10 things you didn't know about the Koobface gang

The intensive multitasking by the Koobface gang, together with the fact that the Koobface botnet is only the tip of the iceberg of their malicious operations, prompts the publishing of this list of the top 10 things you didn't know about the Koobface gang.
Written by Dancho Danchev, Contributor


With Koobface continuing to spread across Facebook by utilizing hundreds of compromised sites as infection vectors, and by using them as a distributed hosting infrastructure in an attempt to undermine potential take down activities, a common misconception regarding the gang's activities shifts attention away from their true role within the underground ecosystem.

The intensive multitasking by the Koobface gang, together with the fact that the Koobface botnet is only the tip of the iceberg of their malicious operations, prompts the publishing of this list of the top 10 things you didn't know about the Koobface gang.

Some are funny, others are disturbing, and the majority indicate a cybercrime ecosystem that actively keeps itself up-to-date with the very latest research profiling it, by reading the blogs of security vendors and researchers.

01. The gang is connected to, and probably maintains, the click-fraud facilitating Bahama botnet

In September 2009, researchers from ClickForensics established an interesting connection between the Bahama botnet -- the name comes from the 200,000 parked domains hosted in the Bahamas to which it redirected traffic -- and what I refer to as my "Ukrainian fan club", so called because of the offensive messages they included in their redirectors every time I exposed and shut down one of their campaigns.

Malware samples pushed by the Koobface botnet modified the HOSTS file on infected hosts, redirecting users to a bogus Google page featuring pharmaceutical ads, as well as to related cybercrime-friendly search engines, in order to monetize the hijacked traffic. The "Ukrainian fan club" itself appears to be the blackhat SEO department of the Koobface gang; its connections to the following campaigns, together with the multiple links tying it to the then centralized Koobface infrastructure, resulted in the take down of the Koobface-friendly Riccom LTD - AS29550 in December 2009.
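The HOSTS-file hijack described above is cheap to detect on an endpoint: a well-known domain mapped to anything other than loopback is a strong signal. The scanner below is an added example written for this page, not code from the original article or from any Koobface sample; the hosts-file content, the monitored domain list and the sink IP (198.51.100.10, a documentation address) are constructed for the demo.

```python
"""Flag HOSTS-file entries that hijack well-known domains (added example)."""
import ipaddress
import sys

# Domains whose hijack is worth alerting on. Assumption: tune this to your estate.
MONITORED_DOMAINS = {
    "google.com", "bing.com", "yahoo.com", "facebook.com", "myspace.com",
}

# Constructed sample hosts file for the demo (not a real Koobface artifact).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       dev.local
198.51.100.10   google.com www.google.com   # constructed sink address
198.51.100.10   bing.com
"""


def parse_hosts(text):
    """Yield (ip, hostname, line_no) for every name mapping in hosts-file text."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                            # malformed line; real tooling should log it
        for host in fields[1:]:
            yield ip, host.lower().rstrip("."), line_no


def find_hijacks(text, monitored=MONITORED_DOMAINS):
    """Return monitored names that resolve somewhere other than loopback.

    A legitimate hosts file may blackhole a name to 127.0.0.1; it has no
    business pointing a search engine or social network at a remote IP.
    """
    findings = []
    for ip, host, line_no in parse_hosts(text):
        # Crude registrable-domain guess (last two labels); good enough for
        # the monitored list above, not for multi-label TLDs such as co.uk.
        registrable = ".".join(host.split(".")[-2:])
        if (host in monitored or registrable in monitored) and not ip.is_loopback:
            findings.append({"line": line_no, "host": host, "ip": str(ip)})
    return findings


def sink_ips(findings):
    """Group hijacked names by destination IP: one sink serving many names is the pivot."""
    out = {}
    for f in findings:
        out.setdefault(f["ip"], []).append(f["host"])
    return out


if __name__ == "__main__":
    # Usage: python hosts_hijack.py [/path/to/hosts]; defaults to the constructed sample.
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_HOSTS
    for f in find_hijacks(text):
        print(f"line {f['line']}: {f['host']} -> {f['ip']}")
    for ip, hosts in sink_ips(find_hijacks(text)).items():
        print(f"sink {ip} serves {len(hosts)} hijacked names")
```

On Windows the file lives at %SystemRoot%\System32\drivers\etc\hosts; on Unix at /etc/hosts. Once a sink IP is identified, it is the natural pivot for correlating infected hosts across an estate.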

How did the gang respond? With a bold sense of humor.

02. Despite their steady revenue flow from sales of scareware, the gang once used trial software to take a screenshot of a YouTube video

Just when you start thinking that quality assurance is a daily routine for these botnet masters, imagine my surprise when an October 2009 spoof of a YouTube page turned out to be a screenshot taken with a trial version of HyperSnap.

The result? A "Created with HyperSnap 6. To avoid this stamp, buy a license" stamp at the bottom of the screenshot, shown to everyone visiting a Koobface-infected host serving it. The entire YouTube spoof was basically a screenshot of a legitimate video page, with the spoofed Adobe error message being the only clickable part of it.

03. The Koobface gang was behind the malvertising attack that hit the web site of the New York Times in September

Data and real-time OSINT (open source intelligence) analysis speak for themselves. With ClickForensics establishing a connection between my "Ukrainian fan club", the Bahama botnet and the malvertising attacks, the assessment of the incident further confirmed this connection based on historical OSINT gathered from their previous blackhat SEO campaigns.

The Koobface/Ukrainian fan club connection? The same redirector used in the NYTimes malvertising attack was not only simultaneously found on Koobface-infected hosts, but had also been profiled a month earlier in "Dissecting the Ongoing U.S Federal Forms Themed Blackhat SEO Campaign", a blackhat SEO campaign maintained by them.

04. The gang conducted a several-hour experiment in November 2009, when for the first time ever client-side exploits were embedded on Koobface-serving compromised hosts

With Koobface representing a case study in successful propagation across social networking sites relying on social engineering only, in November the gang for the first time ever conducted an experiment, lasting several hours, in which client-side exploit-serving iFrames were embedded on Koobface-infected hosts.

Sampled exploits included VBS/Psyme.BM, Exploit.Pidief.EX and Exploit.Win32.IMG-WMF. Moreover, despite the Koobface gang's claim -- more on that claim and their bold sense of humor in an upcoming point -- the very same IP hosting the exploit-serving domain also hosted an active Zeus crimeware campaign.

By embedding these particular domains, the gang also exposed an affiliation with the author of a popular web malware exploitation kit. Whether the experiment was meant to test the kit's exploitation capabilities before the gang started serving exploits permanently remains unknown. A few hours after the experiment was exposed, they suspended it.
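Exploit-serving iFrames injected into compromised pages are almost always hidden: zero-sized, styled away, or buried inside a hidden container, and pointing off-site. The scanner below is an added example for this page, not code from the original article; it walks a page with the standard-library HTML parser and reports iFrames that are both off-site and concealed. The sample page and the exploit-kit.invalid hostname are constructed for the demo.

```python
"""Find hidden off-site iframes in an HTML page (added example)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: one legitimate embed, two concealed off-site iframes,
# one hidden but same-origin iframe. Hostnames are illustrative.
SAMPLE_PAGE = """<html><body>
<h1>Welcome</h1>
<iframe src="https://www.youtube.com/embed/abc" width="560" height="315"></iframe>
<iframe src="http://exploit-kit.invalid/in.php" width="0" height="0" frameborder="0"></iframe>
<div style="display:none"><iframe src="http://exploit-kit.invalid/pdf.php"></iframe></div>
<iframe src="/local/ok.html" style="visibility:hidden"></iframe>
</body></html>"""

HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
VOID_TAGS = {"img", "br", "input", "meta", "link", "hr", "area", "base",
             "col", "embed", "param", "source", "track", "wbr"}


def _is_zero_size(attrs):
    """True if width or height is 0/1 px, a classic concealment trick."""
    def dim(value):
        try:
            return float(str(value).rstrip("px%").strip())
        except ValueError:
            return None
    w, h = dim(attrs.get("width", "")), dim(attrs.get("height", ""))
    return (w is not None and w <= 1) or (h is not None and h <= 1)


class IframeFinder(HTMLParser):
    """Collects every iframe with the reasons it looks concealed."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self._stack = []      # (tag, hides_children) for currently open elements
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        hides = bool(HIDDEN_STYLE.search(a.get("style", "")))
        if tag == "iframe":
            src = a.get("src", "")
            host = (urlparse(src).hostname or self.page_host).lower()
            reasons = []
            if hides:
                reasons.append("hidden style")
            if any(h for _, h in self._stack):
                reasons.append("hidden ancestor")
            if _is_zero_size(a):
                reasons.append("zero size")
            self.iframes.append({"src": src, "host": host,
                                 "offsite": host != self.page_host,
                                 "reasons": reasons})
        if tag not in VOID_TAGS:
            self._stack.append((tag, hides))

    def handle_endtag(self, tag):
        # Pop back to the matching open tag; tolerates sloppy nesting.
        for i in range(len(self._stack) - 1, -1, -1):
            if self._stack[i][0] == tag:
                del self._stack[i:]
                break


def scan_page(html, page_host):
    """Return every iframe on the page with its concealment reasons."""
    finder = IframeFinder(page_host)
    finder.feed(html)
    finder.close()
    return finder.iframes


def suspicious_iframes(html, page_host):
    """Concealed AND off-site: the signature of an injected exploit frame."""
    return [f for f in scan_page(html, page_host) if f["offsite"] and f["reasons"]]


if __name__ == "__main__":
    for f in suspicious_iframes(SAMPLE_PAGE, "compromised.example"):
        print(f["src"], "->", ", ".join(f["reasons"]))
```

A visible off-site embed (the YouTube frame) and a hidden same-origin frame are both reported by scan_page but not by suspicious_iframes; the combination of concealment and an external host is what separates an injected frame from ordinary page furniture. Real injections are often obfuscated in JavaScript rather than static HTML, so run this over the rendered DOM when you can.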

05. The Koobface gang was behind the massive (1+ million affected web sites) scareware-serving campaign in November 2009

Remember the massive blackhat SEO campaign from November, 2009, where 1+ million web sites were found compromised and serving scareware?

Real-time monitoring of the campaign, cross-checked against real-time monitoring of Koobface activity, revealed an interesting observation: the redirectors embedded on the compromised web sites were the same redirectors found on Koobface-infected hosts, both pushing scareware.


06. The Koobface Gang Monetizes Mac OS X Traffic through adult dating/Russian online movie marketplaces

Earlier this month, while analyzing the techniques the gang uses to efficiently compromise and backdoor web sites, I stumbled upon an early-stage experiment attempting to monetize Mac OS X traffic through legitimate and fraudulent dating agencies.

Over the past two weeks the gang has changed the monetization and is currently redirecting Mac OS X visitors to an online movie marketplace; its registration details clearly show that the email used to register the site in question has also been used to register dozens of scareware/fake security sites. You be the judge of the service's legitimacy.

This very same Mac OS X monetization attempt was also seen in a blackhat SEO campaign (News Items Themed Blackhat SEO Campaign Still Active) managed by the gang in September, 2009.

07. Ali Baba and 40 LLC a.k.a. the Koobface gang greeted the security community on Christmas

Throughout 2009, the Koobface gang, which now officially describes itself as Ali Baba following my discovery of the pseudonym on a compromised web site -- Ali Baba is a fictional character from medieval Arabic literature, with "Ali Baba and 40" being the film adaptation of "Ali Baba and the Forty Thieves" -- proved that it keeps itself up-to-date with the latest research done against it.

Around the time when the Koobface-friendly Riccom LTD - AS29550 was taken offline, the gang deliberately embedded a bold greeting on Koobface-infected hosts, attempting to legitimize its activities by stating that Koobface is not a virus and that they have never stolen financial data. Ironically, the gang also included a "Wish Koobface Marry Christmas" script, which over 10,000 people surprisingly clicked. I wonder how many of these people inquired about a PC repair service, or filed a (scareware) fraud report once they checked their bank statements at the end of the month?

The message they included on the Koobface infected hosts is as follows:

"Our team, so often called "Koobface Gang", expresses high gratitude for the help in bug fixing, researches and documentation for our software to:

  • Kaspersky Lab for the name of Koobface and 25 millionth malicious program award;
  • Dancho Danchev (http://ddanchev.blogspot.com) who worked hard every day especially on our First Software & Architecture version, writing lots of e-mails to different hosting companies and structures to take down our Command-and-Control (C&C) servers, and of course analyzing software under VM Ware;
  • Trend Micro (http://trendmicro.com), especially personal thanks to Jonell Baltazar, Joey Costoya, and Ryan Flores who had released a very cool document (with three parts!) describing all our mistakes we've ever made;
  • Cisco for their 3rd place to our software in their annual "working groups awards";
  • Soren Siebert with his great article;
  • Hundreds of users who send us logs, crash reports, and wish-lists.

In fact, it was a really hard year. We've made many efforts to improve our software. Thanks to Facebook's security team - the guys made us move ahead. And we've moved. And will move. Improving their security system. By the way, we did not have a cent using Twitter's traffic. But many security issues tell the world we did.

They are wrong. As many people know, "virus" is something awful, which crashes computers, steals credential information as good as all passwords and credit cards.

Our software did not ever steal credit card or online bank information, passwords or any other confidential data. And WILL NOT EVER. As for the crashes... We are really sorry. We work on it :) Wish you a good luck in new year and... Merry Christmas to you!

Always yours, "Koobface Gang"

Who is Soren Siebert? According to the folks at Abuse.ch, who also maintain the ZeusTracker (Crimeware tracking service hit by a DDoS attack):

  • On my blog you will find a reference to a disclaimer page in the navigation bar. The disclaimer is written in German and was generated with an impressum generator provided by e-recht24.de. So the Koobface gang just came across this name on my disclaimer and thought that this is my name.

08. The Koobface gang once redirected Facebook's IP space to my personal blog

In 2009, the Koobface gang had a fixation on me, which didn't come as a surprise given the comprehensive connections I was able to establish. That's of course next to the take down of the majority of the command and control servers used in Koobface 1.0 over a period of 24/32 hours, which prompted the gang to implement their contingency plan, one they appear to have been developing for a while.

In July, 2009, I was the only individual ever singled out, with the gang leaving the following message within their command and control infrastructure for nine days:

  • "We express our high gratitude to Dancho Danchev (http://ddanchev.blogspot.com) for the help in bug fixing, researches and documentation for our software."

A pretty diplomatic way of thanking me for having them kicked out of their ISPs and systematically suspending the domains the botnet used as the foundation for propagating and communicating with the already infected hosts? Depends.

In the next few months, the gang was experimenting with various ways to show me that they're aware of my research/take down activities by typosquatting domains using my name such as pancho-2807 .com (registered to Pancho Panchev; pancho.panchev@gmail.com), followed by rdr20090924 .info (registered to Vancho Vanchev, vanchovanchev@mail.ru). Then they decided to set a new benchmark.

In September 2009, while checking my daily stats, I noticed a sudden peak of visitors. Digging a little deeper, I was surprised to see that all of them were coming from within Facebook Inc's network. What the Koobface gang did was basically redirect Facebook's IP space to my personal blog every time a Facebook crawler visited one of their automatically registered Blogspot accounts.

Upon contacting Facebook's Security Incident Response Team, the folks implemented a filter and responded by confirming this was happening:

  • Thanks for bringing this to our attention. I'm on the Security Incident Response team at Facebook and we just finished looking into this issue. We visit all links posted to Facebook as part of our link preview feature. We also take the opportunity to do some additional security screening to filter out bad content. Koobface in particular is fond of redirecting our requests to legitimate websites, and you seem to have done something to piss Koobface off. All visits to Koobface URLs from our IP space are currently being redirected to your blog.

A pretty dynamic "relationship", isn't it?
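Points 06 and 08 describe the same underlying trick from two angles: the redirector decides where to send a visitor based on who is asking, by User-Agent (Mac OS X visitors get the movie marketplace) or by source IP range (Facebook's link-preview crawler gets bounced to an unrelated site). A single fetch of a suspect URL therefore proves little; fetching it under several client profiles and comparing destinations does. The checker below is an added example for this page, not code from the original article or from any Koobface component. The in-memory redirector it probes is a constructed model of the behaviour described above, and the profile strings, the 198.51.100.0/24 "crawler" range and the destination hostnames are illustrative assumptions.

```python
"""Differential fetch: detect UA- and source-IP-based redirect cloaking (added example)."""
import ipaddress
import urllib.error
import urllib.request

# Client profiles to probe with. Assumption: UA strings and addresses are illustrative.
PROFILES = {
    "windows-ie": {"ua": "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)",
                   "ip": "203.0.113.7"},
    "mac-safari": {"ua": "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_8) AppleWebKit/531.9",
                   "ip": "203.0.113.8"},
    "fb-crawler": {"ua": "facebookexternalhit/1.0",
                   "ip": "198.51.100.20"},
}

# --- Constructed stand-in for a cloaking redirector (not a real Koobface script) ----
CRAWLER_NETS = [ipaddress.ip_network("198.51.100.0/24")]   # assumption, not Facebook's real range


def fake_redirector(user_agent, client_ip):
    """Model of the behaviour the article describes; returns (status, Location)."""
    ip = ipaddress.ip_address(client_ip)
    if any(ip in net for net in CRAWLER_NETS):            # crawler: bounce to a decoy
        return 302, "http://researcher-blog.example/"
    if "Mac OS X" in user_agent:                          # Mac visitor: non-malware monetization
        return 302, "http://movie-marketplace.example/"
    return 302, "http://scareware-landing.example/setup.exe"   # everyone else: the payload


# --- The check ---------------------------------------------------------------------
def probe(fetch, profiles=PROFILES):
    """Fetch once per profile; returns {profile_name: (status, location)}."""
    return {name: fetch(p["ua"], p["ip"]) for name, p in profiles.items()}


def cloaking_report(results):
    """Group profiles by destination. More than one distinct destination means cloaking."""
    by_dest = {}
    for name, (status, location) in results.items():
        by_dest.setdefault((status, location), []).append(name)
    return {"cloaked": len(by_dest) > 1, "destinations": by_dest}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following 3xx so we see the first hop's Location."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def make_http_fetch(url, timeout=10):
    """Real fetcher for a live URL: sends the profile's User-Agent, returns (status, Location).

    The source address cannot be spoofed from here, so the client_ip argument is
    ignored; to probe as a given range you must run the check from inside it.
    """
    opener = urllib.request.build_opener(_NoRedirect())

    def fetch(user_agent, client_ip):
        req = urllib.request.Request(url, headers={"User-Agent": user_agent})
        try:
            with opener.open(req, timeout=timeout) as resp:
                return resp.status, resp.headers.get("Location")
        except urllib.error.HTTPError as e:               # 3xx surfaces here with _NoRedirect
            return e.code, e.headers.get("Location")
    return fetch


if __name__ == "__main__":
    # Offline demo against the constructed redirector; swap in make_http_fetch(url) for a live target.
    report = cloaking_report(probe(fake_redirector))
    print("cloaked:", report["cloaked"])
    for (status, location), names in report["destinations"].items():
        print(f"  {status} -> {location}: {', '.join(names)}")
```

The practical lesson is the one the Facebook SIRT reply above makes implicitly: a scanner or crawler that fetches from a fixed, well-known IP range and User-Agent is trivially identified and fed clean content, so verdicts from such infrastructure should be weighted accordingly.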

09. The gang is experimenting with alternative propagation strategies, such as Skype

With the Koobface botnet under the microscope of the security community, the gang is naturally interested in switching its social engineering tactics, or looking for alternative propagation methods.

In November 2009, security vendors detected a new Koobface variant indicating a long-term strategy of diversifying the propagation vectors by using Skype. The sample analyzed back then was also collecting personally identifiable information from the affected users, a practice often seen when a malicious attacker is building the foundations for a successful social engineering campaign.

Why would the gang bother propagating through Skype with such a well developed Web 2.0 propagation strategy already in place? Greed is the first thing that comes to my mind.

10. The gang is monetizing traffic through the Crusade Affiliates scareware network

Originally exposed in the September 2009 post "Koobface Botnet's Scareware Business Model" (see Part Two as well), when the gang officially started serving scareware each and every time a user visited a Koobface-infected page, the Crusade Affiliates network appears to be the primary choice for the Koobface gang in terms of scareware monetization.

Once its key domain got suspended, the network went undercover. It appears that the entire network may be an exclusive operation maintained by, and used only by, the Koobface gang in an attempt not to attract too much attention to its activities. This operational security (OPSEC) practice has been evident ever since in the lack of branding, while the gang still collects the revenue from a network that naturally earns its profit thanks to the Koobface botnet.

Scareware continues being the single most profitable monetization strategy used by the gang. The success of this business model is pretty evident with PC repair shops noticing an increasing demand for their services thanks to scareware/fake security software (See a gallery of different scareware releases) infections.

Your most pragmatic strategy when fighting scareware in general remains secure browsing, awareness (The ultimate guide to scareware protection), or plain simple sandboxing.
