
Web of Koobface

   27 Feb 10   Filed in Website exploits

This research was prompted by a blog post by Joshua Long in which he lists domain names used by Koobface. Generally I focus on website hacks and don’t research malware distributed via email spam and social networks (Koobface is an anagram of Facebook). However, that list showed me how hacked legitimate sites were integrated into the Koobface scheme, and I decided to investigate how the whole thing worked.

Joshua’s list was a good starting point. I saw multiple rogue blogspot blogs that followed the same pattern and multiple compromised sites to which those blogs redirected. For some reason, most of the functionality of the malicious pages on the hacked sites is implemented in client-side JavaScript, so I could easily retrieve and analyze those scripts. They provided me with very interesting details about the internals of the attack: the sites it expects as referrers and the way infected PCs are used. As a result I came up with the following scheme:

Koobface Attack Flow

Flow of the attack

Most people first meet Koobface when they receive a message with a link to some video from someone they know. It’s either a message from a friend on Facebook or some other social network, or a DM on Twitter. To make the link less suspicious, criminals use URL shorteners like bit.ly, tinyurl.com, etc. This is normal practice on Twitter, where messages are limited to 140 characters. For non-Twitter users such links are also less suspicious than something like “hxxp://www.sfighters .yoyo .pl/ freevideo/?go”, especially when the link is received from a friend.

Another vector is poisoned search results that lead to rogue blogspot blogs that, in turn, redirect visitors to a hacked third party site that coordinates the malicious action.

That site then chooses either the infection path or the direct monetization path.

Infection path

In the case of the infection path, the user is redirected to a specially crafted web page on one of the already infected computers. This page takes into account the site where the user clicked on the malicious link (it may look like YouTube or Facebook). Generally it’s a web page with a “video” that requires an additional download (a player/codec update). This download is a trojan that seems to be used to download the rest of the malicious files and turn the user’s computer into a zombie. Among other bad things, infected PCs help Koobface propagate:

  • they send out messages with malicious links to users’ contacts in social networks
  • they host fake video pages
  • they steal FTP credentials from users’ websites (if they happen to be webmasters) and then create rogue web pages there.

It shouldn’t be a surprise that after such a download the video won’t play. And when disappointed users close the page, they see another window saying that their computer is infected (this time it doesn’t lie) and that they should download a security program (just another trojan) that will “fix” the problem. This happens because the fake video pages have an “onunload” event handler that opens a scareware site when people leave the page. This helps increase the infection rate and monetize the traffic via affiliate relationships with fake AV vendors.

Monetization path

Sometimes the sites that coordinate the attack flow choose the monetization path right away and redirect users to a proxy site (when I checked it was 61 .235 .117 .83) that selects a suitable affiliate link: adult dating sites, pirated video download sites, etc.

Rogue blogs

An interesting part of this attack scheme is the rogue blogspot blogs. They all look the same and are definitely auto-generated.

Here are their distinguishing features:

1. A single post that consists of a news headline (presumably from Google News), for example: “Two journalists released in Somalia – CNN International” or “Obamas’ affection for Hawaii means better times for state – USA Today“. This headline is both the blog title and the title of the only post. The post itself is empty.

2. The addresses of such blogs are composed of several words that resemble names (probably parts of stolen user credentials). E.g. demontlucavincenzo .blogspot.com, jacekjacekroys .blogspot.com, jamaldboeding .blogspot.com, britnymccarville .blogspot.com.

3. The blogs are the only blogspot blogs of their users (one Blogger user -> one blog -> one blog post). The criminals don’t create multiple blogs under the same account (otherwise they could all be easily detected and shut down).

4. They use different default languages for each blog. You can see blogs with user interface in English, Dutch, Chinese, Arabic, Russian, Greek, Hebrew, Turkish, etc. At the same time blog titles (news headlines) are always in English.

5. And the key feature is the script in the <head> section of their HTML that redirects visitors with JavaScript enabled to an intermediary attack site. The script usually starts with something like this:

c3f7db='do';d2beef91="canuqnkmfji".replace(/[anqkfji]+/g,"");eb79c7d9='ent.r'; ...

and is generally well detected by Unmask Parasites.
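To see what a fragment-assembling script of this kind hides without executing it, here is an added Python example (mine, not code from the original post and not part of Koobface) that statically resolves the string assignments. The first three statements of the constructed sample are the ones quoted above: the `.replace(/[anqkfji]+/g,"")` call strips the listed characters from "canuqnkmfji", leaving "cum", so the page’s own fragments already spell "do" + "cum" + "ent.r". The remaining statements (`a91c`, `k0f1`) are my assumption of how such a script might go on; the real continuation is not shown on the page.

```python
import re

# Constructed sample modelled on the fragment quoted above. The first three
# statements are the ones shown on the page; a91c and k0f1 are assumptions
# added to complete the pattern (the real script continues differently).
SAMPLE = (
    "c3f7db='do';"
    'd2beef91="canuqnkmfji".replace(/[anqkfji]+/g,"");'
    "eb79c7d9='ent.r';"
    "a91c='efxerzrer'.replace(/[xz]+/g,'');"
    "k0f1=c3f7db+d2beef91+eb79c7d9+a91c;"
)

# name = 'literal' | "literal", optionally followed by .replace(/[chars]+/g, "")
LITERAL = re.compile(
    r"(\w+)\s*=\s*(?:'([^']*)'|\"([^\"]*)\")"
    r"(?:\.replace\(/\[([^\]]+)\]\+/g,\s*(?:''|\"\")\))?\s*;"
)
# name = a + b + c ...  (concatenation of previously defined fragments)
CONCAT = re.compile(r"(\w+)\s*=\s*((?:\w+\s*\+\s*)+\w+)\s*;")


def strip_class(text, chars):
    """Emulate JavaScript  str.replace(/[chars]+/g, "")  for a plain character
    list (ranges such as a-z are not expanded; the samples never use them)."""
    drop = set(chars)
    return "".join(ch for ch in text if ch not in drop)


def resolve_fragments(source):
    """Statically evaluate fragment assignments in `source` and return
    {variable_name: resolved_string}. Nothing is ever passed to eval."""
    env = {}
    for m in LITERAL.finditer(source):
        name, single, double, cls = m.groups()
        value = single if single is not None else double
        if cls is not None:
            value = strip_class(value, cls)
        env[name] = value
    for m in CONCAT.finditer(source):
        name, expr = m.groups()
        parts = [p.strip() for p in expr.split("+")]
        if all(p in env for p in parts):          # skip references we cannot resolve
            env[name] = "".join(env[p] for p in parts)
    return env


if __name__ == "__main__":
    for name, value in resolve_fragments(SAMPLE).items():
        print(f"{name} = {value!r}")
```

Resolving the fragments this way avoids running attacker-controlled JavaScript in any interpreter; when a sample additionally uses `eval`, `String.fromCharCode` or `unescape`, extend the resolver with those forms rather than reaching for a real JS engine.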

It is clear that the blogs are automatically generated. Probably the CAPTCHA-breaking function of the Koobface trojans is used to create multiple Blogger accounts automatically.

The nature of the blogs’ content makes me think that their primary purpose is search results poisoning. By publishing headlines of breaking news while little relevant legitimate content exists yet, they expect their blogs to be ranked high enough (at least for a short time) for news-related searches. Given how many people use search engines to find details about hot news topics, this may be a working approach.

However, only people at Blogger can say how successful this approach is for the hackers. I tried to search for headlines that appear on Google News but couldn’t find the infected blogs (is this vector still active?). On the other hand, I easily found a couple of big farms of spammy blogspot blogs that used the same trick.

Anyway, I was able to identify several hundred Koobface rogue blogs (and the hacked sites they redirect to) using Google’s Safe Browsing Diagnostic pages. For example, if you check the diagnostic page for any known infected blog (e.g. britnymccarville .blogspot .com) and then click on the links for sites reported as hosting malware (the IP addresses belong to infected PCs and the domain names to hacked legitimate sites), you will see more infected blogspot blogs on subsequent pages.

Checking the blacklisted blogs that still exist, I found that the earliest dates they carry (the dates of their posts) fall in the second half of November 2009 and the most recent in this February. Maybe it’s just a coincidence, but this period almost exactly matches the sharp increase in the number of reported malicious URLs on Google’s network (blogspot.com blogs are part of that network).

Reported URLs on Google network
StopBadware report: Number of Reported URLs on AS 15169 – GOOGLE – Google Inc.

If it’s not a coincidence, then Koobface is responsible for about 80% of reported malicious URLs on Google’s network.

(Thinking aloud: the November dates may have something to do with the fact that Safe Browsing data is limited to the last 90 days, so I just can’t see rogue blogs that had been blacklisted before November. On the other hand, Google’s malware scanners revisit infected sites once in a while and update their status, so I would still expect to see some records for sites that had first been blacklisted before last November. If they exist.)

Some of the blogs I checked have already been shut down. I wonder why Blogger doesn’t shut them all down, since it can easily obtain a list of the rogue blogs from Google’s own Safe Browsing database. (I could manually retrieve more than 300 unique Koobface blogs using only the Safe Browsing diagnostic pages, which provide very limited and incomplete information.) These blogs are not infected legitimate blogs: they are 100% malicious and created by non-existent users. And they can be easily distinguished from any legitimate blog (even by a pretty simple automated scanner). Blogger, you can safely delete all those blogs and users! Why wait?

Hacked legitimate sites

Now let’s talk about the compromised legitimate sites that work as intermediaries in this attack.

Hackers create a new directory where they place their files. The malicious URLs have the following structure: http://www.hacked-site.com/rogue_dir/?go

Here are some real examples (be careful):

www .uniquecreationbabies .co.za/supervids/?go
www .piratedb .net/index.htm/?go
ritmotours .com .tr/main/?go
www .sfighters .yoyo .pl/freevideo/?go

If you request the URL without the ?go part, you will see a page that contains a blurry thumbnail of a video page and a Flash file that redirects visitors to the ?go page (thanks Pob).

The ?go page consists only of one moderately obfuscated script:

KROTEG script

The first thing you see is two lists at the very top of the script. The first is a list of expected referrers:

  • facebook.com
  • tagged.com
  • friendster.com
  • myspace.com
  • msplinks.com
  • lnk.ms
  • myyearbook.com
  • fubar.com
  • twitter.com
  • hi5.com
  • bebo.com

No comments required. These are the primary places of Koobface distribution.
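The referrer list doubles as a detection signature for webmasters: a directory on a small site does not normally receive hits on a bare `?go` query arriving from half a dozen social networks. The following added Python example (mine, not from the post) parses Apache/nginx combined-format access logs and reports directories that received such hits, together with the two other traces the post describes: visits referred from blogspot blogs and fetches of a .swf file from the same directory. The log lines are constructed: the client IPs are documentation ranges, www.example.com stands for the hacked site, and the `n0ld7q.swf` file name is the one the post quotes in its detection advice.

```python
import re
from urllib.parse import urlsplit

# Referrers the intermediary script expects (the list quoted above).
KOOBFACE_REFERRERS = (
    "facebook.com", "tagged.com", "friendster.com", "myspace.com", "msplinks.com",
    "lnk.ms", "myyearbook.com", "fubar.com", "twitter.com", "hi5.com", "bebo.com",
)

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Constructed sample log (not real traffic): documentation-range IPs,
# www.example.com stands in for the hacked site.
SAMPLE_LOG = """\
203.0.113.5 - - [27/Feb/2010:10:01:02 +0000] "GET /supervids/?go HTTP/1.1" 200 1834 "http://www.facebook.com/" "Mozilla/5.0"
203.0.113.9 - - [27/Feb/2010:10:01:07 +0000] "GET /supervids/?go HTTP/1.1" 200 1834 "http://twitter.com/" "Mozilla/5.0"
198.51.100.2 - - [27/Feb/2010:10:02:10 +0000] "GET /supervids/ HTTP/1.1" 200 5120 "http://britnymccarville.blogspot.com/" "Mozilla/5.0"
198.51.100.2 - - [27/Feb/2010:10:02:11 +0000] "GET /supervids/n0ld7q.swf HTTP/1.1" 200 912 "http://www.example.com/supervids/" "Mozilla/5.0"
192.0.2.7 - - [27/Feb/2010:10:05:00 +0000] "GET /index.php?go=home HTTP/1.1" 200 7000 "http://www.google.com/" "Mozilla/5.0"
192.0.2.8 - - [27/Feb/2010:10:06:00 +0000] "GET /about/ HTTP/1.1" 200 3000 "http://www.facebook.com/" "Mozilla/5.0"
"""


def referrer_host(referer):
    """Lower-cased host of a Referer value; '' for '-' or garbage."""
    return (urlsplit(referer).hostname or "").lower()


def is_social_referrer(referer):
    """Exact or subdomain match against the Koobface referrer list
    (suffix matching on the registered domain, so facebook.com.evil.test is not a hit)."""
    host = referrer_host(referer)
    return any(host == d or host.endswith("." + d) for d in KOOBFACE_REFERRERS)


def is_blogspot_referrer(referer):
    host = referrer_host(referer)
    return host == "blogspot.com" or host.endswith(".blogspot.com")


def is_go_url(path):
    """True only for the Koobface shape '/dir/?go': a directory index with the bare query 'go'."""
    parts = urlsplit(path)
    return parts.query == "go" and parts.path.endswith("/")


def find_rogue_dirs(log_text):
    """Return {directory: {'go', 'social', 'blogspot', 'swf'}} for every directory
    that received at least one '?go' hit; the other counters are supporting evidence."""
    stats = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                                  # skip lines in another format
        path, referer = m.group("path"), m.group("referer")
        parts = urlsplit(path)
        directory = parts.path[: parts.path.rfind("/") + 1]
        d = stats.setdefault(directory, {"go": 0, "social": 0, "blogspot": 0, "swf": 0})
        if is_go_url(path):
            d["go"] += 1
            if is_social_referrer(referer):
                d["social"] += 1
        if is_blogspot_referrer(referer):
            d["blogspot"] += 1
        if parts.path.lower().endswith(".swf"):
            d["swf"] += 1
    return {k: v for k, v in stats.items() if v["go"]}


if __name__ == "__main__":
    for directory, counts in find_rogue_dirs(SAMPLE_LOG).items():
        print(directory, counts)
```

Referer is client-supplied and often absent (URL shorteners, HTTPS-to-HTTP navigation, privacy settings), so the `?go` count on its own is the stronger signal; the social and blogspot counters only corroborate it. Hits on `?go` referred from your own `/dir/` page are expected too, since that page is the one with the Flash redirect.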

Infected PCs

The second list contains 20 IP addresses. This list is different on every hacked site. When I checked the IPs with DomainTools I discovered that they all belonged to different cable and broadband Internet service providers. In other words, they are IPs of regular home and office PCs.

This list is used to create 20 external script references and load them on the fly. If the rogue web server on an infected computer is working at that moment, it responds with the URL of a fake video page that it hosts. Then, using a timer, the intermediary page checks when such a URL has become available and redirects people there.

Quick Q&A

Q: Why use infected PCs as malicious web servers?
A: Why not? They control thousands of infected zombie PCs that are powerful enough, have a decent Internet connection and many of them have static IPs.

Q: Why 20 IPs?
A: Remember that home PCs are not always turned on and connected to the Internet. Moreover, the malware can be removed from infected computers any time. So hackers try to connect to 20 different infected PCs at the same time to increase chances that at least one of them is ready to serve the fake video page.

Q: What happens if web servers on more than one IP are available at the same time? Will people see more than one fake video page?
A: No. The intermediary sites wait for any redirect URL to be available. When they detect that some of the loaded (from infected PCs) scripts provided such a URL, visitors get redirected. All subsequent redirect URLs are simply discarded.

To webmasters

This post contains some important information for webmasters, and I want to sum it up here.

Keep your PC clean

If you don’t want your sites to be hacked, you should keep your PCs clean from malware.

Per TrendMicro, among other bad things, Koobface installs a variant of the LDPinch trojan that steals email, IM and FTP credentials. Here is the list of the targeted FTP clients TrendMicro provides (PDF) in their Koobface review (compare it with the list I published here a few months ago):

  • Total Commander
  • cuteFTP
  • Ipswitch
  • SmartFTP
  • Coffeecup Software
  • FTP commander (Pro, Deluxe)
  • FlashFXP
  • FileZilla

So get a decent antivirus program and a Firewall that will block unauthorized network activity (e.g. trojans sending your FTP credentials to bad guys).

Try not to save passwords in FTP clients (especially in those listed above) if they don’t provide master key encryption.

If your hosting plan includes SFTP (or FTPS), switch to the secure protocol immediately and forget about FTP, which sends everything (including your passwords) in plain text. Most popular FTP clients support secure protocols, so this switch will be painless.

Although Koobface doesn’t use browser/plugin vulnerabilities, I still insist that you keep your whole system (OS, web browser, Java, Flash, Adobe Reader, etc.) up-to-date. There are many other web threats that exploit vulnerabilities of (even slightly) outdated software.

I recommend that you use Firefox with the NoScript extension. This extension allows only trusted scripts and active content to execute, which makes web surfing more secure. As I showed above, Koobface actively uses JavaScript on both the intermediary and the fake video pages. With NoScript, you would hardly reach the pages that actually serve malicious files. Unfortunately, this extension is only available for Firefox at this time. If you know any alternatives, please leave a comment.

If your site is hacked…

If you were unlucky, your site may have been hacked. Here is what you can do to detect this.

  1. Scan your server for new suspicious files and directories.
  2. Search for suspicious .swf files (especially if you don’t use Flash). In the rogue directories, hackers place a Flash file with a name like “n0ld7q.swf”.
  3. Search for files that contain this string: KROTEG. I see it at the top of the main script on every compromised (by Koobface) site.
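The three checks above can be run in one pass over the web root. The following added Python example (mine, not from the post) walks a directory tree and reports recently modified directories, .swf files, and files whose first 64 KB contain the KROTEG marker. `build_sample_tree()` constructs a throwaway web root in a temp directory for demonstration; its file contents are stubs, and the rogue directory name and the `n0ld7q.swf` name are taken from the post.

```python
import os
import time
import tempfile

MARKER = b"KROTEG"          # string seen at the top of the main script on compromised sites


def scan_webroot(root, newer_than_days=30, now=None):
    """Walk `root` and return three sorted lists of relative paths (with '/' separators):
    directories modified within `newer_than_days`, .swf files, and files carrying MARKER."""
    now = time.time() if now is None else now
    cutoff = now - newer_than_days * 86400
    found = {"recent_dirs": [], "swf_files": [], "marker_files": []}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames:
            full = os.path.join(dirpath, name)
            if os.stat(full).st_mtime >= cutoff:
                found["recent_dirs"].append(os.path.relpath(full, root).replace(os.sep, "/"))
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if name.lower().endswith(".swf"):
                found["swf_files"].append(rel)
            with open(full, "rb") as fh:          # the marker sits at the top of the script,
                if MARKER in fh.read(65536):      # so the first 64 KB are enough
                    found["marker_files"].append(rel)
    return {k: sorted(v) for k, v in found.items()}


def build_sample_tree():
    """Create a constructed web root: an old, clean site plus a rogue 'supervids'
    directory in the shape the post describes. Returns the temp directory path."""
    root = tempfile.mkdtemp(prefix="webroot_")
    os.makedirs(os.path.join(root, "images"))
    os.makedirs(os.path.join(root, "supervids"))
    files = {
        "index.html": b"<html><body>Welcome</body></html>\n",
        "images/logo.png": b"\x89PNG\r\n\x1a\n",                       # stub bytes, not a real image
        # constructed '?go' page: marker at the top, as on real compromised sites
        "supervids/index.html": b"<script>/*KROTEG*/var r=document.referrer;</script>\n",
        "supervids/n0ld7q.swf": b"FWS\x08",                            # stub bytes, not a real Flash file
    }
    for rel, data in files.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)
    # age the legitimate files and directory so that only the rogue directory looks new
    old = time.time() - 400 * 86400
    for rel in ("index.html", "images/logo.png", "images"):
        os.utime(os.path.join(root, rel), (old, old))
    return root


if __name__ == "__main__":
    report = scan_webroot(build_sample_tree())
    for key, paths in report.items():
        print(f"{key}: {paths}")
```

Modification times are attacker-controlled (a `touch` resets them), so treat the recent-directory list as a hint and the marker and .swf lists as the firmer evidence; on a real server, also compare the tree against a known-good backup rather than relying on timestamps alone.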

Google’s malware warnings

If your site is blacklisted by Google and you don’t know why (you can’t find anything wrong in your web pages), check the Safe Browsing diagnostic page ( http://www.google.com/safebrowsing/diagnostic?site=your-site-domain.com ). If this page mentions several blogspot blogs that your site has infected (example), chances are your site is being exploited by Koobface and you should search for a rogue directory on your server.

When you identify and remove the cause of the problem, don’t forget to request a malware review via Google Webmaster Tools to have your site removed from the blacklist.

To learn more about Google’s malware warnings and how to deal with them, you might want to read my practical guide.

Summary

This was the first time I worked with Koobface. It’s such a complex, multi-tier, heterogeneous malware attack that I don’t expect to have covered everything correctly on the first try. Even the visible (web) part of the Koobface iceberg is very impressive:

  • Social Networks
  • Search Engines
  • Rogue blogs
  • Hacked legitimate sites
  • Web servers on infected PCs
  • Scareware and other “grey/black” affiliate sites.
  • and I haven’t even mentioned the exploit files hosted on image-sharing sites as .JPG files (per TrendMicro)

And the hidden part (malware on infected PCs and botnet coordination) that I don’t even try to research myself is monstrous (Check this visualization and explanation (PDF) by TrendMicro).

Have your say

So if you find any mistakes in this post or want to share some missing details, please leave your comment here.

I would also be interested in hearing from webmasters of the hacked sites exploited by Koobface. I’d like to take a look at the files the attackers upload (I still don’t know whether they use server-side scripts or just add some .htaccess logic for different types of requests).

Thanks for reading.


Reader's Comments (5)

  1.

    Thanks for taking the time to write this up. I’m responsible for our handling of abuse on Blogger, and have routed this to the engineers responsible for detecting and shutting down exactly this kind of content.

    This coincides with a lot of analysis we’ve been doing over the past several weeks about a variety of abuse vectors, and I’ll be writing up our thoughts on Blogger Buzz (http://buzz.blogger.com/) in the near future.

    Thanks again.

    Rick Klau
    PM, Blogger

  2.

    Denis,

    there are some facts here pointing towards “quicksilver”: yoyo.pl, another host on the subnet 61.235.117.0 and the infection with koobface itself. It seems to me these malware networks are constantly moving and evolving – playing “catch me if you can” with all of us.

    Regards, JVD.

  3.

    [...] although with several variants (see in particular the "To Webmasters" section): http://blog.unmaskparasites.com/2010…b-of-koobface/ http://us.trendmicro.com/imperia/md/…ce_jul2009.pdf All of this is also precisely confirmed on the [...]

  4.

    [...] access credentials for any websites managed from that PC. Among these, very recently, koobface: http://blog.unmaskparasites.com/2010…b-of-koobface/ The "To Webmasters" section of this post is important. [...]