This research was prompted by the following blog post by Joshua Long, where he lists domain names used by Koobface. Generally, I focus on website hacks and don’t research malware distributed via email spam and social networks (Koobface is an anagram of Facebook). However, that list showed me how hacked legitimate sites were integrated into the Koobface scheme, and I decided to investigate how the whole thing worked.
Most people first meet Koobface when they receive a message with a link to some video from someone they know. It’s either a message from a friend on Facebook or some other social network, or a DM on Twitter. To make the link less suspicious, criminals use URL shorteners like bit.ly, tinyurl.com, etc. This is normal practice on Twitter, where messages are limited to 140 characters. For non-Twitter users such links are also less suspicious than something like “hxxp://www.sfighters .yoyo .pl/ freevideo/?go”, especially when the link is received from a friend.
Another vector is poisoned search results that lead to rogue blogspot blogs that, in turn, redirect visitors to a hacked third party site that coordinates the malicious action.
That site can choose either the infection path or the direct monetization path.
In the case of the infection path, the user is redirected to a specially crafted web page on one of the already infected computers. This page takes into account the site where the user clicked on the malicious link (it may look like YouTube or Facebook). Generally it’s a web page with a “video” that requires an additional download (a player/codec update). This download is a trojan that seems to be used to download the rest of the malicious files and turn the user’s computer into a zombie. Among other bad things, infected PCs help Koobface propagate.
It shouldn’t be a surprise that after such a download the video won’t play. And when disappointed users close the page, they see another window saying that their computer is infected (this time it doesn’t lie) and that they should download a security program (which is just another trojan) that will “fix” the problem. This happens because the fake video pages have an “onunload” event handler that opens a scareware site when people leave the page. This helps increase the infection rate and monetize the traffic via affiliate relationships with fake AV vendors.
Sometimes the sites that coordinate the attack flow decide to choose the monetization path right away and redirect users to a proxy site (when I checked it was 61 .235 .117 .83) that selects a proper affiliate link: adult dating sites, pirated video download sites, etc.
An interesting part of this attack scheme is the rogue blogspot blogs. They all look the same and are definitely auto-generated.
Here are their distinguishing features:
1. A single post that consists of a news headline (presumably from Google News), for example: “Two journalists released in Somalia – CNN International” or “Obamas’ affection for Hawaii means better times for state – USA Today”. This headline is both the blog title and the title of the only post. The post itself is empty.
2. The addresses of such blogs are composed of several words that resemble names (probably parts of stolen user credentials). E.g. demontlucavincenzo .blogspot.com, jacekjacekroys .blogspot.com, jamaldboeding .blogspot.com, britnymccarville .blogspot.com.
3. The blogs are the only blogspot blogs of their users (One Blogger user -> one blog -> one blogpost). They don’t create multiple blogs under the same account (otherwise they can all be easily detected and shut down).
4. They use different default languages for each blog. You can see blogs with user interface in English, Dutch, Chinese, Arabic, Russian, Greek, Hebrew, Turkish, etc. At the same time blog titles (news headlines) are always in English.
Such blogs are generally well detected by Unmask Parasites.
It is clear that the blogs are automatically generated. Probably the CAPTCHA-breaking function of Koobface trojans is used to automatically create multiple Blogger accounts.
The nature of the blogs’ content makes me think that their primary purpose is search results poisoning. By publishing headlines of breaking news while little relevant legitimate content exists yet, they expect their blogs to be ranked high enough (at least for a short time) for news-related searches. Given how many people use search engines to find details about hot news topics, this may be a working approach.
However, only people at Blogger can say how successful this approach is for the hackers. I tried to search for headlines that appear on Google News but couldn’t find the infected blogs (is this vector still active?). On the other hand, I easily found a couple of big farms of spammy blogspot blogs that used the same trick.
Anyway, I was able to identify several hundred Koobface rogue blogs (and the hacked sites they redirect to) using Google’s Safe Browsing Diagnostic pages. For example, if you check the diagnostic page for any known infected blog (e.g. britnymccarville .blogspot .com ) and then click on the links for sites reported as hosting malware (the IP addresses belong to infected PCs and the domain names to hacked legitimate sites), you will see more infected blogspot blogs on subsequent pages.
Checking the blacklisted blogs that still exist, I found that the earliest dates they have (the dates of the blog posts) are in the second half of November 2009 and the most recent are from this February. Maybe it’s just a coincidence, but this period almost exactly matches the sharp increase in the number of reported malicious URLs on Google’s network (blogspot.com blogs are a part of that network).
If it’s not a coincidence, then Koobface is responsible for about 80% of reported malicious URLs on Google’s network.
(Thinking aloud: the November dates may have something to do with the fact that Safe Browsing data is limited to the last 90 days, so I just can’t see rogue blogs that had been blacklisted before November. On the other hand, Google’s malware scanners revisit infected sites once in a while and update their status, so I would still expect to see some records for sites that had first been blacklisted before last November. If they exist.)
Some of the blogs I checked have already been shut down. I wonder why Blogger doesn’t shut them all down, since they can easily obtain a list of the rogue blogs from Google’s own Safe Browsing database. (I could manually retrieve more than 300 unique Koobface blogs using only Safe Browsing diagnostic pages, which provide very limited and incomplete information.) These blogs are not infected legitimate blogs – they are 100% malicious and created by non-existent users. And they can be easily distinguished from legitimate blogs (even by a pretty simple automated scanner). Blogger, you can safely delete all those blogs and users! Why wait?
Now let’s talk about the compromised legitimate sites that work as intermediaries in this attack.
Hackers create a new directory where they place their files. The malicious URLs have the following structure: http://www.hacked-site.com/rogue_dir/?go
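To show how simple such an automated scanner could be, here is an added example (not part of the original post, and not Unmask Parasites’ or Blogger’s code) that scores a blog record against the four distinguishing features listed above. The record schema and both sample records are constructed for this example; only the rogue title and subdomain are taken from the post.

```python
import re

# Name-like addresses such as britnymccarville: concatenated lowercase words, no digits or hyphens.
NAMEISH_SUBDOMAIN = re.compile(r"^[a-z]{10,}$")

def split_headline(title: str):
    """Split a Google News style title 'Headline – Source' into its two parts, or return None."""
    for sep in (" \u2013 ", " - "):          # en dash or plain hyphen
        if sep in title:
            return tuple(title.rsplit(sep, 1))
    return None

def is_english_text(text: str) -> bool:
    """Crude check for 'always in English' titles: every letter is an ASCII letter."""
    return all(ch.isascii() for ch in text if ch.isalpha())

def koobface_blog_score(blog: dict) -> int:
    """Count how many of the post's distinguishing features a (constructed) blog record matches."""
    score = 0
    posts = blog["posts"]
    if blog["blogs_owned_by_user"] == 1 and len(posts) == 1:
        score += 1                                  # one Blogger user -> one blog -> one post
    if len(posts) == 1 and posts[0]["body"].strip() == "":
        score += 1                                  # the only post is empty
    if len(posts) == 1 and posts[0]["title"] == blog["title"]:
        score += 1                                  # headline is both blog title and post title
    parts = split_headline(blog["title"])
    if parts and parts[0] and parts[1][:1].isupper() and is_english_text(blog["title"]):
        score += 1                                  # English "Headline – News source" title
    if NAMEISH_SUBDOMAIN.match(blog["subdomain"]):
        score += 1                                  # address built from name-like words
    return score

def looks_like_koobface_blog(blog: dict, threshold: int = 4) -> bool:
    return koobface_blog_score(blog) >= threshold

# Constructed sample records (hypothetical schema; the rogue title and subdomain come from the post).
HEADLINE = "Two journalists released in Somalia \u2013 CNN International"
ROGUE = {"subdomain": "britnymccarville", "title": HEADLINE,
         "blogs_owned_by_user": 1,
         "posts": [{"title": HEADLINE, "body": ""}]}
LEGIT = {"subdomain": "joes-garden-2009", "title": "Joe's Garden",
         "blogs_owned_by_user": 2,
         "posts": [{"title": "Spring planting", "body": "This year I planted tomatoes..."},
                   {"title": "Harvest", "body": "First harvest of the season."}]}

if __name__ == "__main__":
    for name, rec in (("rogue", ROGUE), ("legit", LEGIT)):
        print(name, koobface_blog_score(rec), looks_like_koobface_blog(rec))
```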
Here are some real examples (be careful):
www .uniquecreationbabies .co.za/supervids/?go
www .piratedb .net/index.htm/?go
ritmotours .com .tr/main/?go
www .sfighters .yoyo .pl/freevideo/?go
If you request the URL without the ?go part, you will see a page that contains a blurry thumbnail of a video page and a Flash file that redirects visitors to the ?go page (thanks Pob).
The ?go page consists only of one moderately obfuscated script:
The first thing you see is two lists at the very top of the script. The first is a list of expected referrers:
No comments required. These are the primary places of Koobface distribution.
The second list contains 20 IP addresses. This list is different on every hacked site. When I checked the IPs with DomainTools, I discovered that they all belonged to different cable and broadband Internet service providers. In other words, they are IPs of regular home and office PCs.
This list is used to create 20 external script elements and load them on the fly. If a rogue web server on an infected computer is working at that moment, it should respond with the URL of a fake video page that it hosts. Then, using a timer, the intermediary site checks whether such a URL has become available and redirects people there.
Q: Why use infected PCs as malicious web servers?
A: Why not? They control thousands of infected zombie PCs that are powerful enough, have a decent Internet connection and many of them have static IPs.
Q: Why 20 IPs?
A: Remember that home PCs are not always turned on and connected to the Internet. Moreover, the malware can be removed from infected computers any time. So hackers try to connect to 20 different infected PCs at the same time to increase chances that at least one of them is ready to serve the fake video page.
Q: What happens if web servers on more than one IP are available at the same time? Will people see more than one fake video page?
A: No. The intermediary sites wait for any redirect URL to be available. When they detect that some of the loaded (from infected PCs) scripts provided such a URL, visitors get redirected. All subsequent redirect URLs are simply discarded.
This post contains some important information for webmasters, and I want to sum it up here.
If you don’t want your sites to be hacked, you should keep your PCs clean from malware.
Per TrendMicro, among other bad things, Koobface installs a variant of the LDPinch trojan that steals email, IM and FTP credentials. Here is the list of the targeted FTP clients TrendMicro provides (PDF) in their Koobface review (compare it with the list I published here a few months ago):
So get a decent antivirus program and a Firewall that will block unauthorized network activity (e.g. trojans sending your FTP credentials to bad guys).
Try not to save passwords in FTP clients (especially in those listed above) if they don’t provide master key encryption.
If your hosting plan includes SFTP (or FTPS), switch to the secure protocol immediately and forget about FTP that sends everything (including your passwords) in plain text. Most popular FTP clients support secure protocols so this switch will be painless.
Although Koobface doesn’t use browser/plugin vulnerabilities, I still insist that you keep your whole system (OS, web browser, Java, Flash, Adobe Reader, etc.) up-to-date. There are many other web threats that exploit vulnerabilities of (even slightly) outdated software.
If you were unlucky, your site may already have been hacked. Here is what you can do to detect this.
If your site is blacklisted by Google and you don’t know why (you can’t find anything wrong in your web pages), check the Safe Browsing diagnostic page ( http://www.google.com/safebrowsing/diagnostic?site=your-site-domain.com ). If this page mentions several blogspot blogs that your site has infected (example), chances are your site is being exploited by Koobface and you should search for a rogue directory on your server.
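To make the “search for a rogue directory” step concrete, here is an added example (not part of the original post, and not Google’s or Unmask Parasites’ code) that walks a web root and flags pages showing the traits of the ?go script described above: a long list of bare IP addresses, a referrer list naming social networks and URL shorteners, dynamic script loading with a timer, and an onunload handler. The sample page it ships with is a constructed fixture using TEST-NET placeholder addresses, not a real Koobface script.

```python
import os
import re

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Referrer hosts named in the post as Koobface distribution channels.
REFERRER_HINTS = ("facebook.com", "twitter.com", "bit.ly", "tinyurl.com", "blogspot.com")
# Tokens expected from a script that builds script tags on the fly and polls with a timer.
DYNAMIC_LOAD_HINTS = ("createElement", "setTimeout", "setInterval", "location")

def score_page(text: str) -> list:
    """Return a list of human-readable findings for one page's source text."""
    ips = set(IPV4.findall(text))
    refs = [h for h in REFERRER_HINTS if h in text]
    dyn = [h for h in DYNAMIC_LOAD_HINTS if h in text]
    findings = []
    if len(ips) >= 10:
        findings.append(f"{len(ips)} distinct bare IPv4 literals (infected-PC list?)")
    if len(refs) >= 2:
        findings.append("referrer list mentions " + ", ".join(refs))
    if "onunload" in text.lower():
        findings.append("onunload handler (used to pop the scareware page)")
    if len(dyn) >= 2 and ips:
        findings.append("dynamic script loading keyed on the IP list")
    return findings

def scan_webroot(root: str, min_findings: int = 2) -> dict:
    """Walk a directory tree and map each suspicious file path to its findings."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".html", ".htm", ".php", ".js")):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    findings = score_page(fh.read())
            except OSError:
                continue
            if len(findings) >= min_findings:
                hits[path] = findings
    return hits

# Constructed fixture: the shape of a ?go page, with 192.0.2.0/24 (TEST-NET-1) placeholder IPs.
SAMPLE_ROGUE = ('var refs=["facebook.com","twitter.com","bit.ly"];'
                'var ips=[' + ",".join(f'"192.0.2.{i}"' for i in range(1, 21)) + '];'
                'function go(){var s=document.createElement("script");setTimeout(poll,500);}'
                '<body onunload="pop()">')
SAMPLE_BENIGN = "<html><body><p>Welcome to our small business site.</p></body></html>"

if __name__ == "__main__":
    print(score_page(SAMPLE_ROGUE))        # four findings for the constructed fixture
    print(scan_webroot("."))               # run from the web root to list suspicious files
```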
To learn more about Google’s malware warnings and how to deal with them, you might want to read my practical guide.
This was the first time I worked with Koobface. It is such a complex, multi-tier, heterogeneous malware attack that I don’t expect I managed to cover everything correctly on the first try. Even the visible (web) part of the Koobface iceberg is very impressive:
So if you find any mistakes in this post or want to share some missing details, please leave your comment here.
I would also be interested in hearing from webmasters of the hacked sites used by Koobface. I’d like to take a look at the files they upload (I still don’t know whether they use server-side scripts or just add some .htaccess logic for different types of requests).
Thanks for reading.