10 things you didn't know about the (Facebook) Koobface gang

Dancho Danchev

With Koobface continuing to spread across Facebook by utilizing hundreds of compromised sites as infection vectors, next to using them as distributed hosting infrastructure in an attempt to undermine potential take down activities, a common misconception regarding the gang’s activities shifts the attention away from their true participation within the underground ecosystem.

The intensive multitasking on behalf of the Koobface gang, next to the fact that the Koobface botnet is only the tip of the iceberg of their malicious operations, prompts the publishing of this list of top 10 things you didn’t know about the Koobface gang.

Some are funny, others are disturbing, and the majority indicate a cybercrime ecosystem that actively keeps itself up to date with the very latest research profiling it, by reading the blogs of security vendors and researchers.

01. The gang is connected to, and probably maintains, the click-fraud facilitating Bahama botnet

In September, 2009, researchers from ClickForensics established an interesting connection between the Bahama botnet — the name comes from the 200,000 parked domain sites located in the Bahamas to which they were redirecting the traffic — and what I refer to as my “Ukrainian fan club”, due to the offensive messages they were including in the redirectors every time I exposed and shut down one of their campaigns.

Malware samples pushed by the Koobface botnet were modifying HOSTS... in an attempt to redirect the user to a bogus Google featuring pharmaceutical ads, as well as to related cybercrime-friendly search engines, in order to monetize the hijacke.... The “Ukrainian fan club” itself appears to be the blackhat SEO department of the Koobface gang, whose connections to the following campaigns, as well as the multiple connections linking it to the then centralized Koobface infrastructure, resulted in the take down of the Koobface-friendly Riccom LTD - AS29550 in December, 2009.

How did the gang respond? With a bold sense of humor.
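The HOSTS-file hijack described above is something an endpoint check can catch. The following is an added Python example, not code from the original post or from any of the campaigns it describes: it parses HOSTS-format text and reports watched hostnames pinned to anything other than the loopback or unspecified sinkhole addresses. The watchlist and the sample file are constructed; the 203.0.113.x address is documentation space, not a real indicator.

```python
import ipaddress

# Constructed watchlist of hostnames a user would not expect to be overridden
# by the HOSTS file. The page names Google as the hijacked brand; the rest
# are assumptions for illustration.
WATCHED_DOMAINS = {"google.com", "www.google.com", "bing.com", "www.bing.com"}

# Constructed sample HOSTS file: a stock loopback entry, a harmless local
# development entry, and two entries of the kind a redirecting sample writes.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       dev.example.test
# constructed entries, not real indicators
203.0.113.10    google.com www.google.com
203.0.113.10    bing.com
"""


def parse_hosts(text):
    """Yield (ip_address, hostname) pairs from HOSTS-format text.

    Comments are stripped, blank lines skipped, and lines whose first field
    is not a valid IPv4/IPv6 address are ignored rather than raising.
    """
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed line, not an address
        for name in fields[1:]:
            yield ip, name.lower().rstrip(".")


def find_hijacked_entries(text, watched=WATCHED_DOMAINS):
    """Return [(hostname, ip)] for watched names mapped to a real address.

    Loopback (127.0.0.1, ::1) and unspecified (0.0.0.0) mappings are the
    classic ad-blocking sinkhole pattern and are not reported; anything
    else pins a watched brand to a host the attacker controls.
    """
    findings = []
    for ip, name in parse_hosts(text):
        if name not in watched and not any(name.endswith("." + w) for w in watched):
            continue
        if ip.is_loopback or ip.is_unspecified:
            continue
        findings.append((name, str(ip)))
    return findings
```

On a live Windows host the input would be the contents of %SystemRoot%\System32\drivers\etc\hosts; the watchlist should be extended with the organization's own domains and its security vendors' update hosts.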

02. Despite their steady revenue flow from sales of scareware, the gang once used trial software to take a screenshot of a YouTube video

Just when you start thinking that quality assurance is daily routine for these botnet masters, imagine my surprise when an October, 2009 spoof of a YouTube page turned out to be a screenshot taken with a trial version of HyperSnap.

The result? A “Created with HyperSnap 6. To avoid this stamp, buy a license” stamp at the bottom of the screenshot, shown to everyone visiting a Koobface-infected host serving it. The entire YouTube spoof was basically a screenshot taken from a legitimate video page, with the spoofed Adobe error message being the only part of it that was clickable.

03. The Koobface gang was behind the malvertising attack that hit the web site of the New York Times in September

Data and real-time OSINT (open source intelligence) analysis speak for themselves. With ClickForensics establishing a connection between my “Ukrainian fan club”, the Bahama botnet, and the malvertising attacks, the assessment of the incident further confirmed this connection based on historical OSINT gathered from their previous blackhat SEO campaigns.

The Koobface/Ukrainian fan club connection? The same redirector used in the NYTimes malvertising attack was not only simultaneously found on Koobface-infected hosts, but was also profiled a month earlier in “Dissecting the Ongoing U.S Federal Forms Themed Blackhat SEO Campaign”, a blackhat SEO campaign maintained by them.

04. The gang conducted a several-hour experiment in November, 2009 when, for the first time ever, client-side exploits were embedded on Koobface-serving compromised hosts

With Koobface representing a case study on successful propagation across social networking sites relying on social engineering only, in November, for the first time ever, they conducted an experiment lasting several hours, where client-side ex... on Koobface infected hosts.

Sampled exploits included VBS/Psyme.BM; Exploit.Pidief.EX; Exploit.Win32.IMG-WMF. Moreover, despite the Koobface gang’s claim — more on that claim and their bold sense of humor in an upcoming point — on the very same IP hosting the exploit-serving domain there was an active Zeus crimeware campaign.

By embedding these particular domains, the gang also exposed an affiliation with the author of a popular web malware exploitation kit. Whether the experiment was meant to test its exploitation capabilities before the gang would start serving exploits permanently remains unknown. A few hours after their experiment was exposed, they suspended it.

05. The Koobface gang was behind the massive (1+ million affected web sites) scareware serving campaign in November, 2009

Remember the massive blackhat SEO campaign from November, 2009, where 1+ million web sites were found compromised and serving scareware?

Real-time monitoring of the campaign, and cross-checking the data with real-time monitoring of Koobface activity, revealed an interesting observation. The redirectors embedded on the compromised web sites are also the sam..., both pushing scareware.

