Two weeks of training and 14 courses available in San Francisco - Mar. 16-27. Save $300 thru 1/22!

Malware FAQ

Malicious Social Networking: Koobface Worm

Author: Joel Yonts

Koobface on Facebook

The popularity of social networking sites such as MySpace and Facebook has sky rocketed in recent years. Today nearly everyone has a profile and established friends lists that are used to keep tabs on your two hundred closest friends. For most, the motive behind these sites lies somewhere between a genuine interest in keeping in touch with friends and family to keeping up with the latest gossip. This popularity hasn't gone unnoticed to the malcode authors. To these authors, social engineering is a key tactic used to get their wares installed on unsuspecting victims. Social networking sites makes socially engineering victims almost too easy.

The authors of the Koobface (an anagram of Facebook) worm implemented an ingenious system that plays on a victim's interest in getting the dirt on one of their friends. At a high level, an infected user has a new wall post added or messages (Figure 1) are sent to all their friends with words such as "Check out these embarrassing videos of me...". Included with the post is a link where a user can click to get all the juicy photos or video.

Facebook Messages with Links to Koobface

Figure 1: Facebook Messages with Links to Koobface

top^

The embedded link takes you to a dropper site hosting a fresh copy of Koobface ready to be installed on its next victim.

One variant of the infection process highlighted above involves getting a friend request or private message from an unknown individual wanting to become friends or chat. In most cases the profile picture is a scantily clad female looking to share compromising photos of herself and includes a link to her private website. If you haven't guessed already, the link takes you to a dropper site where you can get your personal copy of Koobface.

In most cases the malicious link mentioned above takes you to a YouTube like site that pops a message that you need to install Adobe Flash, a new video codec, or some other plug-in to view the video. Figure 2 is screenshot of a Koobface infection site using this technique.

Koobface Worm Adobe Flash

Figure 2: Koobface Worm Delivered Under the Guise of Adobe Flash

Installing the "update" downloads and infects a new system/user and the cycle continues.

top^

Malware Payload

The Koobface family of malware was first documented by researchers in mid 2008 and has trended as one of the top infectors throughout 2009 up to the current date in early 2010. Koobface's primary propagation method is through social networking sites such as Facebook, Twitter, MySpace, and Friendster. Even though the infection process remains largely the same, the payload and malicious behaviors documented as part of the Koobface infection has varied slightly over this period. Below is a list of some of these behaviors:

  • Stealing login credentials and sessions stored in website cookies
  • Stealing web browser saved passwords
Koobface worm
  • Trick users into solving CAPTCHAs in automated attacks against other systems (Figure 3)
  • Installation of malicious proxy settings used for Ad Hijacking and Click Fraud
  • SPAM and malware distribution
  • Installation of a rogue webserver for command and control (Figure 4)
  • Rogues security software delivery (Figure 5)
top^
Koobface CAPTCHA

Figure 3: CAPTCHAs Served via Koobface

Koobface Malicious Webserver Process

Figure 4: Malicious Webserver Process

Koobface Malicious Webserver Process

Figure 5: FakeAV Pop-up Displayed on Compromised Host

top^

Koobface Defense

A good first line of defense against this family of malware is security awareness. If users are trained to avoid clicking links from unsolicited or suspicious posts and approach installing plug-ins with caution, the social engineering infection vector is severely limited. Trained users combined with reputation based network filtering and locally installed Anti-Malware solutions rounds out a good defense against Koobface. For corporate entities, a ban on non-work related social networking sites may limit the corporate exposure to this family.

Appendix A: Infection Artifacts

The details listed in the previous sections are based in part on research data gathered during the analysis of a recent sample of Koobface:

loader.exe: 441d525538ec30002b0581373c3b7623

The infection process also yielded the follow system and network infection artifacts.

