UPDATE13: The domain snimka31082009 .com has been suspended. As with the domains listed in UPDATE11, it's worth pointing out that once the PrivacyProtect.org WHOIS records revert to their original state, all of the domains turn out to be registered under the name Rancho Ranchev -- from Ukraine with typosquatting.
UPDATE12: A new Koobface domain is in circulation across Facebook - snimka31082009 .com -- snimka means photo -- which redirects to the Chinese IP (China Railcom Guangdong Shenzhen Subbranch) that has been offering hosting services to the Koobface gang since last week - 61.235.117.83 /redirectsoft/go/fb_w.php. The snimka31082009 .com domain is in the process of getting shut down.
UPDATE11: The latest Koobface domains have been suspended:
- masa31082009 .com - Email: yxlvpewoztjox@gmail.com
- pari270809 .com - Email: baoyshzrcwmraq@gmail.com
- rect08242009 .com
- suz11082009 .com
The Koobface gang has also changed the C&C domain in their latest update, pushed throughout the past couple of days. Interestingly, it's a subdomain used in the Twitter campaign from July - cubman32 .net.ua/.sys/?action=ldgen&v=14 and cubman32 .net.ua/.sys/?action=ldgen&f=0&a=-531027389&lang=&v=14&c=0&s=ld&l=1000&ck=0&c_fb=0&c_ms=0&c_hi=0&c_tw=0&c_be=0&c_fr=-2&c_yb=-2&c_tg=0&c_nl=0&c_fu=-2.
UPDATE10: Two new Koobface domains and a new redirector are in circulation across Facebook - rect08242009 .com (61.235.117.83) and pari270809 .com, which redirects to masa31082009 .com/go/fb_w.php. The "fan club" has also pushed an updated version of the malware - web.reg .md/1/v2prx.exe. The domains pari270809 .com, rect08242009 .com and masa31082009 .com are in the process of getting shut down.
UPDATE9: Domain zadnik270809 .com - Email: baoyshzrcwmraq@gmail.com has been suspended.
UPDATE8: Koobface reactivated itself once again at 61.235.117.83 - China Railcom Guangdong Shenzhen Subbranch - a well known Zeus crimeware C&C, which is also apparently used for automated hacking of third-party sites through compromised FTP accounts.
The gang has also introduced a new domain, used exclusively for Facebook campaigns - zadnik270809 .com - in particular zadnik270809 .com/youtube.com/w/?video, which loads zadnik270809 .com/youtube.com/w/ups.php and redirects to a well known Koobface redirector, kiano-180809 .com/go/fb_w.php. Zadnik means a**hole. Domain suspension and IP take down are in progress.
UPDATE7: Earlier today, TelosSolutions confirmed that "this customer has been removed from our network". Great news, taking into consideration the fact that Directi's Abuse Desk has also suspended boomer-110809 .com, as well as upr200908013 .com.
The Koobface gang responded to the take down action by once again moving to China, 61.235.117.83 (China Railcom Guangdong Shenzhen Subbranch) in particular. The IP has been taken care of, with all of Koobface's campaigns once again in an "inactive stage". It's worth pointing out that kallagoon13 .cn and allavers .org are also parked at this Chinese IP, with both domains clearly involved in Zeus crimeware campaigns.
UPDATE6: Following the 24-hour downtime, the Koobface gang has found a new home online, courtesy of Telos-Solutions-AS/Telos Solutions LTD, with an ongoing migration of the Koobface C&C and campaign domains to 91.212.127.140. Take down activities are in progress.
UPDATE5: Oc3 Networks & Web Solutions Llc's abuse team took care of 67.215.238.178. All of the Koobface worm's campaigns once again redirect to nowhere.
UPDATE4: Koobface has been kicked out of China -- again -- courtesy of China's CERT, and is no longer responding at 221.5.74.46. This is the second time that the Koobface gang is using the same IP for its central campaign domains, clearly indicating an ISP which "reserves its right to offer them services in the future once they stop receiving abuse notifications".

So which hosting provider's services is the Koobface botnet using for the time being? It's 67.215.238.178 - AS22298 - Netherlands Distinctio Ltd, which they were also using in the beginning of the month. A new domain is in circulation across social networks/micro blogging services - kiano-180809 .com/go/fb2.php (67.215.238.178) Email: bigvillyxxx@gmail.com. Take down activities are in progress.
UPDATE3: The entire portfolio of Koobface related domains is now parked at 221.5.74.46 - AS17816 - CHINA169-GZ CNCGROUP IP network China169 Guangzhou MAN. For instance, xtsd20090815 .com/youtube.com/xexe.php redirects to the actual IP 221.5.74.46 /redirectsoft/go/fb2.php, with piupiu-110809 .com/achcheck.php and web.reg .md/1/prx90.exe as phone back locations. Two new components are dropped:
- DDnsFilter.dll - MD5: 0x8904BCEBACB2B878FF46C5EB0C5C57EB
- DnsFilter.sys - MD5: 0x30DD915396E46824DA92FE70485F7CF8
Both prevent infected users from interacting with antivirus vendor sites.
UPDATE2: The gang has responded to the take down activities by using the only IP that wasn't shut down, 221.5.74.46, with piupiu-110809 .com and upr200908013 .com already moved there.
Interestingly, now that the gang's centralized domains used in the majority of campaigns are not responding, thanks to the quick reaction of BlueConnex, they've started embedding up to 15 iFrames directly loading IPs from the Koobface botnet. The script is detected as Trojan-Clicker.HTML.IFrame.a. The pattern? Each and every host is serving the fake Facebook page from a similar directory - /0x3E8/. 221.5.74.46 is in the process of getting shut down.
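The iFrame pattern described in UPDATE2 (many frames whose src is a raw IP address serving from a /0x3E8/ directory) is something a defender can check for in captured page content. The following is an added example written for this page, not code from the original post or from any detection vendor; the sample HTML, the 192.0.2.x TEST-NET addresses and the alert threshold of 5 frames are constructed assumptions (the post only says "up to 15").

```python
# Added example (not from the original post): flag pages that embed many
# iframes pointing at IP-literal hosts under the /0x3E8/ directory, the
# fake-Facebook pattern described in UPDATE2.
from html.parser import HTMLParser
from urllib.parse import urlparse
import ipaddress

SUSPICIOUS_DIR = "/0x3e8/"   # directory named in the post (compared case-insensitively)
IFRAME_THRESHOLD = 5         # assumption: alert once this many matching frames are seen


class IframeCollector(HTMLParser):
    """Collect the src attribute of every <iframe> in a document."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value)


def is_ip_literal(host):
    """True when the URL host is a bare IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def analyse_iframes(html_text):
    """Return (matching_srcs, alert) for one HTML document."""
    parser = IframeCollector()
    parser.feed(html_text)
    hits = []
    for src in parser.srcs:
        u = urlparse(src)
        host = u.hostname or ""
        if is_ip_literal(host) and u.path.lower().startswith(SUSPICIOUS_DIR):
            hits.append(src)
    return hits, len(hits) >= IFRAME_THRESHOLD


# Constructed sample page: six hidden frames to TEST-NET IPs plus one benign embed.
SAMPLE_PAGE = "<html><body><h1>Facebook</h1>" + "".join(
    f'<iframe src="http://192.0.2.{n}/0x3E8/" width="1" height="1"></iframe>'
    for n in range(1, 7)
) + '<iframe src="https://example.com/embed"></iframe></body></html>'

BENIGN_PAGE = '<html><body><iframe src="https://example.com/video"></iframe></body></html>'

if __name__ == "__main__":
    for name, page in (("sample", SAMPLE_PAGE), ("benign", BENIGN_PAGE)):
        hits, alert = analyse_iframes(page)
        print(f"{name}: {len(hits)} matching iframes, alert={alert}")
```

The check keys on two properties together (IP-literal host and the /0x3E8/ directory) so that a single legitimate IP-addressed embed does not trip it; the threshold is a tuning knob, not part of the post.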
UPDATE: Three hours after notification, Blue Square Data Group Services Limited ensures that "the customer has been disconnected permanently". It's a fact. All of the Koobface worm's campaigns currently redirect to nowhere. Let's see for how long.
Kuku Ruku Koobface! What does Koobface have to do with Koukou Roukou, a legendary cocoa cream wafer sold in the 90's? It's one of the new domains introduced over the past seven days (kukuruku-290709 .com, now offline thanks to community efforts).

What is the Koobface gang up to anyway? Despite having randomized the automatically generated directories on the compromised sites (kimchistory.freevar .com/fantasticfi1ms; tastemasters .ca/freeem0vie; simonsoderberg .se/mmym0vies; ekespangs .se/meggavide0; akesheronline .com/privalesh0w; belljarstudio .com/bestttube), the gang continues relying on centralized hosting for its campaigns.

During the week, they've migrated from 67.215.238.178/redirectsoft/go/fb_s.php (PacificRack.com) to 85.234.141.92/redirectsoft/go/fb_s.php (BlueConnex Ltd). Interestingly, they did so with all of their currently active domains, the ones used as central redirection points on the thousands of legitimate/malicious sites participating in their campaigns. Merely suspending a domain name wouldn't get you a personal greeting from the Koobface gang, since they'll basically register a new one. Getting them kicked out of several different hosting providers simultaneously would. Upon having their newly pushed domains shut down, the gang stopped using domains and switched to the original IP of their hosting provider, once again requiring direct ISP action instead of the domain registrar's.

Koobface C&C, central malware campaign domains suspended through community efforts:
- glavnij20090809 .com - Email: bigvillyxxx@gmail.com was parked at 85.234.141.92
- kukuruku-290709 .com - Email: kuku.ruku.pam@gmail.com was parked at 85.234.141.92
- superturbo20090809 .com - Email: bigvillyxxx@gmail.com was parked at 85.234.141.92 (Super Turbo is yet another legendary product sold in the 90's)
- bombimbom20090809 .com - Email: bigvillyxxx@gmail.com was parked at 85.234.141.92 (Bombi Bom is also a classic chewing gum sold in the 90's in Europe/Eastern Europe)
- mishkigammy-060809 .com - Email: kuku.ruku.pam@gmail.com was parked at 85.234.141.92

Currently active Koobface C&C domains, also participating in the CAPTCHA-solving, malware campaigns:
- piupiu-110809 .com - 85.234.141.92
- xtsd20090815 .com - 85.234.141.92 - Email: bigvillyxxx@gmail.com
- boomer-110809 .com - 85.234.141.92
- upr200908013 .com - 85.234.141.92 - Email: kfmnmkswrnkcxlgpfdxb68@gmail.com
- suz11082009 .com - 85.234.141.92 - Email: xxmgbtwgdhyv@gmail.com
- upr0306 .com - 221.5.74.46 China Unicom Guangdong province network - Email: bigvillyxxx@gmail.com
- findhereandnow .com - 85.234.141.92 - Email: bigvillyxxx@gmail.com
The CAPTCHA solving process on behalf of the infected victims is exclusively targeting Google web properties (piupiu-110809 .com/cap/tempgoo/GOO8cdabdfe8d68013c6217ce754a519194.jpg). The Koobface worm's captcha7.dll module is active at:
- glavnij20090809 .com/cap/?a=get&i=1&v=7
- suz11082009 .com/cap/?a=get&i=3&v=7
- boomer-110809 .com/cap/?a=get&i=4&v=7
- piupiu-110809 .com/cap/?a=get&i=2&v=7
BlueConnex Ltd has been notified. The Koobface gang continues enjoying the largest market share of systematic Web 2.0 abuse.
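The indicator lists above are written in the post's defanged "domain .tld - IP - Email: address" notation, and the same registrant e-mails and hosting IPs recur across many of the domains. The following added example, written for this page and not code from the original post, refangs those lines, pivots the domains by registrant e-mail and by hosting IP (the clustering the post does by hand), and matches constructed proxy-log lines against the resulting host set and the redirector paths named in the updates. The indicator block, the log format and the 10.0.0.x client addresses are constructed for the demo; the domains, IPs, paths and e-mail addresses are those listed in the post.

```python
# Added example (not from the original post): refang the post's indicator
# lines, pivot them by registrant e-mail / hosting IP, and scan proxy logs.
import re
from collections import defaultdict
from urllib.parse import urlparse

# Indicator lines copied from the post's lists, in its own defanged notation
# (constructed block for the demo; the values are the post's).
INDICATOR_LINES = """
piupiu-110809 .com - 85.234.141.92
xtsd20090815 .com - 85.234.141.92 - Email: bigvillyxxx@gmail.com
boomer-110809 .com - 85.234.141.92
upr200908013 .com - 85.234.141.92 - Email: kfmnmkswrnkcxlgpfdxb68@gmail.com
suz11082009 .com - 85.234.141.92 - Email: xxmgbtwgdhyv@gmail.com
upr0306 .com - 221.5.74.46 - Email: bigvillyxxx@gmail.com
findhereandnow .com - 85.234.141.92 - Email: bigvillyxxx@gmail.com
glavnij20090809 .com - 85.234.141.92 - Email: bigvillyxxx@gmail.com
"""

# Hosting IPs the updates name as Koobface redirector / C&C hosts.
HOSTING_IPS = {"85.234.141.92", "221.5.74.46", "67.215.238.178",
               "91.212.127.140", "61.235.117.83"}

# URL path prefixes of the redirectors and modules named in the post.
KNOWN_PATHS = ("/redirectsoft/go/", "/go/fb", "/cap/", "/youtube.com/w/", "/0x3e8/")


def refang(token):
    """'piupiu-110809 .com' or 'example[.]com' -> 'piupiu-110809.com'."""
    return re.sub(r"\s*\[?\.\]?\s*", ".", token.strip()).lower()


def parse_indicators(text):
    """Parse 'host - ip - Email: addr' lines into dicts (ip/email may be None)."""
    out = []
    for line in text.strip().splitlines():
        parts = [p.strip() for p in line.split(" - ")]
        email = None
        for p in parts[2:]:
            if p.startswith("Email:"):
                email = p.split(":", 1)[1].strip().lower()
        out.append({"host": refang(parts[0]),
                    "ip": parts[1] if len(parts) > 1 else None,
                    "email": email})
    return out


def pivot(indicators, key):
    """Group hosts by a shared attribute ('email' or 'ip') to expose clusters."""
    groups = defaultdict(set)
    for ind in indicators:
        if ind[key]:
            groups[ind[key]].add(ind["host"])
    return {k: sorted(v) for k, v in groups.items()}


# Constructed log format: "<timestamp> <client> \"<method> <url> HTTP/1.x\" <status>"
LOG_RE = re.compile(r'^(?P<ts>\S+) (?P<client>\S+) "(?:GET|POST) (?P<url>\S+) HTTP/1\.[01]"')


def scan_log(lines, indicators):
    """Return (client, host, reasons) for each request touching a known host/IP."""
    hosts = {i["host"] for i in indicators}
    ips = HOSTING_IPS | {i["ip"] for i in indicators if i["ip"]}
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        u = urlparse(m.group("url"))
        host = (u.hostname or "").lower()
        reasons = []
        if host in hosts:
            reasons.append("known Koobface domain")
        if host in ips:
            reasons.append("known Koobface hosting IP")
        if reasons and any(u.path.lower().startswith(p) for p in KNOWN_PATHS):
            reasons.append("redirector/module path " + u.path)
        if reasons:
            hits.append((m.group("client"), host, reasons))
    return hits


# Constructed proxy log lines (clients are RFC 1918 placeholders).
SAMPLE_LOG = [
    '2009-08-31T10:00:01Z 10.0.0.5 "GET http://piupiu-110809.com/cap/?a=get&i=2&v=7 HTTP/1.1" 200',
    '2009-08-31T10:00:02Z 10.0.0.7 "GET http://61.235.117.83/redirectsoft/go/fb_w.php HTTP/1.1" 302',
    '2009-08-31T10:00:03Z 10.0.0.9 "GET http://www.example.com/index.html HTTP/1.1" 200',
    '2009-08-31T10:00:04Z 10.0.0.5 "GET http://upr0306.com/youtube.com/w/ups.php HTTP/1.1" 200',
]

if __name__ == "__main__":
    inds = parse_indicators(INDICATOR_LINES)
    for email, hosts in pivot(inds, "email").items():
        print(f"{email}: {', '.join(hosts)}")
    for client, host, reasons in scan_log(SAMPLE_LOG, inds):
        print(f"{client} -> {host}: {'; '.join(reasons)}")
```

The path prefixes are only reported alongside a host or IP match, since strings like /cap/ are too generic to alert on alone; the e-mail pivot is what lets a defender block the registrant's other domains before they appear in a campaign.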
This post has been reproduced from Dancho Danchev's blog.