Wednesday, October 21, 2009

Koobface Botnet Redirects Facebook's IP Space to my Blog



Love me, love me, say that you love me. You know you're cherished when the Koobface botnet redirects Facebook Inc's entire IP space to your blog using HTTP Error 302 - Moved temporarily messages in an attempt to have Facebook's anti-malware crawlers hit my blog every time they visit a Koobface URL posted on the social networking site.


The result? Earlier this morning, I've noticed over 7,000 unique visits coming from Facebook Inc's IP space using active and automatically blogspot accounts part of the Koobface botnet as http referrers (New Koobface campaign spoofs Adobe's Flash updater), which is now officially relying on already infected hosts for the CAPTCHA recognition process. At first, I thought the Koobface gang has embedded an iFrame in order to achieve the effect, but the requests were coming from Facebook's IP space only.

A representative from Facebook's Security Incident Response Team just confirmed the development, and commented that they've added an exception, which is now visible since IPs from Facebook's IP space are no longer visiting my blog:

"Thanks for bringing this to our attention. I'm on the Security Incident Response team at Facebook and we just finished looking into this issue. We visit all links posted to Facebook as part of our link preview feature. We also take the opportunity to do some additional security screening to filter out bad content. Koobface in particular is fond of redirecting our requests to legitimate websites, and you seem to have done something to piss Koobface off. All visits to Koobface URLs from our IP space are currently being redirected to your blog."

The compete list of the automatically registered blogspot accounts, of whose existence Google's security team has already been notified are as follows:
1rykutviklingibtvedmongstad-vgnett .blogspot.com/
40-nrg .blogspot.com/
anyauujteykbrlzyt .blogspot.com/
bctdnvxyubozkute336 .blogspot.com/
bjfzibzxpjwfsri.blogspot .com/
bopscfmfdfkdcdk.blogspot .com/
bpucrtkuigcvuzd.blogspot .com/
dcljxlmkdpfyadlmk014.blogspot .com/
driwnhtqcifnewwy.blogspot .com/
fffgxdpmrhzepmwc172.blogspot .com/
frjutygrfzkfmumr.blogspot .com/
gbmasakrnbvduky-mhopomuytpmeo46.blogspot .com/
hmxmjrdpzncnania.blogspot .com/
hryuickbrfxpgkiqc-wnyohlytffli526.blogspot .com/
hxsdrjrbiesmulbp-mp775012.blogspot .com/
hz560607.blogspot .com/
irfwgrbghyzrnaajs-npqpnvzqrqqeziywhx8.blogspot .com/
isaqwpccpkvmmnffx.blogspot .com/
iunvrafuvbgykpap819.blogspot .com/
ixqowmtgwfvkaapq.blogspot .com/
jocdniqudpnszswn936.blogspot .com/
jxpxhokysarhvnfw-wvtbfawtlocf932 .blogspot.com/
kayaafwlllybvydpu.blogspot .com/
kfddbjhalrqkmqtoa.blogspot .com/
kutlvtfxkxbismwpci.blogspot .com/
kyqyiplztbsiwogx-hfnrmfxbkjzswjq964.blogspot .com/


kzbcbzhlgcnmmaveusdt2.blogspot .com/
lbwhvnvfmiwqypft-gt34676.blogspot .com/
lgjxsfcwkviythet.blogspot .com/
lvlcauoimpklqoj.blogspot .com/
moruokuamhtobznhwx.blogspot .com/
nfnnialisemtirdcq.blogspot .com/
pfmrjjvolrxsthdl.blogspot .com/
pywkyzxqcslnqyz907.blogspot .com/
qmhbxydgxfitnaosp.blogspot .com/
rfsnkstagwfwlkgr.blogspot .com/
rykutviklingibtvedmongstad-vgnett .blogspot.com/
scjftnvmcqiarvt-ni242558.blogspot .com/
skpjwfruzkzujvw.blogspot .com/
spfymrxnfiotvtrknf.blogspot .com/
sxcfugyjtvtwgxzvi.blogspot .com/
tbgkfbllzdtrcslpc741.blogspot .com/
unrrldfyuanstafa.blogspot .com/
vstikrflawgquztcn.blogspot .com/
wjfpuoiolcjvecszeb.blogspot .com/
wlaafuebvmdkaiavh.blogspot .com/
wnejhokyqkazwpu898.blogspot.com/
wqqcknikrlnowgri.blogspot .com/
xlmwrzdmywbibfwi742.blogspot .com/
yanksroadwinchangesalcsoutlook-mlbcom .blogspot.com/
yeqhabdnabhndbt.blogspot .com/
yzyweidzwor-cxgwufvosfam .blogspot.com/
zafxzlatzsmwysk.blogspot .com/
znfnxeaoiqhxldvmqo-atcsqbrkobwi408 .blogspot.com/
zqsvjeoqccknkfubc.blogspot .com/



The Koobface gang's use of basic blackhat SEO principles such as content cloaking are identical to their previous attempts to cover-up their malicious activities relying on pre-defined sets of http referrers of public search engines, or particular redirectors in order for their infections to take place.

Stay tuned for more developments on the Ali Baba and the 40 thieves LLC front, a.k.a as my Ukrainian "fan club". The circle is almost complete, a lot of recent events will be summarized shortly.

Related posts:
Koobface Botnet Dissected in a TrendMicro Report
Koobface Botnet's Scareware Business Model
Movement on the Koobface Front - Part Two
Movement on the Koobface Front
Koobface - Come Out, Come Out, Wherever You Are
Dissecting Koobface Worm's Twitter Campaign
Dissecting the Koobface Worm's December Campaign
Dissecting the Latest Koobface Facebook Campaign 
The Koobface Gang Mixing Social Engineering Vectors 

This post has been reproduced from Dancho Danchev's blog.