2010.11.22 Information Security News Briefing. Presenters: 劉旭哲, 曾家雄. Spam down, but malware up...


Page 1: 2010.11.22 Information Security News Briefing. Presenters: 劉旭哲, 曾家雄

Page 2: Spam down, but malware up

Presenter: 劉旭哲

Page 3: Nov 17, McAfee Threats Report: Third Quarter 2010

Spam has declined, but malware is increasing.

Page 4: Spam is still high

It continued its overall decline from January, both globally and nationally. But identity theft, phishing attacks, and malicious links remain as serious as ever. e.g. US

Page 5: Malware continues to be the biggest threat

This year they have identified more than 14 million unique pieces of malware, over one million more than at the same time last year. The increase has slowed, but the growth continues.

Page 6:

Page 7: A mix of many established standards

Mainly in the form of password-stealing Trojans, AutoRun malware, and fake AV software.

For example: Zeus, Koobface

Page 8: Conclusion

Cybercriminals are becoming smarter.

Attacks are becoming increasingly severe.

Focus on mobile devices and social-networking sites.

Page 10:

Page 11: Delivery Status Notification

Page 12: Koobface: Inside a Crimeware Network

November 12, 2010, by Nart Villeneuve

Page 13: A New Botnet

From April to November 2010, the Information Warfare Monitor investigated the operations and monetization strategies of the Koobface botnet.

Page 14: Koobface

Koobface maintains a system that uses social networking platforms to send malicious links, such as Bebo, Facebook, Friendster, Fubar, Hi5, MySpace, Netlog, Tagged, Twitter, etc.

Koobface also leverages connections to other malware groups associated with Bredolab, Gumblar, Meredrop, and Piptea.

Page 15: Koobface

The Koobface operators also employ counter-measures against security efforts to counter their operations: the “banlist” of Internet protocol

Koobface operators carefully monitor whether any of their URLs have been flagged as malicious by Facebook or Google.

Page 16: Propagation

Koobface spreads by using credentials on compromised computers to log in to the victim’s account.

It sends messages that contain links to malware to friends that are linked to the account.

Page 17: Propagation

Page 18: Propagation

The malicious link is often concealed using a URL shortening service.

It redirects the victim to a malicious Web page that encourages the user to run the accompanying executable.

These malicious pages purport to be YouTube pages that require a new codec or an Adobe Flash upgrade in order to view the video.

Page 19: Propagation

Page 20: Infrastructure

Koobface maintains an infrastructure that integrates command and control capabilities. Zombie proxies obscure the location of the C&C.

Page 21: Command and Control

Koobface’s main command and control server is hosted on 85.13.206.115 (Coreix, GB).

It maintains a database that contains information on the infrastructure of the Koobface botnet: the compromised hosts that have been turned into relays and are used by the operators to proxy requests.

Page 22: Command and Control

Koobface maintains a number of fraudulent accounts with third-party services.

Koobface also appears to use compromised computers to host landing pages.

Page 23: Command and Control

The Koobface malware has a modular structure that allows the botnet operators to install additional components on compromised computers based on specific criteria.

The compromised computer connects to one of Koobface’s relay Web servers, which act as proxies of the C&C.

Page 24: Command and Control

The malware on the compromised host requests URLs that contain the parameters fbgen, ldgen, ppgen, and CAPTCHA.
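A defender-side check for this slide and for the relay/C&C traffic described on slides 21 and 23: the Python below is added here and is not part of the briefing or of the Information Warfare Monitor report. It scans constructed proxy-log lines for requests whose query string carries the parameter tokens named on the slide, and for any contact with the C&C address on slide 21. The log format, the hostnames and client addresses, and the rule that treats "captcha" as a weak indicator (reported only for a client that already produced a strong hit, since the word is common in legitimate traffic) are assumptions.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qsl

# Strong indicators: the query tokens the slide names as Koobface C&C request parameters.
STRONG_TOKENS = {"fbgen", "ldgen", "ppgen"}
# Weak indicator: "captcha" also appears in legitimate traffic, so it is only reported
# for a client that already produced a strong hit (assumed policy, not from the slides).
WEAK_TOKENS = {"captcha"}
# The main C&C address named on slide 21; any contact with it is reported.
KNOWN_CC_HOSTS = {"85.13.206.115"}

# Constructed sample proxy log (assumed format: "<ts> <client> <method> <url> <status>").
SAMPLE_LOG = """\
2010-11-22T10:01:03 10.0.0.12 GET http://relay-a.example.invalid/.sys/?action=fbgen&v=29&uid=1 200
2010-11-22T10:01:05 10.0.0.12 GET http://relay-a.example.invalid/.sys/?action=ldgen&v=29&uid=1 200
2010-11-22T10:02:17 10.0.0.40 GET http://www.example.com/index.html 200
2010-11-22T10:03:44 10.0.0.12 GET http://85.13.206.115/.sys/?action=ppgen&v=29 200
2010-11-22T10:04:02 10.0.0.77 GET http://forms.example.net/signup?captcha=render 200
2010-11-22T10:05:10 10.0.0.12 GET http://relay-b.example.invalid/.sys/?captcha=1 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def query_tokens(url):
    """Return (hostname, set of lower-cased query keys and values) for a URL.

    Keys and values are both checked because the slide only says the URLs
    "contain" the parameters, not on which side of '=' they sit.
    """
    parts = urlsplit(url)
    tokens = set()
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        tokens.add(key.lower())
        tokens.add(value.lower())
    return parts.hostname or "", tokens


def scan_log(text):
    """Return a list of findings, one per suspicious request, in log order."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        host, toks = query_tokens(m["url"])
        records.append((m["ts"], m["client"], host, toks, m["url"]))

    # First pass: which clients have a strong indicator or talked to the known C&C host.
    strong_clients = {
        client for _, client, host, toks, _ in records
        if (toks & STRONG_TOKENS) or host in KNOWN_CC_HOSTS
    }

    # Second pass: build findings; weak tokens count only for already-suspicious clients.
    findings = []
    for ts, client, host, toks, url in records:
        reasons = sorted(toks & STRONG_TOKENS)
        if host in KNOWN_CC_HOSTS:
            reasons.append("known-c2-host")
        if (toks & WEAK_TOKENS) and client in strong_clients:
            reasons.extend(sorted(toks & WEAK_TOKENS))
        if reasons:
            findings.append({"ts": ts, "client": client, "host": host,
                             "url": url, "reasons": reasons})
    return findings


def hits_per_client(findings):
    """Count findings per internal client, to prioritise which hosts to triage first."""
    return Counter(f["client"] for f in findings)


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for f in hits:
        print(f["ts"], f["client"], "->", f["host"], ", ".join(f["reasons"]))
    print(dict(hits_per_client(hits)))
```

On the constructed log, the two relay requests carrying fbgen and ldgen, the request to the C&C address carrying ppgen, and the later captcha request from the same client are reported; the captcha request from the otherwise clean client 10.0.0.77 is not. The two-pass structure is what keeps the weak indicator from flooding an analyst with every legitimate CAPTCHA form on the network.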

Page 25: fbgen

This file determines the contents of the message and the Koobface URL to send to the Facebook friends associated with Facebook accounts found on the compromised computer.

Page 26: ldgen

This file determines what further binaries the compromised host will download from the command and control server.

IP address in a range

Page 27: ppgen

These URLs point to rogue security software affiliates on Google searches for keywords such as Antivirus, best+spyware+remover, and adware+spyware+removal.

It triggers the search hijacker when the user clicks on any of the links returned by Google.

Page 28: CAPTCHA

Koobface uses random samplings of real Facebook profile information stolen from compromised accounts to create fictitious accounts.

The popup window suggests that the computer will shut down if the CAPTCHA is not solved.

Page 29: CAPTCHA

Page 30: Monitoring & Countermeasures

The operators of the Koobface botnet have a system in place to monitor the operations of the botnet and to ensure that it continues to maintain the infrastructure required to operate it.

Page 31: Monitoring & Countermeasures

Page 32: Monitoring & Countermeasures

Koobface carefully monitors its links through the Google Safe Browsing API and checks whether any of its URLs have been flagged as malicious by bit.ly or Facebook.

Page 33: Monitoring & Countermeasures

Page 34: Monitoring Installations

Koobface keeps count of successful installations and traffic generated by the botnet.

Page 35: Monitoring Installations

Page 36: Monitoring Installations

When an Internet user visits a Koobface landing page and installs the malware, the malware connects through a relay server to the C&C and sends the compromised user’s IP address, geographic location, unique identifier, Koobface user identifier, and malware identifier.

This allows Koobface to keep track of malware installations.