Monday, October 28, 2013

Small write-up on Worm-Koobface:

Koobface is an anagram of Facebook. Koobface is a computer worm that targets Facebook users; the infection leads to theft of the user's FTP and Facebook credentials, but not banking details. It uses the infected computer as part of a botnet, i.e. the bots act in a peer-to-peer fashion to get instructions from other compromised computers. In addition, it hijacks the browser to display ads on search queries. It was first detected in 2008. Symantec mentioned that recent variants were found in August 2012.
Infection:
Worm-Koobface spreads through Facebook messages sent from a Facebook friend's compromised computer. Once the message reaches the user, he naturally opens a message that comes from a Facebook friend. Once he opens it, a link redirects him to another compromised computer, which leads to the download of an executable file. After that executable is run, Koobface starts redirecting his search queries to ads and infected sites, and the computer becomes part of the Koobface network, acting like a host computer.
Variants and detection names by antivirus vendor:
Net-Worm.Win32.Koobface.b [Kaspersky], W32/Koobface.worm [McAfee], Boface.A [Panda Software], WORM_KOOBFACE.V [Trend], W32/Koobface-AS [Sophos], W32/Koobface-AL [Sophos], W32/Koobface-AD [Sophos], Koobface.GQ [Panda Software], Koobface.FU [Panda Software], W32/Koobface-N [Sophos], WORM_KOOBFACE.JG [Trend], WORM_KOOBFACE.EX [Trend], WORM_KOOBFACE.EY [Trend], WORM_KOOBFACE.BX [Trend], W32/Koobface.CZ [F-Secure], WORM_KOOBFACE.AZ [Trend], Net-Worm:W32/Koobface.ES [F-Secure], Win32/Koobface.AC [Computer Associates], W32/Koobface.CY [F-Secure], W32/Koobface.BM [F-Secure], WORM_KOOBFACE.F [Trend], WORM_KOOBFACE.E [Trend], Kbface [Panda Software], WORM_KOOBFACE.D [Trend], Troj/Mdrop-CMW [Sophos]

Let us look at a sample of Worm-Koobface:
https://www.virustotal.com/en/file/31e594913eb8a3bd0f94dd73d8aaea33190724d4b06fefd5352c754616882a53/analysis/
I executed this file in a secured environment:
The file was found to self-delete (or be hidden by a rootkit), and Process Explorer showed a file "ld08.exe" running from c:\windows\. Yeah, my target file copied itself into the Windows folder and is running. Ld08.exe is our target file. I saved the memory strings of our target file.

It creates a Run entry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "sysldtray"
Type: REG_SZ
Data: c:\windows\ld08.exe
If you search for that Run entry on Google, you find tons of results stating that it belongs to Koobface:
http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?name=Worm%3aWin32%2fKoobface.I
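A Run-key value launching an executable straight from the root of the Windows folder, as the "sysldtray" entry above does, is the kind of persistence that is cheap to check for. The script below is an added example, not code from the original post: it parses a registry export in the .reg format that regedit produces and flags autorun values whose target lives in a suspicious location. The export text is constructed for the example; only the "sysldtray" value with c:\windows\ld08.exe is taken from the post, and the other two entries and the location rules are this example's own assumptions.

```python
"""Flag suspicious autorun (Run key) values in a .reg export.

Added example, not the post's own tooling. The export below is constructed;
only the 'sysldtray' -> c:\\windows\\ld08.exe value is taken from the post.
"""
import re

# Constructed .reg export (regedit style: backslashes doubled, strings quoted).
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"sysldtray"="c:\\windows\\ld08.exe"
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"updater"="C:\\Users\\alice\\AppData\\Local\\Temp\\upd.exe"
'''

# Autorun keys we care about (compared lower-case).
RUN_KEYS = (
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
)

# Locations a legitimate autorun rarely launches from (assumed rules):
# an .exe directly under the Windows folder root, or any .exe in a Temp folder.
SUSPICIOUS_LOCATIONS = (
    ("windows_root", re.compile(r"^[a-z]:\\windows\\[^\\]+\.exe$")),
    ("temp_folder", re.compile(r"\\temp\\[^\\]+\.exe$")),
)


def parse_reg_export(text):
    """Return {key_path_lower: {value_name: value}} for a .reg export.

    Handles quoted REG_SZ values (unescaping doubled backslashes) and
    dword values; other types are kept as their raw text.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            name, _, value = line.partition("=")
            name = name.strip('"')
            if value.startswith('"') and value.endswith('"'):
                value = value[1:-1].replace("\\\\", "\\")
            elif value.startswith("dword:"):
                value = int(value[len("dword:"):], 16)
            keys[current][name] = value
    return keys


def triage_autoruns(text):
    """Return (reason, value_name, command) for each suspicious Run value."""
    findings = []
    for key, values in parse_reg_export(text).items():
        if key not in RUN_KEYS:
            continue
        for name, cmd in values.items():
            if not isinstance(cmd, str):
                continue
            for reason, pattern in SUSPICIOUS_LOCATIONS:
                if pattern.search(cmd.lower()):
                    findings.append(("autorun_" + reason, name, cmd))
    return findings


if __name__ == "__main__":
    for finding in triage_autoruns(SAMPLE_REG_EXPORT):
        print(finding)
```

Run it as-is to see the two flagged values; on a real host, feed it the output of `reg export` for the Run keys instead of the constructed sample. The system32 entry is deliberately left unflagged to show that the rules key on location, not on the value name.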
Memory strings:
ADVAPI32.dll
%s%so%som
etl
e%sil
t%s%scom
agg
m%s%som/
yspac
%s%sm/
bo.co 23441235gfht22ssg%d
c:\dfd555ff.thd
%sa%sse260320%som
stshan
s%ss%s0090%som
uper
earch2
wn%s40%sm
ames1
%sm0%s09.biz
%sn%s9.info
s6mar0
%s%s009.biz
REM 4sdff4
del "%s"
%s "%s" goto TG3
del "%s"
if exist
c:\353454543.bat
POST
coded
urlen
w-form-
on/x-ww
ati
appl
ent
%s%ld
tent-Length:
Con
tion: close
Connec
Us%sent: Mozilla/4.0 (compatible; MSIE 7.0; %s; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
er-Ag
Host:
HTTP
http://%s%s
sdfs23r32r
s%set
ock
%s%sd
WS%s2.DLL
Unknown OS
Windows NT %d.%d.%d %s
234234g34dsdfg
%sc%sok.com/
%s%sw.g%som
oogle.c
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 00 /f
reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 00 /f
google
www.google.com
GET
ProxyServer
Software\Microsoft\Windows\CurrentVersion\Internet Settings
AC%sK
%s%seck.php
chch
%st%srlA
ernetCrackU
%s%st
nine
c:\34dfg45434.bat
These memory strings give you an idea of what Koobface is doing. The batch file found on the root drive contains:
REM ********
*****
del "c:\windows\temp\********.exe"
if exist "c:\windows\temp\******.exe" goto *****
del "c:\ 34dfg45434.bat"


This batch doesn't do much: it just deletes the target file and then deletes itself. The strings show how it redirects the search.
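The memory strings above are fragmented (the worm builds many of them at runtime with printf-style %s pieces), but they still group neatly by behaviour: batch-file self-deletion, hand-built HTTP requests, reg.exe calls against the Internet Settings key, domain pieces, and hard-coded paths of dropped files. The script below is an added example, not the post's own tooling: it runs a small set of regexes over a strings dump and reports which behaviours the strings support. The sample strings are a subset copied from the dump above; the category names and patterns are this example's own choices.

```python
"""Group strings from a memory dump by the behaviour they suggest.

Added example (not the post's own tooling). SAMPLE_STRINGS is a subset of the
Koobface memory strings shown in the post; categories and regexes are this
example's own assumptions about what those fragments indicate.
"""
import re

SAMPLE_STRINGS = [s for s in r'''
%s%so%som
c:\dfd555ff.thd
REM 4sdff4
del "%s"
%s "%s" goto TG3
if exist
c:\353454543.bat
POST
tent-Length:
Us%sent: Mozilla/4.0 (compatible; MSIE 7.0; %s; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Host:
http://%s%s
WS%s2.DLL
%sc%sok.com/
%s%sw.g%som
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 00 /f
www.google.com
GET
ProxyServer
%s%seck.php
c:\34dfg45434.bat
'''.splitlines() if s]

# (category, pattern, what a hit suggests). Patterns tolerate the split and
# %s-formatted fragments seen in the dump, e.g. "Us%sent" for User-Agent.
INDICATORS = [
    ("proxy_tamper",
     re.compile(r"reg add .*Internet Settings|^Proxy(Enable|Server)$", re.I),
     "touches WinINet proxy settings (reg.exe / Internet Settings values)"),
    ("self_delete_batch",
     re.compile(r'^(del "|if exist|REM |.*goto )', re.I),
     "batch-file fragments used to delete the dropper and the script itself"),
    ("http_client",
     re.compile(r"^(POST|GET|Host:|HTTP|http://|tent-Length|Us%sent)", re.I),
     "hand-built HTTP requests and headers (check-in traffic)"),
    ("domain_fragment",
     re.compile(r"%s.*\.(com|biz|info)|\.(com|biz|info)/?$", re.I),
     "domain or URL pieces, often assembled at runtime with %s"),
    ("dropped_file",
     re.compile(r"^[a-z]:\\[^\\ ]+\.(bat|exe|thd)$", re.I),
     "hard-coded paths of dropped artefacts"),
]


def classify(strings):
    """Return {category: [matching strings]} for categories with at least one hit.

    A string may land in more than one category; every match is recorded.
    """
    hits = {name: [] for name, _, _ in INDICATORS}
    for s in strings:
        for name, pattern, _ in INDICATORS:
            if pattern.search(s):
                hits[name].append(s)
    return {name: matched for name, matched in hits.items() if matched}


def behaviour_summary(strings):
    """One line per category, strongest-supported behaviour first."""
    hits = classify(strings)
    describe = {name: text for name, _, text in INDICATORS}
    ordered = sorted(hits.items(), key=lambda item: -len(item[1]))
    return [f"{name} ({len(matched)} strings): {describe[name]}"
            for name, matched in ordered]


if __name__ == "__main__":
    for line in behaviour_summary(SAMPLE_STRINGS):
        print(line)
```

Unmatched strings (here the pure %s fragments and WS%s2.DLL) are left out of the summary on purpose; in practice you iterate on the pattern list until the residue is noise, and the categories become the outline of a behavioural write-up like the one above.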
Koobface warning:
Using the name of Koobface, hoax warning messages are designed to make users believe them and spread them as posts. These messages are meant to fool Facebook users and make them a bit worried about their online security.
Still, people think that hackers on their friend list might indulge in such activities, but it is not true. Spreading these hoax messages creates panic in people's minds and they might deactivate their accounts. Recent studies say that people in the UK are deactivating their FB accounts because of this hoax message claiming that their account might be compromised. In this digital age, learning about the security risks of the cyber world is a must.
The following image was taken from the Sophos blog:

This image shows how the Koobface actors work.

Format of the hoax message on Koobface:
"Message spreading via Facebook warns about a "Trojan worm" called Knob Face and advises recipients to avoid adding a user called "Smartgirl 15". It also warns users to watch out for links labelled "Barack Obama Clinton scandal"."
In a nutshell, users get confused by these kinds of messages.
Conclusion:
Nowadays, most social networking sites have improved their security by learning the malicious traits and countering them. But people still need to be skeptical and use more sense when accessing social networking sites.

Practical Joke:
A few weeks back, a group on Facebook shared a fancy image and claimed that if you type "like**" and your Facebook password in the comments, it will show your password as ******. This is really magic. I opened the comment section and checked what it was. I saw plenty of users had typed "like**" and their password. I couldn't control my laughter that plenty of idiots are living on this planet :lol::lol::lol:

Reference:

Some of the pictures were taken from top AV write-ups...

Analysis:

It's my own analysis of Worm-Koobface.

Practical Joke:

Based on my real experience

(Note: Worm-Koobface is not an active one nowadays. These samples are a bit older.)

Post made by

newworld
