It was a cold Sunday so I decided to play a little bit with Koobface’s captcha breaking infrastructure.
I asked myself: Is it possible to poison Koobface’s captcha breaking infrastructure by spoofing captcha results? As I documented in my post Koobface – the social network trojan, the captcha breaking process used by the trojan Koobface works as follows:
- A bot would like to create a spoofed account (on Blogspot, Facebook, Myspace or whatever)
- The register page is protected with a captcha – so the bot grabs it and sends it to the C&C server (uuu20091124.info)
- Another infected computer asks the C&C server for work to do at the same time
- The C&C server sends the captcha to the infected client where the user of the computer solves the captcha
- The infected computer sends the result of the captcha back to the C&C
- The bot that originally sent the captcha now asks the C&C server if there is already a resolution for the captcha
- If so, the C&C server returns the result of the captcha back to the bot
- The bot can successfully register the spoofed account.
It’s pretty simple, so I decided to write a small script which simulates Koobface’s captcha breaking module (v2captcha.exe).
After writing some lines of code, I ran my script. The script just asks the C&C server for new captchas to break, generates spoofed captcha results and sends them back to the C&C server:
 190.xxx.xxx.xxx:80 -> badboys -> 21303101 -> Success (146)
 200.xxx.xxx.xxx:3128 -> badboys -> 21302809 -> Success (147)
 191.xxx.xxx.xxx:8090 -> badboys -> 21303105 -> Success (148)
 58.xxx.xxx.xxx:80 -> badboys -> 21302778 -> Success (149)
 71.xxx.xxx.xxx:3128 -> badboys -> 21302802 -> Success (150)
 64.xxx.xxx.xxx:8080 -> badboys -> 21302801 -> Success (151)
 212.xxx.xxx.xxx:81 -> badboys -> 21303079 -> Success (152)
 84.xxx.xxx.xxx:80 -> badboys -> 2130312 -> Success (153)
 93.xxx.xxx.xxx:8080 -> badboys -> 21303115 -> Success (154)
 77.xxx.xxx.xxx:3128 -> badboys -> 21302775 -> Success (155)
Some words about the output of the script: the value [xx] is the thread ID of the process, followed by proxy:port, followed by a string (“badboys”) that’s returned as the faked solution for the captcha, the TaskID (previously received from the C&C server), the response of the C&C server and finally the number of spoofed captchas so far.
To make sure that the spoofed captchas are really accepted by the Koobface Command&Control server (C&C), I just infected a computer with Koobface’s Blogspot module (v2newblogger.exe), which is being used to create faked Blogspot accounts. Afterwards I started my script again.
First of all the infected computer tries to register a new Blogspot account. As expected, the trojan grabs the captcha and sends it to the C&C server uuu20091124.info by using an HTTP POST and calling the action save (a=save).
The C&C server responds with an HTTP 200 OK and returns a TaskID:
Date: Sun, 17 Jan 2010 16:12:19 GMT
Server: Apache/1.3.41 (Unix)
As you can see, the C&C server told the bot to use the TaskID 21300807 for further requests concerning this job.
In parallel, our script diligently asks for new tasks and “solves” them by sending a faked string back to the server. After a few seconds that looks like this:
 78.xxx.xxx.xxx:3128 -> badboys -> 21300812 -> Success (1331)
 200.xxx.xxx.xxx:81 -> badboys -> 21300807 -> Success (1332)
 41.xxx.xxx.xxx:8080 -> badboys -> 21300776 -> Success (1333)
 94.xxx.xxx.xxx:3128 -> Unsuccessful
 174.xxx.xxx.xxx:80 -> badboys -> 21300802 -> Success (1334)
Did you see it? Our script received the captcha with the TaskID 21300807 and has sent back the word “badboys” as resolution. That’s the captcha from our bot! Now let’s go back to the bot and check what answer it gets from the C&C server for the captcha submitted a few seconds before:
The bot asks the server if the captcha is already solved by calling the action “query” (a=query) and using the TaskID 21300807. The C&C server responds:
Server: Apache/1.3.41 (Unix)
Strike! The bot received “badboys” as the resolution of the captcha – the captcha spoofing works!
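For the defender’s side of this: the C&C dialogue above is plain HTTP to a single host, with the action in the query string (a=save to upload a captcha, a=query to fetch the answer), so it is easy to spot in proxy logs. The following scanner is an added example written for this post, not code from the post or from Koobface. It flags requests to the C&C host and reports every client that performed both actions, i.e. the full captcha-breaking cycle of an infected machine. The simplified “client method url” log format, the sample lines, the /captcha/ path and the id= parameter carrying the TaskID are constructed assumptions; only the hostname and the a=save / a=query actions come from the post.

```python
"""Proxy-log check for the Koobface captcha C&C pattern (added example, not the post's code)."""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# C&C hostname as given in the post
CNC_HOSTS = {"uuu20091124.info"}

# Constructed, simplified proxy-log format: "<client ip> <method> <url>"
LINE_RE = re.compile(r"^(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)")

# Constructed sample log; the /captcha/ path and the id= parameter are assumptions
SAMPLE_LOG = """\
10.0.0.5 POST http://uuu20091124.info/captcha/?a=save
10.0.0.5 GET http://uuu20091124.info/captcha/?a=query&id=21300807
10.0.0.9 GET http://www.example.com/index.html
10.0.0.12 GET http://uuu20091124.info/captcha/?a=query&id=21300812
""".splitlines()


def classify(line):
    """Return (client, action, task_id) for a C&C save/query request, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("url"))
    if url.hostname not in CNC_HOSTS:
        return None
    qs = parse_qs(url.query)
    action = qs.get("a", [None])[0]
    if action not in ("save", "query"):
        return None
    task_id = qs.get("id", [None])[0]  # assumed parameter name for the TaskID
    return m.group("client"), action, task_id


def infected_clients(lines):
    """Clients that both uploaded a captcha (a=save) and asked for its answer (a=query)."""
    seen = defaultdict(set)
    for line in lines:
        hit = classify(line)
        if hit:
            client, action, _ = hit
            seen[client].add(action)
    return sorted(c for c, actions in seen.items() if {"save", "query"} <= actions)


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(classify(line))
    print("infected:", infected_clients(SAMPLE_LOG))
```

A client that only shows a=query hits (like 10.0.0.12 in the sample) could equally be a solver node polling for work, so the pairing of both actions is what separates the account-creating bot from the rest of the noise.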
Let’s run our script for some more minutes:
Okay, that’s really nice. Within around 45 minutes more than 4’400 captchas could be spoofed!
You may ask yourself why the spoofing is so simple. There are several reasons:
- Koobface is not doing any authentication of the bot
- The C&C traffic is not encrypted/obfuscated in any way (plain text)
- The C&C server only sends a captcha to one bot for solving, instead of sending the same captcha to different bots and comparing the results
- There is no limit for sending results to the C&C server
- The server doesn’t even check if a returned TaskID was indeed assigned – you can just post any TaskID and the C&C server will accept it
Koobface’s captcha breaking infrastructure is weak. Any IP address is allowed to send and receive tasks from Koobface’s C&C servers. There is no authentication of the bot. So with a few simple lines of code you are able to disturb Koobface’s captcha breaking infrastructure massively, so that the captcha breaking process is no longer useful.
A positive effect of the captcha result spoofing is that it prevents the bot from successfully creating faked accounts on Blogspot, Facebook, Myspace etc. As a result of this, and due to the fact that Koobface needs such faked accounts on social networks to spread itself, the Koobface infection vector is broken.
As mentioned in my earlier post, it seems that the Koobface gang is offering a Captcha Decoder Service. By disturbing the captcha breaking process the Koobface gang will lose money with every captcha which could not be successfully solved.
Happy captcha spoofing!