TABLE 2: DROPPER SITE INTERACTION
TCP_HIT/200 72192 GET http://216.xxx.xxx.xxx/.sys/?getexe=loader.exe
TCP_HIT/200 49152 GET http://70.xxx.xxx.xxx/.xm29oep/?getexe=ploader.exe
TCP_HIT/200 259584 GET http://64.xxx.xxx.xxx/.dzhm5b/?getexe=p.exe
TCP_HIT/200 36864 GET http://70.xxx.xxx.xxx/.xm29oep/?getexe=v2captcha21.exe
TCP_HIT/200 103424 GET http://70.xxx.xxx.xxx/.xm29oep/?getexe=cmd.exe
TCP_HIT/200 13824 GET http://70.xxx.xxx.xxx/.xm29oep/?getexe=ws.exe
top^
TABLE 3: FILESYSTEM ADDITIONS
c:/Program Files/webserver/webserver.exe
c:/WINDOWS/bill108.exe
c:/WINDOWS/bill108.exe
c:/WINDOWS/fdgg34353edfgdfdf
c:/WINDOWS/system32/btw_oko.dll
c:/WINDOWS/system32/captcha.dll
c:/WINDOWS/system32/drivers/USBSTOR.SYS
c:/WINDOWS/system32/drivers/etc/hosts
c:/WINDOWS/system32/drivers/klifoko.sys
c:/Documents and Settings/Administrator/Desktop/win_protection_update.exe
(deleted):1.bat
(deleted):3.reg
(deleted):SelfDel.bat
(deleted):win_protection_update.exe
(deleted):rdr_1271939089.exe
(deleted):rdr_1271939101.exe
(deleted):1924656.exe
(deleted):1924656.exe.exe
(deleted):captcha.bat
(deleted):nlokobmove.bat
(deleted):zpskon_1271948510.exe
(deleted):dxxdv34567.bat
top^
TABLE 4: SIGNIFICANT REGISTRY MODIFICATIONS
Keys Added
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_FLTOKOMGR
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_FTDISOKO
HKLM\SYSTEM\ControlSet001\Enum\Root\LEGACY_WEBSERVER
HKLM\SYSTEM\ControlSet001\Services\captcha
HKLM\SYSTEM\ControlSet001\Services\FltOkoMgr
HKLM\SYSTEM\ControlSet001\Services\Ftdisoko
HKLM\SYSTEM\ControlSet001\Services\webserver
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_FLTOKOMGR
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_FTDISOKO
HKLM\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_WEBSERVER
HKLM\SYSTEM\CurrentControlSet\Services\captcha
HKLM\SYSTEM\CurrentControlSet\Services\FltOkoMgr
HKLM\SYSTEM\CurrentControlSet\Services\Ftdisoko
HKLM\SYSTEM\CurrentControlSet\Services\webserver
Values Added
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysfbtray: "c:\windows\bill108.exe"
top^
TABLE 5: NEW SERVICES
SERVICE_NAME: FltOkoMgr
DISPLAY_NAME: Partition Protected Standard
(null)
TYPE: 20 WIN32_SHARE_PROCESS
STATE: 4 RUNNING
(NOT_STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
SERVICE_NAME: captcha
DISPLAY_NAME: captcha
(null)
TYPE :120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS
STATE : 1 STOPPED
(NOT_STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 1077 (0x435)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
SERVICE_NAME: webserver
DISPLAY_NAME: webserver
(null)
TYPE : 20 WIN32_SHARE_PROCESS
STATE : 4 RUNNING
(STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
TABLE 6: MALICIOUS FIREWALL PORT OPENINGS
Port Protocol Mode Name
8085 TCP Enable VMware FilterPort
877 TCP Enable webserver
4000 TCP Enable webserver
53 TCP Enable webserver
top^

Additional Material

A wealth of additional material is available on Koobface. Below is an abbreviated list that can add an additional perspective of this popular malware family.

Win32/Koobface
McAfee, Inc.
Koobface Information on McAffe's Site

W32.Koobface
Symantec, Inc.
Information about Koobface on Symantec's Site

Koobface variant worms across social networking sites
The Register
Koobface Worm Article on The Register Site

Malware FAQ
Latest Whitepapers

Threat Hunting and Discovery: A SANS Review of Vectra Cognito
By Dave Shackleford

Lateral traffic movement in Virtual Private Clouds
By Andy Huang

Defense in Depth: Can Geolocation Help Prevent Tax Fraud?
By Jon Glas

Last 25 Papers »

Latest Tweets @SANSInstitute

New #SANSTraining locations in North America! #SANSPhilade [...]
January 20, 2020 - 5:30 PM

Where can we take #cybersecurity in the new year? Our expert [...]
January 20, 2020 - 5:15 PM

New Blog | Who are the real influencers behind #infosec buyi [...]
January 20, 2020 - 5:05 PM

Contact Us

Mon-Fri: 9am-8pm ET (phone/email)
Sat-Sun: 9am-5pm ET (email only)
301-654-SANS(7267)
info@sans.org

"It has really been an eye opener concerning the depth of security training and awareness that SANS has to offer."
- Michael Hall, Drivesavers

"Because of the use of real-world examples it's easier to apply what you learn."
- Danny Hill, Friedkin Companies, Inc.

"Expertise of the trainer is impressive, real life situations explained, very good manuals. Best training ever!"
- Jerry Robles de Medina, Godo CU