Saturday, December 26, 2009

The Koobface Gang Wishes the Industry "Happy Holidays"

Oops, they did it again - the Koobface gang, which is now officially describing itself as Ali Baba and the 40 Thieves LLC, has not only included a Koobface-themed background -- notice the worm in the name -- on Koobface-infected hosts, but has also included a "Wish Koobface Happy Holidays" script -- last time I checked, 10,000 people had clicked it -- followed by the most extensive message ever left by the gang, which amusingly attempts to legitimize the gang's activities.

In short, the message, with clear elements of PSYOPS, attempts to position the Koobface worm as legitimate software whose new features are requested by users, and to claim that by continuing its development the authors are actually improving Facebook's security systems. For the record, the Koobface botnet itself is only the tip of the iceberg of the malicious activities the group is involved in. Consider going through the related Koobface research posts featured at the bottom of this post to grasp how widespread and high-profile the group's activities are. The exact message, a screenshot of which is attached, reads:

Our team, so often called "Koobface Gang", expresses high gratitude for the help in bug fixing, researches and documentation for our software to:
  • Kaspersky Lab for the name of Koobface and 25 millionth malicious program award;
  • Dancho Danchev who worked hard every day especially on our First Software & Architecture version, writing lots of e-mails to different hosting companies and structures to take down our Command-and-Control (C&C) servers, and of course analyzing software under VM Ware;
  • Trend Micro, especially personal thanks to Jonell Baltazar, Joey Costoya, and Ryan Flores who had released a very cool document (with three parts!) describing all our mistakes we've ever made;
  • Cisco for their 3rd place to our software in their annual "working groups awards";
  • Soren Siebert with his great article; 
  • Hundreds of users who send us logs, crash reports, and wish-lists.
In fact, it was a really hard year. We've made many efforts to improve our software. Thanks to Facebook's security team - the guys made us move ahead. And we've moved. And will move. Improving their security system.

By the way, we did not have a cent using Twitter's traffic. But many security issues tell the world we did. They are wrong. As many people know, "virus" is something awful, which crashes computers, steals credential information as good as all passwords and credit cards. Our software did not ever steal credit card or online bank information, passwords or any other confidential data. And WILL NOT EVER. As for the crashes... We are really sorry. We work on it :) Wish you a good luck in new year and... Merry Christmas to you!

Always yours, "Koobface Gang"

For the record, in case you were living on the other side of the universe and weren't interested in the raw details of what goes on within the underground ecosystem: in July 2009, I was the only individual ever mentioned by the Koobface gang, which back then included the following message within its command and control infrastructure for 9 days:
  • "We express our high gratitude to Dancho Danchev for the help in bug fixing, researches and documentation for our software."
Alongside the folks at Trend Micro, the DHS also featured the event in its Daily Open Source Infrastructure Report for 3 September 2009, on page 18:
  • "This individual is an independent security consultant who plays an active role in tracking and shutting down botnets and other illegal operations."
It got even more personal when the Koobface gang redirected Facebook's entire IP space to my blog in October 2009, resulting in thousands of visits from Facebook every time its crawlers visited a Koobface-infected host. Thankfully, Facebook's Security Incident Response Team quickly took care of the issue.

In the spirit of Christmas, I'd also like to wish the Koobface gang happy holidays, and promise them that the cherry on top of the research pie will see daylight soon. First of all, I'd like to wish them happy holidays with Frank Sinatra - "I've Got You Under My Skin". They'll get the point.

And now comes my Christmas present: the systematic take-down, blacklisting, and domain suspension of Koobface scareware operations.

Sample detection rates for the Koobface binaries go.exe, fb.79.exe, fblanding.exe, v2captcha.exe, v2webserver.exe and pack_312s3.exe (the scareware). The currently active artificial2010 .com/?pid=312s02&sid=4db12f - Email: - - AS34305 (EUROACCESS Global Autonomous System) acts as a redirector to the scareware domain portfolio.

Currently active portfolio of scareware domains pushed by the Koobface botnet, parked at
2010scannera1 .com - Email:
artificial2010 .com - Email:
bestdiscounts2010 .com - Email:
bestparty2009 .com - Email:
bestparty2010 .com - Email:
bestpffers2010 .com - Email:
best-wishes-design .com - Email:
bestyearparty .com - Email:
celebrate2009year .com - Email:
celebrate-designs .com - Email:
happy-newyear2010 .com - Email:
internetproscanm .com - Email:
internetproscanq .com - Email:
internetproscanr .com - Email:
internetproscanw .com - Email:
internetproscany .com - Email:
megascannera .com - Email:
megasecurityl .com - Email:
megasecurityp .com - Email:
megasecurityq .com - Email:
newholidaydesigns .com - Email:
newyearandsanta .com - Email:
newyeardesgings .com - Email:
onlinesecurityn1 .com - Email:
onlinesecurityn2 .com - Email:
onlinesecurityn3 .com - Email:
onlinesecurityn4 .com - Email:
onlinesecurityn5 .com - Email:
online-securtiyv1 .com - Email:
online-securtiyv4 .com - Email:
online-securtiyv5 .com - Email:
onlineviruskilla0 .com - Email:
onlineviruskilla2 .com - Email:
onlineviruskilla4 .com - Email:
onlineviruskilla6 .com - Email:
onlineviruskilla8 .com - Email:
santa-christmas2010 .com - Email:
snowandchristmas .com - Email:
thebestantispys .com - Email:

Christmas-themed scareware serving domains:
happy-newyear2010 .com
celebrate2009year .com
newyearandsanta .com
newyeardesgings .com
santa-christmas2010 .com
snowandchristmas .com

Speaking of AS34305 (EUROACCESS Global Autonomous System), it is also hosting scareware campaigns at another IP - in particular:
pcprotect2010 .com - Email:
bestantispysoft2010 .com - Email:
worldantispyware1 .com - Email:
antispyware24x7 .com - Email:
spydetector2009 .com - Email:
myprivatesoft2009 .com - Email:
itsafetyonline .com - Email:
antispycenterprof .com - Email:
webspydetectunlim .com - Email:
pcsafetyplatinum .com - Email:
spywaredetect24pro .com - Email:
eliminater2009pro .com - Email:
pcsafety2009pro .com - Email:
securityztop .com - Email:
antisspywarescenter .com - Email:
viridentifycenter .com - Email:
antispywarets .com - Email:
winvantivirus .com - Email:
antispywaresnet .com - Email:
securityprosoft .com - Email:
onlineantispysoft .com - Email:
worldsantispysoft .com - Email:
antispyworldwideint .com - Email:
ivirusidentify .com - Email:

Within the same ASN we can also find the following Zeus crimeware-serving domains, courtesy of the Zeus Tracker:
print-design .cn - Email:
backup2009 .com - Email: - associated with money mule recruitment domain registrations
1211news .com - Email:
tuttakto .com - Email:
filatok .com - Email:
wwwldr .com - Email:
bbbboom .com - Email:
fant1k .com - Email:
hoooools .com - Email:
ianndex .com - Email:
vklom .com - Email:
wwwbypost .com - Email:
wwwudacha .com - Email:

Sampled scareware phones back to:
ardeana-couture .com/?b=1s1 - ; also parked there is windowssp3download .com - Email:
winrescueupdate .com/download/winlogo.bmp -

Historically, (AS29073-ECATEL-AS, Ecatel Network) hosted the following scareware domains:
attention-scanner .com - Email:
be-secured2 .com - Email:
best-scanner-f .com - Email:
get-secure2 .com - Email:
installprotection2 .com - Email:
online-defense7 .com - Email:
scan-spyware2 .com - Email:
topscan2 .com - Email:
topscan3 .com - Email:
virus-pcscan .com - Email:
win-scan05 .com - Email:
win-scan07 .com - Email:
win-scan09 .com - Email:
winrescueupdate .com
winscanner01 .com - Email:
winscanner18 .com - Email:
your-protection8 .com - Email:
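As an added example (not part of the original post, and not the gang's or anyone else's tooling), the script below turns the defanged indicator lists above into blocklist material: it re-fangs the "name .tld" lines while ignoring the surrounding prose, collapses serialised registrations such as onlineviruskilla0/2/4/6/8 or megasecurityl/p/q into one family so that a pattern rule can cover the next one the gang registers, and emits BIND Response Policy Zone records that return NXDOMAIN for each domain and its subdomains. The sample lines are a constructed excerpt copied from the lists above with the registrant e-mails already stripped, as on this page; the family heuristic (strip a trailing number, then a single trailing letter) is the editor's own assumption about how these names are serialised, not something the post states.

```python
"""Turn the defanged indicator lists above into blocklist material.

Added example, not part of the original post.  SAMPLE_LINES is a constructed
excerpt in the post's own defanged notation ("name .tld - Email:"); the
family-grouping heuristic is the editor's assumption, not the post's.
"""
import re
from collections import defaultdict

# Constructed excerpt copied from the lists above, registrant e-mails stripped
# exactly as they appear on the page; the first line is prose and must be ignored.
SAMPLE_LINES = """\
Currently active portfolio of scareware domains pushed by the Koobface botnet, parked at
2010scannera1 .com - Email:
artificial2010 .com - Email:
onlinesecurityn1 .com - Email:
onlinesecurityn2 .com - Email:
onlinesecurityn3 .com - Email:
online-securtiyv1 .com - Email:
onlineviruskilla0 .com - Email:
onlineviruskilla2 .com - Email:
winrescueupdate .com/download/winlogo.bmp -
print-design .cn - Email:
"""

# "label .tld", optionally followed by a URL path and by "- Email: ..." residue.
DEFANGED = re.compile(r"^([a-z0-9-]+)\s+\.([a-z]{2,})(?:/\S*)?\s*(?:-.*)?$")


def refang(line):
    """Return 'label.tld' for a defanged indicator line, or None for prose."""
    m = DEFANGED.match(line.strip().lower())
    return f"{m.group(1)}.{m.group(2)}" if m else None


def parse_indicators(text):
    """Extract unique registrable domains from a block of page text, in page order."""
    seen, out = set(), []
    for line in text.splitlines():
        d = refang(line)
        if d and d not in seen:
            seen.add(d)
            out.append(d)
    return out


def family_key(domain):
    """Heuristic (editor's assumption) that collapses serialised names such as
    onlineviruskilla0/2/4 or megasecurityl/p/q into one family key: strip a
    trailing number, then one trailing letter if the stem stays distinctive."""
    label, _, tld = domain.rpartition(".")
    stem = re.sub(r"[0-9]+$", "", label)
    if len(stem) > 6 and stem[-1].isalpha():
        stem = stem[:-1]
    return f"{stem}*.{tld}"


def group_families(domains):
    """Map family key -> sorted members, keeping only families with 2+ registrations;
    bulk-registered, numbered look-alikes are the signal worth a pattern rule."""
    groups = defaultdict(list)
    for d in domains:
        groups[family_key(d)].append(d)
    return {k: sorted(v) for k, v in groups.items() if len(v) >= 2}


def rpz_records(domains):
    """Emit BIND Response Policy Zone records that NXDOMAIN each domain and its subdomains."""
    records = []
    for d in domains:
        records.append(f"{d} CNAME .")
        records.append(f"*.{d} CNAME .")
    return records


if __name__ == "__main__":
    domains = parse_indicators(SAMPLE_LINES)
    for fam, members in group_families(domains).items():
        print(f"{fam}: {', '.join(members)}")
    print("\n".join(rpz_records(domains)))
```

Feeding the whole post through parse_indicators works because prose lines never match the "label .tld" shape; the family keys are only grouping keys, so a stem like onlineviruskill* is expected and is what you would turn into a regex for DNS log hunting or a sinkhole rule.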

Happy Holidays, too!

Related Koobface research published in 2009:
Koobface-Friendly Riccom LTD - AS29550 - (Finally) Taken Offline
Koobface Botnet Starts Serving Client-Side Exploits
Massive Scareware Serving Blackhat SEO, the Koobface Gang Style
Koobface Botnet's Scareware Business Model - Part Two
Koobface Botnet's Scareware Business Model - Part One
Koobface Botnet Redirects Facebook's IP Space to my Blog
New Koobface campaign spoofs Adobe's Flash updater
Social engineering tactics of the Koobface botnet
Koobface Botnet Dissected in a TrendMicro Report
Movement on the Koobface Front - Part Two
Movement on the Koobface Front
Koobface - Come Out, Come Out, Wherever You Are
Dissecting Koobface Worm's Twitter Campaign

This post has been reproduced from Dancho Danchev's blog.