UPDATE13: The domain snimka31082009 .com has been suspended. Just like the domains listed in UPDATE11, it's worth pointing out that once the PrivacyProtect.org whois records return to their original state, all of the domains are registered using the name Rancho Ranchev -- from Ukraine with typosquatting.
UPDATE12: A new Koobface domain is in circulation across Facebook - snimka31082009 .com -- snimka means photo -- which redirects to the Chinese IP (China Railcom Guangdong Shenzhen Subbranch) that has been offering hosting services to the Koobface gang since last week - 22.214.171.124 /redirectsoft/go/fb_w.php. The snimka31082009.com domain is in the process of being shut down.
UPDATE11: The latest Koobface domains masa31082009 .com - Email: firstname.lastname@example.org; pari270809 .com - Email: email@example.com; rect08242009 .com and suz11082009 .com have been suspended.
The Koobface gang has also changed the C&C domain in the latest update pushed over the past couple of days. Interestingly, it's a subdomain used in the Twitter campaign from July - cubman32 .net.ua/.sys/?action=ldgen&v=14 and cubman32 .net.ua/.sys/?action=ldgen&f=0&a=-531027389&lang=&v=14&c=0&s=ld&l=1000&ck=0&c_fb=0&c_ms=0&c_hi=0&c_tw=0&c_be=0&c_fr=-2&c_yb=-2&c_tg=0&c_nl=0&c_fu=-2.
UPDATE10: Two new Koobface domains and a new redirector are in circulation across Facebook - rect08242009 .com (126.96.36.199) and pari270809 .com, which redirects to masa31082009 .com/go/fb_w.php. The "fan club" has also introduced an updated malware binary - web.reg .md/1/v2prx.exe.
The domains pari270809 .com, rect08242009 .com and masa31082009 .com are in the process of being shut down.
UPDATE9: Domain zadnik270809 .com - Email: firstname.lastname@example.org has been suspended.
The gang has also introduced a new domain, used exclusively for Facebook campaigns - zadnik270809 .com - in particular zadnik270809 .com/youtube.com/w/?video which loads zadnik270809 .com/youtube.com/w/ups.php and redirects to a well known Koobface redirector kiano-180809 .com/go/fb_w.php.
Zadnik means a**hole. Domain suspension and IP take down are in progress.
UPDATE7: Earlier today, TelosSolutions confirmed that "this customer has been removed from our network". Great news taking into consideration the fact that Directi's Abuse Desk has also suspended boomer-110809 .com, as well as upr200908013 .com.
The Koobface gang responded to the take down action by once again moving to China, 188.8.131.52 (China Railcom Guangdong Shenzhen Subbranch) in particular. The IP has been taken care of, with all of Koobface's campaigns once again in an "inactive stage". It's worth pointing out that kallagoon13 .cn and allavers .org are also parked at this Chinese IP, with both domains clearly involved in Zeus crimeware campaigns.
UPDATE6: Following 24 hours of downtime, the Koobface gang has found a new home online, courtesy of Telos-Solutions-AS/Telos Solutions LTD, with an ongoing migration of the Koobface C&C and campaign domains to 184.108.40.206. Take down activities are in progress.
UPDATE5: Oc3 Networks & Web Solutions Llc's abuse team took care of 220.127.116.11. All of the Koobface worm's campaigns once again redirect to nowhere.
UPDATE4: Koobface has been kicked out of China -- again -- courtesy of China's CERT, and is no longer responding at 18.104.22.168. This is the second time that the Koobface gang has used the same IP for its central campaign domains, clearly indicating an ISP which "reserves its right to offer them services in the future once they stop receiving abuse notifications".
UPDATE3: The entire portfolio of Koobface related domains is now parked at 22.214.171.124 - AS17816 - CHINA169-GZ CNCGROUP IP network China169 Guangzhou MAN. For instance, xtsd20090815 .com/youtube.com/xexe.php redirects to the actual IP 126.96.36.199 /redirectsoft/go/fb2.php, with piupiu-110809.com/achcheck.php, web.reg.md /1/prx90.exe and web.reg.md/1 /prx90.exe as phone back locations. Two new components are dropped - DDnsFilter.dll (MD5: 0x8904BCEBACB2B878FF46C5EB0C5C57EB) and DnsFilter.sys (MD5: 0x30DD915396E46824DA92FE70485F7CF8) - which prevent infected users from interacting with antivirus vendor sites.
Kuku Ruku Koobface! What does Koobface have to do with a legendary cocoa cream wafer, Koukou Roukou, sold in the 90's? It's one of the new domains introduced over the past seven days (kukuruku-290709 .com, now offline thanks to community efforts).
What is the Koobface gang up to anyway? Although they've randomized the automatically generated directories on the compromised sites (kimchistory.freevar .com/fantasticfi1ms; tastemasters .ca/freeem0vie; simonsoderberg .se/mmym0vies; ekespangs .se/meggavide0; akesheronline .com/privalesh0w; belljarstudio .com/bestttube), the gang continues relying on centralized hosting for its campaigns.
Koobface C&C and central malware campaign domains suspended through community efforts:
- glavnij20090809 .com - Email: email@example.com was parked at 188.8.131.52
- kukuruku-290709 .com - Email: firstname.lastname@example.org was parked at 184.108.40.206
- superturbo20090809 .com - Email: email@example.com was parked at 220.127.116.11 (Super Turbo is yet another legendary product sold in the 90's)
- bombimbom20090809 .com - Email: firstname.lastname@example.org was parked at 18.104.22.168 (Bombi Bom is also a classic chewing gum sold in the 90's in Europe/Eastern Europe)
- mishkigammy-060809.com - Email: email@example.com was parked at 22.214.171.124
- piupiu-110809 .com - 126.96.36.199
- xtsd20090815 .com - 188.8.131.52 - Email: firstname.lastname@example.org
- boomer-110809 .com - 184.108.40.206
- upr200908013 .com - 220.127.116.11 - Email: email@example.com
- suz11082009 .com - 18.104.22.168 - Email: firstname.lastname@example.org
- upr0306 .com - 22.214.171.124 China Unicom Guangdong province network - Email: email@example.com
- findhereandnow .com - 126.96.36.199 - Email: firstname.lastname@example.org
The CAPTCHA solving process performed on behalf of the infected victims is exclusively targeting Google web properties (piupiu-110809 .com/cap/tempgoo/GOO8cdabdfe8d68013c6217ce754a519194.jpg). The Koobface worm's captcha7.dll module is active at:
- glavnij20090809 .com/cap/?a=get&i=1&v=7
- suz11082009 .com/cap/?a=get&i=3&v=7
- boomer-110809 .com/cap/?a=get&i=4&v=7
- piupiu-110809 .com/cap/?a=get&i=2&v=7
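As an added example (not code from the original post), a small detector that classifies proxy-log URLs against the Koobface request shapes quoted in this post (the ldgen C&C beacon from UPDATE11, the fb_w.php/fb2.php redirectors, the youtube.com lure paths and the /cap/ CAPTCHA module endpoints above) and decodes the beacon's version and c_* counters. The log format, client IPs and the reading of c_* as per-network counters are assumptions.

```python
# Added example, not code from the original post: classify proxy-log URLs against the
# Koobface paths quoted above and decode the C&C beacon (log lines below are constructed).
import re
from urllib.parse import urlsplit, parse_qs

KOOBFACE_PATHS = {  # request-path shapes taken from the URLs the post lists
    "c2_beacon":      re.compile(r"^/\.sys/?$"),
    "captcha_module": re.compile(r"^/cap/?$"),
    "captcha_image":  re.compile(r"^/cap/tempgoo/GOO[0-9a-f]{32}\.jpg$", re.I),
    "fb_redirector":  re.compile(r"^(?:/redirectsoft)?/go/fb(?:_w|2)\.php$"),
    "youtube_lure":   re.compile(r"^/youtube\.com/(?:w/(?:ups\.php)?|xexe\.php)$"),
}

def parse_beacon(query):
    """Decode an action=ldgen beacon into version plus c_<net> counters. Reading
    c_* as per-network counters is an assumption (post confirms only fb, tw)."""
    q = parse_qs(query, keep_blank_values=True)
    if q.get("action") != ["ldgen"]:
        return None
    counters = {k[2:]: int(v[0]) for k, v in q.items()
                if k.startswith("c_") and v[0].lstrip("-").isdigit()}
    return {"version": q.get("v", [""])[0], "counters": counters}

def classify_url(url):
    """Return (label, details) for a Koobface-shaped URL, else None."""
    parts = urlsplit(url)
    for label, pat in KOOBFACE_PATHS.items():
        if not pat.match(parts.path):
            continue
        details = {"host": parts.hostname}
        if label == "c2_beacon":
            beacon = parse_beacon(parts.query)
            if beacon is None:  # /.sys/ without action=ldgen is not the beacon
                continue
            details.update(beacon)
        return label, details
    return None

def scan_log(text):
    """Constructed log format per line: '<timestamp> <client_ip> <method> <url>'."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 4 and (hit := classify_url(fields[3])):
            hits.append((fields[1],) + hit)
    return hits

SAMPLE_LOG = """2009-08-31T10:00:01 10.0.0.5 GET http://cubman32.net.ua/.sys/?action=ldgen&v=14&c_fb=0&c_tw=0&c_fr=-2
2009-08-31T10:00:03 10.0.0.5 GET http://snimka31082009.com/redirectsoft/go/fb_w.php
2009-08-31T10:00:07 10.0.0.9 GET http://piupiu-110809.com/cap/?a=get&i=2&v=7"""  # constructed
```

Running scan_log(SAMPLE_LOG) yields one hit per line, the first carrying the decoded beacon version and counters; the same classifier can be pointed at a real proxy export once the line format is adjusted.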
BlueConnex Ltd has been notified. The Koobface gang continues enjoying the largest market share of systematic Web 2.0 abuse.
- Movement on the Koobface Front
- Koobface - Come Out, Come Out, Wherever You Are
- Dissecting Koobface Worm's Twitter Campaign
- Dissecting the Koobface Worm's December Campaign
- Dissecting the Latest Koobface Facebook Campaign
- The Koobface Gang Mixing Social Engineering Vectors
Ukrainian "fan club" and the Koobface connection:
- Dissecting a Swine Flu Black SEO Campaign
- Massive Blackhat SEO Campaign Serving Scareware
- From Ukrainian Blackhat SEO Gang With Love
- From Ukrainian Blackhat SEO Gang With Love - Part Two
- From Ukraine with Scareware Serving Tweets, Bogus LinkedIn/Scribd Accounts, and Blackhat SEO Farms
- From Ukraine with Bogus Twitter, LinkedIn and Scribd Accounts
- Fake Web Hosting Provider - Front-end to Scareware Blackhat SEO Campaign at Blogspot
This post has been reproduced from Dancho Danchev's blog.