
Breaking Koobface’s Captcha Solving Process

It was a cold Sunday, so I decided to play a little bit with Koobface's captcha breaking infrastructure.

I asked myself: Is it possible to poison Koobface's captcha breaking infrastructure by spoofing captcha results? As I documented in my post Koobface – the social network trojan, the captcha breaking process used by the trojan Koobface works as follows:

  1. A bot would like to create a spoofed account (on Blogspot, Facebook, Myspace or whatever)
  2. The registration page is protected with a captcha – so the bot grabs it and sends it to the C&C server (uuu20091124.info)
  3. Another infected computer asks the C&C server for work to do at the same time
  4. The C&C server sends the captcha to the infected client where the user of the computer solves the captcha
  5. The infected computer sends the result of the captcha back to the C&C
  6. The bot that originally sent the captcha now asks the C&C server if there is already a resolution for the captcha
  7. If so, the C&C server returns the result of the captcha back to the bot
  8. The bot can successfully register the spoofed account.

It's pretty simple, so I decided to write a small script which simulates Koobface's captcha breaking module (v2captcha.exe).

After writing some lines of code, I ran my script. The script just asks the C&C server for new captchas to break, generates spoofed captcha results and sends them back to the C&C server:

[17] 89.xxx.xxx.xx:3128 -> badboys -> 21303067 -> Success (145)
[16] 190.xxx.xxx.xxx:80 -> badboys -> 21303101 -> Success (146)
[10] 200.xxx.xxx.xxx:3128 -> badboys -> 21302809 -> Success (147)
[12] 191.xxx.xxx.xxx:8090 -> badboys -> 21303105 -> Success (148)
[18] 58.xxx.xxx.xxx:80 -> badboys -> 21302778 -> Success (149)
[22] 71.xxx.xxx.xxx:3128 -> badboys -> 21302802 -> Success (150)
[5] 64.xxx.xxx.xxx:8080 -> badboys -> 21302801 -> Success (151)
[19] 212.xxx.xxx.xxx:81 -> badboys -> 21303079 -> Success (152)
[1] 84.xxx.xxx.xxx:80 -> badboys -> 2130312 -> Success (153)
[8] 93.xxx.xxx.xxx:8080 -> badboys -> 21303115 -> Success (154)
[4] 77.xxx.xxx.xxx:3128 -> badboys -> 21302775 -> Success (155)

Some words about the output of the script: the value [xx] is the thread ID of the process, followed by proxy:port, followed by a string ("badboys") that's returned as the faked solution for the captcha, the TaskID (previously received from the C&C server), the response of the C&C server and finally the number of spoofed captchas so far:

[ThreadID] proxy:port -> spoofed captcha result -> TaskID -> status (counter)

To make sure that the spoofed captchas are really accepted by the Koobface Command&Control server (C&C), I just infected a computer with Koobface's Blogspot module (v2newblogger.exe), which is being used to create faked Blogspot accounts. Afterwards I started my script again.

First of all the infected computer tries to register a new Blogspot account. As expected, the trojan grabs the captcha and sends it to the C&C server uuu20091124.info by using HTTP POST and calling the action save (a=save).

POST /captcha/?a=save&b=goo HTTP/1.0
Host: uuu20091124.info
Content-Type: binary/octet-stream
Connection: close
Content-Length: 2762

The C&C server responds with an HTTP 200 OK and returns a TaskID:

HTTP/1.1 200 OK
Date: Sun, 17 Jan 2010 16:12:19 GMT
Server: Apache/1.3.41 (Unix)
Cache-Control: no-cache
Connection: close
Content-Type: text/html

21300807

As you can see, the C&C server told the bot to use the TaskID 21300807 for further requests concerning this job.

In parallel, our script diligently asks for new tasks and "solves" them by sending a faked string back to the server. After a few seconds that looks like this:

[9] 189.xxx.xxx.xxx:3128 -> badboys-> 21300821 -> Success (1330)
[22] 78.xxx.xxx.xxx:3128 -> badboys -> 21300812 -> Success (1331)
[4] 200.xxx.xxx.xxx:81 -> badboys -> 21300807 -> Success (1332)
[3] 41.xxx.xxx.xxx:8080 -> badboys -> 21300776 -> Success (1333)
[14] 94.xxx.xxx.xxx:3128 -> Unsuccessful
[4] 174.xxx.xxx.xxx:80 -> badboys -> 21300802 -> Success (1334)

Did you see it? Our script received the captcha with the TaskID 21300807 and sent back the word "badboys" as the resolution. That's the captcha from our bot! Now let's go back to the bot and check what answer it gets from the C&C server for the captcha submitted a few seconds before:

GET /captcha/?a=query&b=goo&id=21300807 HTTP/1.0
Host: uuu20091124.info
Connection: close

The bot asks the server if the captcha is already solved by calling the action "query" (a=query) and using the TaskID 21300807. The C&C server responds:

HTTP/1.1 200 OK
Server: Apache/1.3.41 (Unix)
Cache-Control: no-cache
Connection: close
Content-Type: text/html

3|badboy

Strike! The bot received badboy as the resolution of the captcha – the captcha spoofing works!
Let's run our script for some more minutes:

2297 seconds elapsed, spoofed 4438 captchas (119 unsuccessful).

Okay, that's really nice. Within around 45 minutes more than 4'400 captchas could be spoofed!
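The two C&C requests shown above (a=save returning a TaskID, a=query returning a "flag|solution" body) are enough to spot this traffic in a web proxy log. The following detector is an added example, not code from the original post: it parses constructed log lines (the format and the sample lines are assumed, as is the meaning of the numeric prefix before the "|", which the post does not explain) and flags captcha C&C exchanges with the domain named above.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed proxy-log sample (not captured from the original post's traffic).
# Assumed format: <client_ip> <method> <url> <http_status> <response_body_first_line>
SAMPLE_LOG = """\
10.0.0.5 POST http://uuu20091124.info/captcha/?a=save&b=goo 200 21300807
10.0.0.7 GET http://www.example.com/index.html 200 <html>
10.0.0.5 GET http://uuu20091124.info/captcha/?a=query&b=goo&id=21300807 200 3|badboy
10.0.0.9 GET http://uuu20091124.info/captcha/?a=query&b=goo&id=21300821 200 0|
"""

C2_HOST = "uuu20091124.info"   # C&C domain named in the post
CAPTCHA_PATH = "/captcha/"     # captcha endpoint seen in the post's requests

def parse_line(line):
    """Split one constructed log line into its fields; return None if malformed."""
    parts = line.split(" ", 4)
    if len(parts) != 5:
        return None
    client, method, url, status, body = parts
    return {"client": client, "method": method, "url": url,
            "status": status, "body": body}

def classify(event):
    """Return an alert dict if the event is Koobface captcha C&C traffic, else None."""
    u = urlsplit(event["url"])
    if u.hostname != C2_HOST or u.path != CAPTCHA_PATH:
        return None
    q = parse_qs(u.query)
    action = q.get("a", [""])[0]
    alert = {"client": event["client"], "action": action,
             "task_id": q.get("id", [None])[0], "solution": None}
    if action == "save" and event["body"].isdigit():
        alert["task_id"] = event["body"]            # C&C hands back the TaskID
    elif action == "query" and "|" in event["body"]:
        _flag, _, solution = event["body"].partition("|")
        alert["solution"] = solution or None        # empty solution: not solved yet
    return alert

def scan(log_text):
    """Run every log line through the classifier and collect the alerts."""
    alerts = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event:
            alert = classify(event)
            if alert:
                alerts.append(alert)
    return alerts

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

Correlating a client's save TaskID with a later query for the same id (as the 10.0.0.5 lines do) identifies the infected host that submitted the captcha, which is the machine to clean.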

You may ask yourself why the spoofing is so simple. There are several reasons:

  • Koobface is not doing any authentication of the bot
  • The C&C traffic is not encrypted/obfuscated in any way (plain text)
  • The C&C server only sends the captcha to one bot for solving instead of sending the same captcha to different bots and comparing the results
  • There is no limit for sending results to the C&C server
  • The server doesn't even check if a returned TaskID was indeed assigned – you can just post any TaskID and the C&C server will accept it

Conclusion
Koobface's captcha breaking infrastructure is weak. Any IP address is allowed to send and receive tasks from Koobface's C&C servers. There is no authentication of the bot. So with a few simple lines of code you are able to disturb Koobface's captcha breaking infrastructure massively, so that the captcha breaking process is no longer useful.

A positive effect of the captcha result spoofing is that it prevents the bot from successfully creating faked accounts on Blogspot, Facebook, Myspace etc. As a result of this, and due to the fact that Koobface needs such faked accounts on social networks to spread itself, the Koobface infection vector is broken.

As mentioned in my earlier post, it seems that the Koobface gang is offering a Captcha Decoder Service. By disturbing the captcha breaking process, the Koobface gang will lose money with every captcha which could not be successfully solved.

Happy captcha spoofing! :P
