10 things you didn't know about the (Facebook) Koobface gang

Dancho Danchev

Click here to see a gallery of Koobface pranks

With Koobface continuing to spreading across Facebook by utilizing hundreds of compromised sites as infection vectors, next to using them as
distributed hosting infrastructure in an attempt to undermine potential
take down activities, a common misconception regarding the gang’s
activities shifts the attention from their true participating within
the underground ecosystem.

The intensive multitasking on behalf of the Koobface gang, next to the fact that the Koobface botnet is the tip of the iceberg for their malicious operations, prompts the publishing of this top 10 things you
didn’t know about the Koobface gang list.

Some are funny, others are disturbing, the majority indicate a cybercrime ecosystem that actively keeps itself up-to-date with the very latest research profiling it, by reading the blogs of security
vendors and researchers.

01. The gang is connected to, probably maintaining the click-fraud facilitating Bahama botnet

In September, 2009, researchers from ClickForensics established an interesting connection between the Bahama botnet — the name comes from the 200,000 parked domain sites located in the Bahamas where they were redirecting the traffic to — between what I
refer to as my “Ukrainian fan club” due to the offensive messages they were including in the redirectors every time I exposed and shut down one of their campaigns.

Malware samples pushed by the Koobface botnet, were modifying HOSTS..., in an attempt to redirect the user into a bogus Google featuring pharmaceutical ads, as well as related cybercrime-friendly search engines in order to monetize the hijacke.... The “Ukrainian fan club” itself, appears to be the blackhat SEO department for the Koobface gang, whose connections to the following
campaigns, as well as the multiple connections linking it to the then
centralized Koobface infrastructure, resulted in the take down of the Koobface-friendly Riccom LTD - AS29550 in December, 2009.

How did the gang respond? With a bold sense of humor.

02. Despite their steady revenue flow from sales of scareware, the gang once used trial software to take a screenshot of a YouTube video

Just when you start thinking that quality assurance is daily routine for these botnet masters, imagine my surprise when an October, 2009 spoof of YouTube page, was actually a screenshot taken by using a trial version of the HyperSnap.

The result? A “Created with HyperSnap 6. To avoid this stamp, buy a license” at the bottom of the screenshot, shown to everyone visiting a Koobface infected hosting serving it. The entire YouTube spoof was basically a
screenshot taken from a legitimate video page, with the spoofed Adobe
error message, being the only part of it that was clickable.

03. The Koobface gang was behind the malvertising attack the hit the web site of the New York Times in September

Data and real-time OSINT (open source intelligence) analysis speaks for itself. With ClickForensics establishing a connection between my “Ukrainian fan club” the Bahama botnet, and the malvertising attacks, the assessment of the incident further confirmed this connection based on historical OSINT gathered from their previous blackhat SEO campaigns.

The Koobface/Ukrainian fan club connection? The same redirector used in the NYTimes malvertising attack, was not only simultaneously found on Koobface infected hosts, but was also profiled a month earlier in the “Dissecting the Ongoing U.S Federal Forms Themed Blackhat SEO Campaign“, a blackhat SEO campaign maintained by them.

04. The gang conducted a several hours experiment in November, 2009 when for the first time ever client-side exploits were embedded on Koobface-serving compromised hosts

With Koobface representing a case-study on successful propagation across social networking sites, relying on social engineering only, in
November, for the first time ever, they conducted an experiment lasting several hours, where client-side ex... on Koobface infected hosts.

Sampled exploits included VBS/Psyme.BM; Exploit.Pidief.EX; Exploit.Win32.IMG-WMF, moreover, despite the Koobface gang’s claim — more on that claim and their bold sense of humor in an upcoming poing —
on the very same IP hosting the exploit serving domain, there was an
active Zeus crimeware campaign.

By embedding these particular domains, the gang also exposed an affiliation with an author of a popular web malware exploitation kit. Whether the experiment was meant to test its exploitation capabilities
before the gang would start serving exploits permanently remains
unknown. A few hours after their experiment was exposed, they suspended
it.

05. The Koobface gang was behind the massive (1+ million affected web sites) scareware serving campaign in November, 2009

Remember the massive blackhat SEO campaign from November, 2009, where 1+ million web sites were found compromised and serving scareware?

Real-time monitoring of the campaign, and cross checking the data with real-time monitoring of Koobface activity revealed an interesting observation. The redirectors embedded on the compromised web sites, are also the sam..., both pushing scareware.

Favorite

0 members favorited this