10 things you didn't know about the (Facebook) Koobface gang

Dancho Danchev







Click here to see a gallery of Koobface pranks

With Koobface continuing to spreading across Facebook by utilizing hundreds of compromised sites as infection vectors, next to using them as
distributed hosting infrastructure in an attempt to undermine potential
take down activities, a common misconception regarding the gang’s
activities shifts the attention from their true participating within
the underground ecosystem.

The intensive multitasking on behalf of the Koobface gang, next to the fact that the Koobface botnet is the tip of the iceberg for their malicious operations, prompts the publishing of this top 10 things you
didn’t know about the Koobface gang list.

Some are funny, others are disturbing, the majority indicate a cybercrime ecosystem that actively keeps itself up-to-date with the very latest research profiling it, by reading the blogs of security
vendors and researchers.

01. The gang is connected to, probably maintaining the click-fraud facilitating Bahama botnet

In September, 2009, researchers from ClickForensics established an interesting connection between the Bahama botnet — the name comes from the 200,000 parked domain sites located in the Bahamas where they were redirecting the traffic to — between what I
refer to as my “Ukrainian fan club” due to the offensive messages they were including in the redirectors every time I exposed and shut down one of their campaigns.

Malware samples pushed by the Koobface botnet, were modifying HOSTS..., in an attempt to redirect the user into a bogus Google featuring pharmaceutical ads, as well as related cybercrime-friendly search engines in order to monetize the hijacke.... The “Ukrainian fan club” itself, appears to be the blackhat SEO department for the Koobface gang, whose connections to the following
campaigns, as well as the multiple connections linking it to the then
centralized Koobface infrastructure, resulted in the take down of the Koobface-friendly Riccom LTD - AS29550 in December, 2009.

How did the gang respond? With a bold sense of humor.

02. Despite their steady revenue flow from sales of scareware, the gang once used trial software to take a screenshot of a YouTube video

Just when you start thinking that quality assurance is daily routine for these botnet masters, imagine my surprise when an October, 2009 spoof of YouTube page, was actually a screenshot taken by using a trial version of the HyperSnap.

The result? A “Created with HyperSnap 6. To avoid this stamp, buy a license” at the bottom of the screenshot, shown to everyone visiting a Koobface infected hosting serving it. The entire YouTube spoof was basically a
screenshot taken from a legitimate video page, with the spoofed Adobe
error message, being the only part of it that was clickable.

03. The Koobface gang was behind the malvertising attack the hit the web site of the New York Times in September

Data and real-time OSINT (open source intelligence) analysis speaks for itself. With ClickForensics establishing a connection between my “Ukrainian fan club” the Bahama botnet, and the malvertising attacks, the assessment of the incident further confirmed this connection based on historical OSINT gathered from their previous blackhat SEO campaigns.

The Koobface/Ukrainian fan club connection? The same redirector used in the NYTimes malvertising attack, was not only simultaneously found on Koobface infected hosts, but was also profiled a month earlier in the “Dissecting the Ongoing U.S Federal Forms Themed Blackhat SEO Campaign“, a blackhat SEO campaign maintained by them.

04. The gang conducted a several hours experiment in November, 2009 when for the first time ever client-side exploits were embedded on Koobface-serving compromised hosts

With Koobface representing a case-study on successful propagation across social networking sites, relying on social engineering only, in
November, for the first time ever, they conducted an experiment lasting several hours, where client-side ex... on Koobface infected hosts.

Sampled exploits included VBS/Psyme.BM; Exploit.Pidief.EX; Exploit.Win32.IMG-WMF, moreover, despite the Koobface gang’s claim — more on that claim and their bold sense of humor in an upcoming poing —
on the very same IP hosting the exploit serving domain, there was an
active Zeus crimeware campaign.

