The Koobface botnet preys on social networking sites as its primary means of propagation. Unsuspecting victims browsing Facebook, Twitter, and other social networks are sent messages from users they believe to be friends. In truth, these users are either compromised accounts that fell for one of Koobface’s scams or fraudulent accounts created by Koobface. The messages sent by Koobface can be recovered by directly interacting with the Koobface C&C.
The Koobface botnet has unique spamming modules for a multitude of websites, including Facebook, MySpace, Twitter, and Bebo. Despite this, the network-level behaviour of each module follows a generic template:
POST /.sys/?action=[module name]&v=[version]
At the time of writing, Koobface supports 6 modules with varying version numbers. Sending a request with an outdated version results in a signal to update the module. This can be avoided by using &v=200 for every request (the version check is a simple less-than comparison); however, doing so is a noticeable perturbation from typical zombie behaviour.
Module   Website
fbgen    Facebook
twgen    Twitter
msgen    MySpace
begen    Bebo
tggen    ?
higen    hi5
The responses to each POST are displayed below. Of the modules, only the Facebook module (fbgen) returns an obfuscated response. Each response contains a link and an associated message to spam.
POST /.sys/?action=fbgen&v=101
#BLACKLABEL
#BLUELABEL
e3 14 a5 17 2d ec a0 4c 94 a3 e2 aa 6c 7e bd a6 2e 84 c1 1c ca d4 fa 55 aa 3b cc 4b 8f d8 f7 28 0f 5d e2 2e 3f b7 f5 30 b5 d8 eb 89 66 f8 89 49 f6 4e 5a e5 0e 7d c2 bd
POST /.sys/?action=twgen&v=08
#BLACKLABEL
TEXT_M|OMFG!! You must see this video!! :)) http://www.stevesummerhill.com/index.html/
TEXT_W|OMFG!! You must see this video!! :)) http://www.stevesummerhill.com/index.html/
TEXT_S| http://www.stevesummerhill.com/index.html/
#CACHE
MD5|51da895e24b09bc45f6b461a107407ee
POST /.sys/?action=msgen&v=26
#BLACKLABEL
SIMPLEMODE|1
FBTARGETPERPOST|15
TITLE_M|;)
TEXT_M|WOW
LINK_M|%3Ca%20href%3D%27http%3A//bit.ly/4NHlsT%27%3E I olve wathcing you opsing anked!
TITLE_B|;)
TEXT_B|Cooooool Video http://bit.ly/4NHlsT
TEXT_C|Cool Video http://bit.ly/4NHlsT
#CACHE
MD5|f7fe75dc9a2fd0343bd62bdae9a709af
#SAVED 2010-01-22 16:11:36
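For an analyst who has captured one of these responses (from a sandbox or a packet capture), the useful output is the set of spam URLs and the cache hash, so they can be fed to a blocklist or a detection rule. The following parser is an added example, not code from the original post or from the Koobface authors: it splits a response into its `#SECTION` markers and `KEY|value` fields, percent-decodes the `LINK_*` fields (which carry URL-encoded HTML), and collects every URL it finds. The sample input is the msgen response shown above, re-typed line by line; `parseKoobfaceResponse`, `extractSpamUrls` and `safeDecode` are names chosen here.

```javascript
// Added example (not from the original post): parse a captured Koobface
// spam-module response into sections and KEY|value fields, then pull out
// the spam URLs for blocklisting. Sample input is the msgen response from
// the page, re-typed line by line.
const SAMPLE_MSGEN_RESPONSE = [
  '#BLACKLABEL',
  'SIMPLEMODE|1',
  'FBTARGETPERPOST|15',
  'TITLE_M|;)',
  'TEXT_M|WOW',
  'LINK_M|%3Ca%20href%3D%27http%3A//bit.ly/4NHlsT%27%3E I olve wathcing you opsing anked!',
  'TITLE_B|;)',
  'TEXT_B|Cooooool Video http://bit.ly/4NHlsT',
  'TEXT_C|Cool Video http://bit.ly/4NHlsT',
  '#CACHE',
  'MD5|f7fe75dc9a2fd0343bd62bdae9a709af',
  '#SAVED 2010-01-22 16:11:36',
].join('\n');

// Returns { sections: [...], fields: { KEY: { section, value } }, saved }.
function parseKoobfaceResponse(body) {
  const result = { sections: [], fields: {}, saved: null };
  let current = null;
  for (const raw of body.split(/\r?\n/)) {
    const line = raw.trim();
    if (line === '') continue;
    if (line.startsWith('#')) {
      // Section marker such as "#BLACKLABEL"; "#SAVED" also carries a timestamp.
      const [name, ...rest] = line.slice(1).split(/\s+/);
      current = name;
      result.sections.push(name);
      if (name === 'SAVED' && rest.length) result.saved = rest.join(' ');
      continue;
    }
    const sep = line.indexOf('|');
    if (sep === -1) continue; // not a KEY|value line; ignore it
    const key = line.slice(0, sep);
    const value = line.slice(sep + 1);
    result.fields[key] = { section: current, value };
  }
  return result;
}

// decodeURIComponent throws on a stray "%"; fall back to the raw text.
function safeDecode(s) {
  try { return decodeURIComponent(s); } catch (e) { return s; }
}

// Collect every http(s) URL from every field, after percent-decoding, so
// that URLs hidden inside encoded <a href='...'> fragments are found too.
function extractSpamUrls(parsed) {
  const urls = new Set();
  const urlRe = /https?:\/\/[^\s'"<>]+/g;
  for (const { value } of Object.values(parsed.fields)) {
    const text = safeDecode(value);
    for (const m of text.match(urlRe) || []) urls.add(m);
  }
  return [...urls].sort();
}
```

Run over the sample, `extractSpamUrls` yields the single bit.ly link, and `fields.MD5` gives the hash under `#CACHE`; the same two functions work unchanged on the twgen response above, whose `TEXT_S` value begins with a space that the URL regex skips.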
Each spam message provided by Koobface contains a link to a compromised website acting as a redirector to Koobface malware. For redundancy, each such website is embedded with a list of 20 zombies to forward visitors to. Given that zombies have unpredictable uptime, the compromised redirector acts as a highly available intermediary, while the zombies host the actual malware and the social engineering attack.
Recovering the IP addresses of the zombies a redirector points to is fairly simple, as the list is only lightly obfuscated: each address is split into two concatenated string literals.
    // each address is split into two concatenated string literals; the list ends with an empty string
    var b6e = [
        '86.' + '126.205.43',    '68.36' + '.78.85',      '19' + '0.213.31.133',   '24.235.' + '129.182',
        '76' + '.249.244.80',    '98.' + '221.155.223',   '98' + '.208.114.221',   '173' + '.31.203.53',
        '79.1' + '16.33.205',    '74.130.' + '134.165',   '88.165.' + '115.173',   '67.24' + '4.2.122',
        '99.91' + '.48.26',      '95.' + '35.211.92',     '85.64' + '.111.111',    '173.18' + '.98.113',
        '24' + '.99.82.56',      '65.9' + '6.238.254',    '173.' + '22.162.187',   '76' + '.31.51.190',
        ''
    ];
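When triaging a compromised site, the zombie list is worth extracting for blocking and notification without ever executing the injected script. The function below is an added example, not code from the original post: it locates array literals of the `var name = [ ... ]` shape, glues the quoted pieces of each element back together, and keeps only syntactically valid IPv4 addresses, so junk or padding elements (like the trailing empty string) are dropped. The sample page is constructed here in the same shape as the `b6e` array above, using RFC 5737 documentation addresses plus two deliberately invalid entries; `q9x`, `extractRedirectorIps` and `isValidIpv4` are names chosen for this example.

```javascript
// Added example (not from the original post): recover the zombie IP list
// embedded in a compromised redirector page without running its script.
// The sample below is constructed in the same shape as the page's
// "var b6e = [...]" array, using RFC 5737 documentation addresses and two
// invalid entries to show the validation step.
const SAMPLE_REDIRECTOR_JS = `
<html><body>
<script>
var q9x = [ '192.' + '0.2.10', '198.51' + '.100.7', '20' + '3.0.113.250',
            '192.0.' + '2.300', 'not' + '-an-ip', ''];
</script>
</body></html>`;

const IPV4_OCTET = /^(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)$/;

// True only for dotted-quad addresses with four in-range octets.
function isValidIpv4(s) {
  const parts = s.split('.');
  return parts.length === 4 && parts.every(p => IPV4_OCTET.test(p));
}

// For every "var name = [ ... ]" literal in the page, split the body on
// commas, join the single-quoted fragments of each element, and keep the
// results that parse as IPv4 addresses (deduplicated, in page order).
function extractRedirectorIps(js) {
  const ips = [];
  const arrayRe = /var\s+\w+\s*=\s*\[([^\]]*)\]/g;
  let arr;
  while ((arr = arrayRe.exec(js)) !== null) {
    for (const element of arr[1].split(',')) {
      const pieces = [...element.matchAll(/'([^']*)'/g)].map(m => m[1]);
      const joined = pieces.join('');
      if (joined && isValidIpv4(joined) && !ips.includes(joined)) ips.push(joined);
    }
  }
  return ips;
}
```

Because the concatenation is pure string literals, no JavaScript evaluation is needed; if a future variant mixed in arithmetic or function calls, the regex approach would return fewer addresses rather than execute anything, which is the safe failure mode for a triage tool.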
Once one of the zombies is determined to be available, the victim is redirected to a scam page modelled after Facebook or YouTube.