Wednesday, July 22, 2009

Koobface - Come Out, Come Out, Wherever You Are

UPDATE2: New binaries are hosted at web.reg .md/1/pdrv.exe; web.reg .md/1/pp.10.exe and at web.reg .md/1/fb.49.exe.

UPDATE: The Koobface gang is upgrading the command and control infrastructure in response to the positive ROI out of the takedown activities. This of course doesn't mean that enough evidence on "who's who" behind Koobface and a huge percentage of the currently active malware campaigns targeting Web 2.0 properties hasn't been gathered already.

Especially now that it's apparent we know each other's names. A recent Koobface update includes the following message: (thanks to TrendMicro for pinging me) : 

We express our high gratitude to Dancho Danchev (http://ddanchev.blogspot.com) for the help in bug fixing, researches and documentation for our software.

The ROI of several abuse notices during the weekend, quick response from China's CERT which took care of 61.235.117.71 (thanks Patrick!), and Oc3 Networks & Web Solutions Llc abuse team which took care of the Koobface activity at 98.143.159.138 -- cgpay-re-230609 .com still responds to the IP -- looks pretty positive and managed to increase the opportunity cost for the Koobface gang since it caused them some troubles during the weekend.

With Koobface worm's Twitter campaign currently in a stand by mode due to the publicity it attracted, as well as the fact that the central redirection points used in the campaign are down, let's assess the current Koobface hosting infrastructure, with an emphasis on UKSERVERS-MNT (AS42831) which stopped responding to abuse notifications as of Sunday.

How did the Koobface gang/fan club responded to the downtime anyway? By introducing several new domains, and parking them at 78.110.175.15 - UKSERVERS-MNT (AS42831), whose abuse department remains unreachable ever since.

Following the first abuse notice sent to UKSERVERS-MNT the company temporarily closed the account (78.110.175.15) of the "customer", then brought it back online. Asked why, they responded that the "customer" claimed he's been compromised and that he needs to clean up the mess and secure the server.  In reality that means "give us some time to smoothly update DNS records and migrate operations now that all of our command and control locations are offline".

Since they presumed I don't take lying personally, half an hour later I checked again and the Koobface command and control servers were operational again. The company forwarded the responsibility to the customer and said they closed down the account.

However, what the Koobface gang did was to register a new domain and use it as Koobface C&C again parked at the same IP, which remains active - zaebalinax .com Email: krotreal@gmail.com - 78.110.175.15 - in particular zaebalinax .com/the/?pid=14010 which is redirecting to the Koobface botnet. Two more domains were also registered and parked there, u15jul .com and umidsummer .com - Email: 2009polevandrey@mail.ru which remain in stand by mode at least for the time being.

Upon execution the Koobface binary phones back to upr0306 .com/achcheck.php; upr0306 .com/ld/gen.php (78.110.175.15) and attempts to download upload.octopus-multimedia .be/1/pdrv.exe; upload.octopus-multimedia .be/1/pp.10.exe.

UKSERVERS-MNT (AS42831) is also known with its connections to gumblar.cn malware campaigns, as well as having hosted a domain (supernerd.org) part of a Photobucket malvertising campaign.

Related posts:
Dissecting Koobface Worm's Twitter Campaign
Dissecting the Koobface Worm's December Campaign
Dissecting the Latest Koobface Facebook Campaign 
The Koobface Gang Mixing Social Engineering Vectors

This post has been reproduced from Dancho Danchev's blog.