By embedding these particular domains, the gang also exposed an affiliation with an author of a popular web malware exploitation kit. Whether the experiment was meant to test its exploitation capabilities
before the gang would start serving exploits permanently remains
unknown. A few hours after their experiment was exposed, they suspended
it.

05. The Koobface gang was behind the massive (1+ million affected web sites) scareware serving campaign in November, 2009

Remember the massive blackhat SEO campaign from November, 2009, where 1+ million web sites were found compromised and serving scareware?

Real-time monitoring of the campaign, and cross checking the data with real-time monitoring of Koobface activity revealed an interesting observation. The redirectors embedded on the compromised web sites, are also the sam..., both pushing scareware.


MORE





Views: 61

Comment

You need to be a member of 12160 Social Network to add comments!

Join 12160 Social Network

"Destroying the New World Order"

TOP CONTENT THIS WEEK

THANK YOU FOR SUPPORTING THE SITE!

mobile page

12160.info/m

12160 Administrators

 

Latest Activity

Doc Vega posted a blog post

One of Many Witnesses to the JFK Assassination Not Listed in the Warren Report

In an interview by Attorney Mark Lane James Leon Simmons, a railroad worker, who like many…See More
14 minutes ago
Burbia commented on KLC's group MUSICWARS
18 hours ago
Doc Vega posted a blog post

The Unnerving Frequency of Disappearances on the Appalachian Trail Pt. 1

There’s another one of the cluster zones of missing persons reports that fails to render the…See More
yesterday
cheeki kea commented on cheeki kea's photo
Thumbnail

Waste runs deep

"Make USAID - go away."
yesterday
cheeki kea posted a photo
yesterday
cheeki kea commented on cheeki kea's photo
Thumbnail

$ Paid Annual Leave $

"Now is the Time for American Workers to Unite! Take back the squandered taxes and demand time off…"
Monday
cheeki kea posted a photo
Monday
Burbia commented on Burbia's blog post Mystery illness strikes Russia with fever, blood symptoms, and no cure in sight.
Monday
Burbia posted a blog post

Mystery illness strikes Russia with fever, blood symptoms, and no cure in sight.

I guess releasing this bio-weapon upon Israeli neighbors would be hitting too close to home. I…See More
Monday
tjdavis posted videos
Monday
tjdavis posted a video

The Electric State | Final Trailer | Netflix

Together, robots & humans can take the whole system down. THE ELECTRIC STATE starring Millie Bobby Brown, Chris Pratt and directed by the Russo Brothers, onl...
Sunday
Less Prone favorited Sandy's video
Saturday
Doc Vega's 7 blog posts were featured
Saturday
tjdavis's blog post was featured
Saturday
Sandy posted a video

"Mommy Tells Me I'm a Girl"-Jeff Younger

Soft White Underbelly interview and portrait of Jeff Younger, a father who is fighting to protect his son from transitioning into a girl. Get 40% off access ...
Saturday
tjdavis posted a video

MindWar: Full Spectrum Cognitive Dominance [Michael Aquino Analysis]

This is my analysis and my thoughts on Michael Aquino's "MindWar". This document is a must-read if you are looking to understand the psyop tactics and cognit...
Saturday
Doc Vega posted a blog post

A Horrid Murder at Land Between the Lakes (Sasquatch?)

 Most of us hear that Sasquatch-Bigfoot are intelligent yet reclusive creatures that are closely…See More
Mar 28
Doc Vega posted blog posts
Mar 27
cheeki kea commented on cheeki kea's video
Thumbnail

Metropolis (1927) Full Movie | 4K Color Remastered: 2023 Colorized with Gottfried Huppertz Score

"Hey thanks for the thumbs up guys. I was blown away (like a leaf in a tornado) when I watched this…"
Mar 27
tjdavis favorited cheeki kea's video
Mar 27

© 2025   Created by truth.   Powered by

Badges  |  Report an Issue  |  Terms of Service

content and site copyright 12160.info 2007-2019 - all rights reserved. unless otherwise noted