Koobface Spam

The Koobface botnet preys on social networking sites as its primary means of propagation. Unsuspecting victims browsing Facebook, Twitter, and other social networks are sent messages from users they believe to be friends. In truth, these users are either compromised accounts that fell for one of Koobface’s scams or fraudulent accounts created by Koobface. The messages sent by Koobface can be recovered by directly interacting with the Koobface C&C.

Spamming Modules

The Koobface botnet has a separate spamming module for each of a multitude of websites, including Facebook, MySpace, Twitter, and Bebo. Despite this, the network-level behaviour of every module follows a generic template:

POST /.sys/?action=[module name]&v=[version]

At the current time, Koobface supports 6 modules with varying version numbers. Sending a request with an outdated version results in a signal to update the module. This can be avoided by using &v=200 for every request (the version check is a simple less-than comparison); however, this is a noticeable perturbation from typical zombie behaviour.

Module | Site
fbgen | Facebook
twgen | Twitter
msgen | MySpace
begen | Bebo
tggen | ?
higen | hi5

The responses to each POST are displayed below. Of the modules, only the Facebook module obfuscates its response. Each response contains a link and an associated message to spam.

POST /.sys/?action=fbgen&v=101
#BLACKLABEL
#BLUELABEL
e3 14 a5 17 2d ec a0 4c 94 a3 e2 aa 6c 7e bd a6
2e 84 c1 1c ca d4 fa 55 aa 3b cc 4b 8f d8 f7 28
0f 5d e2 2e 3f b7 f5 30 b5 d8 eb 89 66 f8 89 49
f6 4e 5a e5 0e 7d c2 bd


POST /.sys/?action=twgen&v=08 

#BLACKLABEL
TEXT_M|OMFG!! You must see this video!! :))
http://www.stevesummerhill.com/index.html/
TEXT_W|OMFG!! You must see this video!! :))
http://www.stevesummerhill.com/index.html/
TEXT_S| http://www.stevesummerhill.com/index.html/
#CACHE MD5|51da895e24b09bc45f6b461a107407ee


POST /.sys/?action=msgen&v=26

#BLACKLABEL
SIMPLEMODE|1
FBTARGETPERPOST|15
TITLE_M|;)
TEXT_M|WOW
LINK_M|%3Ca%20href%3D%27http%3A//bit.ly/4NHlsT%27%3E
I olve wathcing you opsing anked!
TITLE_B|;)
TEXT_B|Cooooool Video http://bit.ly/4NHlsT
TEXT_C|Cool Video http://bit.ly/4NHlsT
#CACHE
MD5|f7fe75dc9a2fd0343bd62bdae9a709af

#SAVED 2010-01-22 16:11:36

Compromised Redirectors

Each spam message provided by Koobface contains a link to a compromised website acting as a redirector to Koobface malware. For redundancy, each website is embedded with a list of 20 zombies to forward visitors to. Given that zombies have unpredictable uptime, the compromised redirector acts as a highly available intermediary, while the zombies host the actual malware and social engineering attack.

Recovering the IP addresses of the zombies pointed to by a redirector is fairly simple, as the list is only lightly obfuscated (each address is split into concatenated string fragments):

var b6e = [
'86.' + '126.205.43',
'68.36' + '.78.85',
'19' + '0.213.31.133',
'24.235.' + '129.182',
'76' + '.249.244.80',
'98.' + '221.155.223',
'98' + '.208.114.221',
'173' + '.31.203.53',
'79.1' + '16.33.205',
'74.130.' + '134.165',
'88.165.' + '115.173',
'67.24' + '4.2.122',
'99.91' + '.48.26',
'95.' + '35.211.92',
'85.64' + '.111.111',
'173.18' + '.98.113',
'24' + '.99.82.56',
'65.9' + '6.238.254',
'173.' + '22.162.187',
'76' + '.31.51.190',
''];
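As an added example (not code from the original write-up), the following Python recovers the zombie addresses from a redirector page so they can be fed to a blocklist or takedown request. It assumes the array uses single-quoted fragments joined with '+', as in the snippet above; the sample page fragment is constructed from the first three entries of that array, and the variable name (b6e here) is treated as arbitrary because it can differ per redirector.

```python
"""Recover the zombie IP list embedded in a Koobface compromised redirector."""
import ipaddress
import re

# Constructed sample, modelled on the obfuscated array shown above (first
# three entries plus the empty terminator); real pages embed 20 addresses.
SAMPLE_HTML = """<html><script>
var b6e = [
'86.' + '126.205.43',
'68.36' + '.78.85',
'19' + '0.213.31.133',
''];
</script></html>"""

# Any "var NAME = [ ... ];" array in the page; the name is not relied upon.
ARRAY_RE = re.compile(r"var\s+(\w+)\s*=\s*\[(.*?)\];", re.S)
# One single-quoted fragment such as '86.' or '126.205.43'.
FRAGMENT_RE = re.compile(r"'([^']*)'")


def join_fragments(element: str) -> str:
    """Undo the concatenation of one array element: 'a' + 'b' -> 'ab'."""
    return "".join(FRAGMENT_RE.findall(element))


def recover_zombie_ips(html: str) -> list[str]:
    """Return every IPv4 address reconstructed from concatenated-string
    arrays in the page, in page order, without blanks or duplicates.
    Arrays whose elements are not IPs (other page scripts) contribute nothing."""
    found: list[str] = []
    for _name, body in ARRAY_RE.findall(html):
        # Fragments hold only digits and dots, so splitting on ',' is safe.
        for element in body.split(","):
            candidate = join_fragments(element)
            if not candidate:
                continue  # the trailing '' terminator
            try:
                ip = str(ipaddress.IPv4Address(candidate))
            except ipaddress.AddressValueError:
                continue  # not an IP list: skip this element
            if ip not in found:
                found.append(ip)
    return found


if __name__ == "__main__":
    for zombie in recover_zombie_ips(SAMPLE_HTML):
        print(zombie)
```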

Once one of the zombies is determined to be available, the victim is redirected to a scam page modelled after Facebook or YouTube.