10 things you didn't know about the (Facebook) Koobface gang

Dancho Danchev







Click here to see a gallery of Koobface pranks

With Koobface continuing to spreading across Facebook by utilizing hundreds of compromised sites as infection vectors, next to using them as
distributed hosting infrastructure in an attempt to undermine potential
take down activities, a common misconception regarding the gang’s
activities shifts the attention from their true participating within
the underground ecosystem.

The intensive multitasking on behalf of the Koobface gang, next to the fact that the Koobface botnet is the tip of the iceberg for their malicious operations, prompts the publishing of this top 10 things you
didn’t know about the Koobface gang list.

Some are funny, others are disturbing, the majority indicate a cybercrime ecosystem that actively keeps itself up-to-date with the very latest research profiling it, by reading the blogs of security
vendors and researchers.

01. The gang is connected to, probably maintaining the click-fraud facilitating Bahama botnet

In September, 2009, researchers from ClickForensics established an interesting connection between the Bahama botnet — the name comes from the 200,000 parked domain sites located in the Bahamas where they were redirecting the traffic to — between what I
refer to as my “Ukrainian fan club” due to the offensive messages they were including in the redirectors every time I exposed and shut down one of their campaigns.

Malware samples pushed by the Koobface botnet, were modifying HOSTS..., in an attempt to redirect the user into a bogus Google featuring pharmaceutical ads, as well as related cybercrime-friendly search engines in order to monetize the hijacke.... The “Ukrainian fan club” itself, appears to be the blackhat SEO department for the Koobface gang, whose connections to the following
campaigns, as well as the multiple connections linking it to the then
centralized Koobface infrastructure, resulted in the take down of the Koobface-friendly Riccom LTD - AS29550 in December, 2009.

How did the gang respond? With a bold sense of humor.

02. Despite their steady revenue flow from sales of scareware, the gang once used trial software to take a screenshot of a YouTube video

Just when you start thinking that quality assurance is daily routine for these botnet masters, imagine my surprise when an October, 2009 spoof of YouTube page, was actually a screenshot taken by using a trial version of the HyperSnap.

The result? A “Created with HyperSnap 6. To avoid this stamp, buy a license” at the bottom of the screenshot, shown to everyone visiting a Koobface infected hosting serving it. The entire YouTube spoof was basically a
screenshot taken from a legitimate video page, with the spoofed Adobe
error message, being the only part of it that was clickable.

03. The Koobface gang was behind the malvertising attack the hit the web site of the New York Times in September

Data and real-time OSINT (open source intelligence) analysis speaks for itself. With ClickForensics establishing a connection between my “Ukrainian fan club” the Bahama botnet, and the malvertising attacks, the assessment of the incident further confirmed this connection based on historical OSINT gathered from their previous blackhat SEO campaigns.

The Koobface/Ukrainian fan club connection? The same redirector used in the NYTimes malvertising attack, was not only simultaneously found on Koobface infected hosts, but was also profiled a month earlier in the “Dissecting the Ongoing U.S Federal Forms Themed Blackhat SEO Campaign“, a blackhat SEO campaign maintained by them.

04. The gang conducted a several hours experiment in November, 2009 when for the first time ever client-side exploits were embedded on Koobface-serving compromised hosts

With Koobface representing a case-study on successful propagation across social networking sites, relying on social engineering only, in
November, for the first time ever, they conducted an experiment lasting several hours, where client-side ex... on Koobface infected hosts.

Sampled exploits included VBS/Psyme.BM; Exploit.Pidief.EX; Exploit.Win32.IMG-WMF, moreover, despite the Koobface gang’s claim — more on that claim and their bold sense of humor in an upcoming poing —
on the very same IP hosting the exploit serving domain, there was an
active Zeus crimeware campaign.

By embedding these particular domains, the gang also exposed an affiliation with an author of a popular web malware exploitation kit. Whether the experiment was meant to test its exploitation capabilities
before the gang would start serving exploits permanently remains
unknown. A few hours after their experiment was exposed, they suspended
it.

05. The Koobface gang was behind the massive (1+ million affected web sites) scareware serving campaign in November, 2009

Remember the massive blackhat SEO campaign from November, 2009, where 1+ million web sites were found compromised and serving scareware?

Real-time monitoring of the campaign, and cross checking the data with real-time monitoring of Koobface activity revealed an interesting observation. The redirectors embedded on the compromised web sites, are also the sam..., both pushing scareware.


MORE





Views: 63

Comment

You need to be a member of 12160 Social Network to add comments!

Join 12160 Social Network

"Destroying the New World Order"

TOP CONTENT THIS WEEK

THANK YOU FOR SUPPORTING THE SITE!

mobile page

12160.info/m

12160 Administrators

 

Latest Activity

Doc Vega posted a blog post

Modern Progress

 From some things you just can’t come backNot everyone has your backIt might just be a nuclear…See More
14 hours ago
Bob of the Family Renner favorited tjdavis's photo
16 hours ago
Less Prone favorited Sandy's discussion Sick sci-fi sex fantasy written by Epstein's first benefactor people say inspired his twisted island... before author's SON ended up arresting him
19 hours ago
Doc Vega commented on tjdavis's photo
Thumbnail

Now Playing

"They sure as hell are! "
yesterday
Doc Vega commented on Doc Vega's blog post Plausible Explanation Behind Recent Cryptid Sightings in the Wild!
"cheeki kea, yes they have already produced a Wooly Mammoth by crossing DNA from frozen remains in…"
yesterday
Less Prone favorited tjdavis's photo
yesterday
Less Prone favorited Bob of the Family Renner's photo
Wednesday
Less Prone favorited tjdavis's photo
Wednesday
Less Prone left a comment for Misteri
"Welcome back!"
Wednesday
tjdavis posted blog posts
Wednesday
tjdavis posted photos
Wednesday
tjdavis posted a video

The Inversion: The 'Sentient World Simulation' (SWS)

Kingsley L. Dennis discussing subjects from his new book - 'The Inversion: How We Have Been Tricked into Perceiving a False Reality' (published September 26,...
Wednesday
Doc Vega posted a blog post

Major Technical Developments in 1960 and a Major CIA Disclosure

 In 1960, there were some very significant changes in science, flight research, and oceanography…See More
Monday
Doc Vega's 5 blog posts were featured
Monday
Less Prone favorited Doc Vega's blog post The Saga of Joe Adams May Have Solved What's Behind the Numerous Disappearances Going on in our National Forests
Monday
Zfort Group posted a blog post
Monday
Misteri joined Central Scrutinizer's group
Monday
Misteri joined Machinegunmomma's group
Thumbnail

The Gathering

A place to meet and share contact information with people in your area as an emergency back up…See More
Monday
Misteri is now friends with bob hob and Vladimir Putin
Monday
Misteri updated their profile
Monday

© 2025   Created by truth.   Powered by

Badges  |  Report an Issue  |  Terms of Service

content and site copyright 12160.info 2007-2019 - all rights reserved. unless otherwise noted