10 things you didn't know about the (Facebook) Koobface gang

Dancho Danchev







Click here to see a gallery of Koobface pranks

With Koobface continuing to spreading across Facebook by utilizing hundreds of compromised sites as infection vectors, next to using them as
distributed hosting infrastructure in an attempt to undermine potential
take down activities, a common misconception regarding the gang’s
activities shifts the attention from their true participating within
the underground ecosystem.

The intensive multitasking on behalf of the Koobface gang, next to the fact that the Koobface botnet is the tip of the iceberg for their malicious operations, prompts the publishing of this top 10 things you
didn’t know about the Koobface gang list.

Some are funny, others are disturbing, the majority indicate a cybercrime ecosystem that actively keeps itself up-to-date with the very latest research profiling it, by reading the blogs of security
vendors and researchers.

01. The gang is connected to, probably maintaining the click-fraud facilitating Bahama botnet

In September, 2009, researchers from ClickForensics established an interesting connection between the Bahama botnet — the name comes from the 200,000 parked domain sites located in the Bahamas where they were redirecting the traffic to — between what I
refer to as my “Ukrainian fan club” due to the offensive messages they were including in the redirectors every time I exposed and shut down one of their campaigns.

Malware samples pushed by the Koobface botnet, were modifying HOSTS..., in an attempt to redirect the user into a bogus Google featuring pharmaceutical ads, as well as related cybercrime-friendly search engines in order to monetize the hijacke.... The “Ukrainian fan club” itself, appears to be the blackhat SEO department for the Koobface gang, whose connections to the following
campaigns, as well as the multiple connections linking it to the then
centralized Koobface infrastructure, resulted in the take down of the Koobface-friendly Riccom LTD - AS29550 in December, 2009.

How did the gang respond? With a bold sense of humor.

02. Despite their steady revenue flow from sales of scareware, the gang once used trial software to take a screenshot of a YouTube video

Just when you start thinking that quality assurance is daily routine for these botnet masters, imagine my surprise when an October, 2009 spoof of YouTube page, was actually a screenshot taken by using a trial version of the HyperSnap.

The result? A “Created with HyperSnap 6. To avoid this stamp, buy a license” at the bottom of the screenshot, shown to everyone visiting a Koobface infected hosting serving it. The entire YouTube spoof was basically a
screenshot taken from a legitimate video page, with the spoofed Adobe
error message, being the only part of it that was clickable.

03. The Koobface gang was behind the malvertising attack the hit the web site of the New York Times in September

Data and real-time OSINT (open source intelligence) analysis speaks for itself. With ClickForensics establishing a connection between my “Ukrainian fan club” the Bahama botnet, and the malvertising attacks, the assessment of the incident further confirmed this connection based on historical OSINT gathered from their previous blackhat SEO campaigns.

The Koobface/Ukrainian fan club connection? The same redirector used in the NYTimes malvertising attack, was not only simultaneously found on Koobface infected hosts, but was also profiled a month earlier in the “Dissecting the Ongoing U.S Federal Forms Themed Blackhat SEO Campaign“, a blackhat SEO campaign maintained by them.

04. The gang conducted a several hours experiment in November, 2009 when for the first time ever client-side exploits were embedded on Koobface-serving compromised hosts

With Koobface representing a case-study on successful propagation across social networking sites, relying on social engineering only, in
November, for the first time ever, they conducted an experiment lasting several hours, where client-side ex... on Koobface infected hosts.

Sampled exploits included VBS/Psyme.BM; Exploit.Pidief.EX; Exploit.Win32.IMG-WMF, moreover, despite the Koobface gang’s claim — more on that claim and their bold sense of humor in an upcoming poing —
on the very same IP hosting the exploit serving domain, there was an
active Zeus crimeware campaign.

By embedding these particular domains, the gang also exposed an affiliation with an author of a popular web malware exploitation kit. Whether the experiment was meant to test its exploitation capabilities
before the gang would start serving exploits permanently remains
unknown. A few hours after their experiment was exposed, they suspended
it.

05. The Koobface gang was behind the massive (1+ million affected web sites) scareware serving campaign in November, 2009

Remember the massive blackhat SEO campaign from November, 2009, where 1+ million web sites were found compromised and serving scareware?

Real-time monitoring of the campaign, and cross checking the data with real-time monitoring of Koobface activity revealed an interesting observation. The redirectors embedded on the compromised web sites, are also the sam..., both pushing scareware.


MORE





Views: 63

Comment

You need to be a member of 12160 Social Network to add comments!

Join 12160 Social Network

"Destroying the New World Order"

TOP CONTENT THIS WEEK

THANK YOU FOR SUPPORTING THE SITE!

mobile page

12160.info/m

12160 Administrators

 

Latest Activity

Less Prone favorited Burbia's video
2 hours ago
Less Prone replied to Burbia's discussion Trump Receives Marching Orders
"Bullets can be effective in reinforcing ownership."
4 hours ago
Burbia posted a discussion

Trump Receives Marching Orders

Netanyahu has made 3 visits to the White house since Trump's second term as President of the United…See More
9 hours ago
Burbia commented on Burbia's video
Thumbnail

Ben Shapiro Just LOST HIS MIND — There's No Coming Back From This

"Omg. The Ben Shapiro voice that Luke is imitating here couldn't be any more comedic to…"
18 hours ago
Burbia posted a video

Ben Shapiro Just LOST HIS MIND — There's No Coming Back From This

Get the magnesium your body needs - https://wearechange.shop/product/magnesium-glycinate/Ben Shapiro Just LOST HIS MIND — There's No Coming Back From ThisHig...
19 hours ago
cheeki kea posted photos
yesterday
Doc Vega posted blog posts
yesterday
Burbia posted a video

A few reasons I don’t like jews. It’s not complicated.

These are the reasons I became antisemitic. It’s not complicated. Sure, I could go on for days, weeks, months outlining everything, but I don’t need to. This...
Monday
Doc Vega commented on Doc Vega's blog post Unusual Discoveries and Headlines
"Less Prone, Thanks Buddy! I'd like to volunteer as a historical reconstructionist! "
Sunday
Less Prone left a comment for t.me/TheIntelligenceLibrary
"Welcome to a revolutionary concept in public communication, the truth."
Sunday
pohonemas33 team is now a member of 12160 Social Network
Sunday
Less Prone favorited cheeki kea's discussion Tartaria
Sunday
tjdavis's 2 blog posts were featured
Sunday
Doc Vega's 7 blog posts were featured
Sunday
Less Prone commented on Doc Vega's blog post Unusual Discoveries and Headlines
"Some incredible pieces of history!"
Sunday
Less Prone favorited Doc Vega's blog post Unusual Discoveries and Headlines
Sunday
tjdavis posted a blog post
Sunday
Doc Vega posted a blog post

First Week of July 1947 an Inflexion Point for Humanity!

The year is 1947 and sometime around July 4th the anniversary of the birth our nation, when a…See More
Saturday
Doc Vega commented on Doc Vega's blog post Government Issued Wearables? What’s Wrong With this Picture?
"cheeki kea Ha! Good one!"
Friday
tjdavis posted a video

This is Paris Now… You Won’t See This in the Tourist Brochures

In this video, I take you through Marché Barbès and its surrounding neighbourhoods — an area that reflects the modern, complex face of Paris most tourists ne...
Friday

© 2025   Created by truth.   Powered by

Badges  |  Report an Issue  |  Terms of Service

content and site copyright 12160.info 2007-2019 - all rights reserved. unless otherwise noted