Wednesday, August 19, 2009

Movement on the Koobface Front - Part Two


UPDATE13: The domain snimka31082009 .com has been suspended. Just like the domains listed in UPDATE11, it's worth pointing out that once the PrivacyProtect.org whois records return to their original state, all of the domains are registered using the name Rancho Ranchev -- from Ukraine with typosquatting.

UPDATE12: A new Koobface domain is in circulation across Facebook - snimka31082009 .com -- snimka means photo -- which redirects to the Chinese IP (China Railcom Guangdong Shenzhen Subbranch) offering hosting services for the Koobface gang as of last week - 61.235.117.83 /redirectsoft/go/fb_w.php. The snimka31082009.com domain is in the process of being shut down.

UPDATE11: The latest Koobface domains masa31082009 .com - Email: yxlvpewoztjox@gmail.com; pari270809 .com - Email: baoyshzrcwmraq@gmail.com; rect08242009 .com and suz11082009 .com have been suspended.

The Koobface gang has also changed the C&C domain in their latest update, pushed throughout the past couple of days. Interestingly, it's a subdomain used in the Twitter campaign from July - cubman32 .net.ua/.sys/?action=ldgen&v=14 and cubman32 .net.ua/.sys/?action=ldgen&f=0&a=-531027389&lang=&v=14&c=0&s=ld&l=1000&ck=0&c_fb=0&c_ms=0&c_hi=0&c_tw=0&c_be=0&c_fr=-2&c_yb=-2&c_tg=0&c_nl=0&c_fu=-2.

UPDATE10: Two new Koobface domains, and a new redirector are in circulation across Facebook - rect08242009 .com (61.235.117.83) and pari270809 .com, which redirects to masa31082009 .com/go/fb_w.php. The "fan club" has also introduced updated malware - web.reg .md/1/v2prx.exe.

The domains pari270809 .com, rect08242009 .com and masa31082009 .com are in the process of being shut down.

UPDATE9: Domain zadnik270809 .com - Email: baoyshzrcwmraq@gmail.com has been suspended.

UPDATE8: Koobface reactivated itself once again at 61.235.117.83 - China Railcom Guangdong Shenzhen Subbranch - a well-known Zeus crimeware C&C, which is also apparently used for automatic hacking of third-party sites through compromised FTP accounts.

The gang has also introduced a new domain, used exclusively for Facebook campaigns - zadnik270809 .com - in particular zadnik270809 .com/youtube.com/w/?video which loads zadnik270809 .com/youtube.com/w/ups.php and redirects to a well known Koobface redirector kiano-180809 .com/go/fb_w.php.

Zadnik means a**hole. Domain suspension and IP take down are in progress.

UPDATE7: Earlier today, TelosSolutions confirmed that "this customer has been removed from our network". Great news taking into consideration the fact that Directi's Abuse Desk has also suspended boomer-110809 .com, as well as upr200908013 .com.

The Koobface gang responded to the take down action by once again moving to China, 61.235.117.83 (China Railcom Guangdong Shenzhen Subbranch) in particular. The IP has been taken care of, with all of Koobface's campaigns once again in an "inactive stage". It's worth pointing out that kallagoon13 .cn and allavers .org are also parked at this Chinese IP, with both domains clearly involved in Zeus crimeware campaigns.

UPDATE6: Following 24 hours of downtime, the Koobface gang has found a new home online, courtesy of Telos-Solutions-AS/Telos Solutions LTD, with an ongoing migration of the Koobface C&C and campaign domains to 91.212.127.140. Take down activities are in progress.

UPDATE5: Oc3 Networks & Web Solutions Llc abuse team took care of 67.215.238.178. All of Koobface worm's campaigns once again redirect to nowhere.

UPDATE4: Koobface has been kicked out of China -- again -- courtesy of China's CERT, and is no longer responding to 221.5.74.46. This is the second time that the Koobface gang is using the same IP for its central campaign domains, clearly indicating an ISP which "reserves its right to offer them services in the future once they stop receiving abuse notifications".

So which hosting provider's services is the Koobface botnet using for the time being? It's 67.215.238.178 - AS22298 - Netherlands Distinctio Ltd, which they were also using in the beginning of the month. A new domain is in circulation across social networks/micro blogging services - kiano-180809 .com/go/fb2.php (67.215.238.178) Email: bigvillyxxx@gmail.com. Take down activities are in progress.

UPDATE3: The entire portfolio of Koobface related domains is now parked at 221.5.74.46 - AS17816 - CHINA169-GZ CNCGROUP IP network China169 Guangzhou MAN. For instance, xtsd20090815 .com/youtube.com/xexe.php redirects to the actual IP 221.5.74.46 /redirectsoft/go/fb2.php with piupiu-110809.com/achcheck.php, web.reg.md /1/prx90.exe and web.reg.md/1 /prx90.exe as phone-back locations. Two new components are dropped, DDnsFilter.dll - MD5: 0x8904BCEBACB2B878FF46C5EB0C5C57EB and DnsFilter.sys - MD5: 0x30DD915396E46824DA92FE70485F7CF8, which prevent infected users from interacting with antivirus vendor sites.

UPDATE2: The gang has responded to the take down activities by using the only IP that wasn't shut down, 221.5.74.46, with piupiu-110809 .com, upr200908013 .com, and upr200908013 .com already moved there.

Interestingly, now that the gang's centralized domains used in the majority of campaigns are not responding thanks to the quick reaction of BlueConnex, they've started embedding up to 15 iFrames directly loading IPs from the Koobface botnet. The script is detected as Trojan-Clicker.HTML.IFrame.a. The pattern? Each and every host is serving the fake Facebook page from a similar directory - /0x3E8/. 221.5.74.46 is in the process of being shut down.

UPDATE: Three hours after notification, Blue Square Data Group Services Limited ensures that "the customer has been disconnected permanently". It's a fact. All of Koobface worm's campaigns currently redirect to nowhere. Let's see for how long.

Kuku Ruku Koobface! What does Koobface have to do with the legendary cocoa cream wafer Koukou Roukou sold in the 90's? It's one of the new domains introduced over the past seven days (kukuruku-290709 .com now offline thanks to community efforts).

What is the Koobface gang up to anyway? Despite having randomized the automatically generated directories on the compromised sites (kimchistory.freevar .com/fantasticfi1ms; tastemasters .ca/freeem0vie; simonsoderberg .se/mmym0vies; ekespangs .se/meggavide0; akesheronline .com/privalesh0w; belljarstudio .com/bestttube), the gang continues relying on centralized hosting for its campaigns.

During the week, they've migrated from 67.215.238 .178/redirectsoft/go/fb_s.php (PacificRack.com) to 85.234.141 .92/redirectsoft/go/fb_s.php (BlueConnex Ltd). They did so with all of their currently active domains, the ones used as central redirection points on the thousands of legitimate/malicious sites participating in their campaigns. Interestingly, merely suspending a domain name wouldn't get you a personal greeting from the Koobface gang, since they'll basically register a new one. Getting them kicked out of several different hosting providers simultaneously would. Upon having their newly pushed domains shut down, the gang stopped using domains and switched to the original IP of their hosting provider, once again requiring direct ISP action instead of the domain registrar's.

Koobface C&C, central malware campaign domains suspended through community efforts:
- glavnij20090809 .com - Email: bigvillyxxx@gmail.com was parked at 85.234.141.92
- kukuruku-290709 .com - Email: kuku.ruku.pam@gmail.com was parked at 85.234.141.92
- superturbo20090809 .com - Email: bigvillyxxx@gmail.com was parked at 85.234.141.92 (Super Turbo is yet another legendary product sold in the 90's)
- bombimbom20090809 .com - Email: bigvillyxxx@gmail.com was parked at 85.234.141.92 (Bombi Bom is also a classic chewing gum sold in the 90's in Europe/Eastern Europe)
- mishkigammy-060809.com - Email: kuku.ruku.pam@gmail.com was parked at 85.234.141.92

Currently active Koobface C&C domains, also participating in the CAPTCHA-solving, malware campaigns:
- piupiu-110809 .com - 85.234.141.92
- xtsd20090815 .com - 85.234.141.92 - Email: bigvillyxxx@gmail.com
- boomer-110809 .com - 85.234.141.92
- upr200908013 .com - 85.234.141.92 - Email: kfmnmkswrnkcxlgpfdxb68@gmail.com
- suz11082009 .com - 85.234.141.92 - Email: xxmgbtwgdhyv@gmail.com
- upr0306 .com - 221.5.74.46 China Unicom Guangdong province network - Email: bigvillyxxx@gmail.com
- findhereandnow .com - 85.234.141.92 - Email: bigvillyxxx@gmail.com

The CAPTCHA-solving process on behalf of the infected victims is exclusively targeting Google web properties (piupiu-110809 .com/cap/tempgoo/GOO8cdabdfe8d68013c6217ce754a519194.jpg). Koobface worm's captcha7.dll module is active at:
- glavnij20090809 .com/cap/?a=get&i=1&v=7
- suz11082009 .com/cap/?a=get&i=3&v=7
- boomer-110809 .com/cap/?a=get&i=4&v=7
- piupiu-110809 .com/cap/?a=get&i=2&v=7
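
As an added example (not part of the original post), the URL patterns reported above can be turned into a proxy-log check: the `/go/fb*.php` redirector script, the `/0x3E8/` directory, the `/cap/?a=get` and `/.sys/?action=ldgen` requests, and the word-plus-date domain naming. The log format, the sample lines (documentation hosts and addresses), the rule names and the date-suffix heuristic are assumptions made for the illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# (rule name, path regex, required query pair). Paths come from the post;
# the rule names are labels introduced for this example.
RULES = [
    ("redirector",     re.compile(r"/go/fb\w*\.php$"), None),
    ("fake_page_dir",  re.compile(r"^/0x3E8/", re.I),  None),
    ("captcha_fetch",  re.compile(r"^/cap/$"),         ("a", "get")),
    ("loader_checkin", re.compile(r"^/\.sys/$"),       ("action", "ldgen")),
]
# Weak signal (assumption): campaign domains look like word + optional hyphen
# + a 6-9 digit date. Treat it as supporting evidence, not as a verdict.
DATED_LABEL = re.compile(r"^[a-z]+-?\d{6,9}$")

# Constructed proxy log: timestamp, client, method, URL.
SAMPLE_LOG = """\
2009-08-19T10:01:02Z 10.0.0.5 GET http://photo31082009.example/go/fb_w.php
2009-08-19T10:01:03Z 10.0.0.5 GET http://192.0.2.10/0x3E8/
2009-08-19T10:01:09Z 10.0.0.7 GET http://cc-host.example/.sys/?action=ldgen&v=14
2009-08-19T10:02:00Z 10.0.0.7 GET http://word-110809.example/cap/?a=get&i=2&v=7
2009-08-19T10:02:30Z 10.0.0.9 GET http://www.example.org/cap/index.html
"""

def classify(url):
    """Return the sorted names of all indicators a URL matches."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    query = parse_qs(parts.query)
    hits = set()
    for name, path_rx, need in RULES:
        if path_rx.search(parts.path) and (
            need is None or need[1] in query.get(need[0], [])
        ):
            hits.add(name)
    labels = (parts.hostname or "").lower().split(".")
    if len(labels) >= 2 and DATED_LABEL.match(labels[-2]):
        hits.add("dated_domain")
    return sorted(hits)

def scan(log_text):
    """Return (client, url, hits) for every log line with at least one hit."""
    findings = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) == 4 and (hits := classify(fields[3])):
            findings.append((fields[1], fields[3], hits))
    return findings

if __name__ == "__main__":
    for client, url, hits in scan(SAMPLE_LOG):
        print(client, url, ",".join(hits))
```

Because the gang swaps domains and falls back to bare IPs, the path rules keep matching after a domain suspension, while the date-suffix rule only helps spot newly registered names.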


BlueConnex Ltd has been notified. The Koobface gang continues enjoying the largest market share of systematic Web 2.0 abuse.

Related posts:
Movement on the Koobface Front
Koobface - Come Out, Come Out, Wherever You Are
Dissecting Koobface Worm's Twitter Campaign
Dissecting the Koobface Worm's December Campaign
Dissecting the Latest Koobface Facebook Campaign 
The Koobface Gang Mixing Social Engineering Vectors

Ukrainian "fan club" and the Koobface connection:
Dissecting a Swine Flu Black SEO Campaign
Massive Blackhat SEO Campaign Serving Scareware
From Ukrainian Blackhat SEO Gang With Love
From Ukrainian Blackhat SEO Gang With Love - Part Two
From Ukraine with Scareware Serving Tweets, Bogus LinkedIn/Scribd Accounts, and Blackhat SEO Farms
From Ukraine with Bogus Twitter, LinkedIn and Scribd Accounts
Fake Web Hosting Provider - Front-end to Scareware Blackhat SEO Campaign at Blogspot 

This post has been reproduced from Dancho Danchev's blog.