23 Mar Active Koobface C&C servers hit a record high – 200+ and counting Stefan Tanase
22 Mar Koobface C&C servers steadily dropping - new spike coming soon? Stefan Tanase
06 Aug Koobface update Stefan Tanase
06 Aug Twitter down Stefan Tanase
06 Aug New tricks for Koobface Stefan Tanase
14 Jul Koobface on the tweet Marco
As I was saying in yesterday's blog post, we were expecting the number of Koobface C&C servers to start growing sometime this week:
"Cybercriminals don't want the number of C&C servers to drop too much, as that would mean losing their control over the botnet. So, if the earlier strategy of the Koobface gang is anything to go by, we should be seeing new servers being added to control the botnet soon, most probably this week."
And, guess what? Yesterday evening the Koobface gang started adding new
The total number of active Koobface C&C servers went from a low of 65 yesterday to over 200 at the time of writing – 225, to be precise. This is the most Koobface C&C servers we've ever seen in a 24-hour period, and we keep discovering new ones.
We've already started contacting the owners of the compromised websites to get the C&C servers taken down and cleaned up as quickly as possible.
Two weeks ago we recorded a surge in Koobface, the highly prolific worm infecting social networking sites. It targets sites such as Facebook and Twitter and uses compromised legitimate websites as proxies for its main command and control server.
From the beginning of March the live Koobface C&C servers, which are used to send out commands and updates to all the computers infected by the worm, were shut down or cleaned on average three times per day.
The number of C&C servers dropped steadily from 107 on February 25, to as low as 71 on March 8. Then, in just 48 hours, the number doubled. As you can see in the graph, 10 March was the peak, with 142 active Koobface C&C servers. After that, the number started to drop constantly. We witnessed an average of 5 servers being taken down every day.
Right now, the number is just below 70, the lowest it has been in over a month.
Cybercriminals don't want the number of C&C servers to drop too much, as that would mean losing their control over the botnet. So, if the earlier strategy of the Koobface gang is anything to go by, we should be seeing new servers being added to control the botnet soon, most probably this week.
We will continue to monitor the situation and let you know if there are any important developments.
Kaspersky Lab would like to provide a few tips for users:
Kaspersky Lab users running any of the Company’s current anti-malware products are fully protected from all known variants of Koobface.
The URL which Koobface was spreading from (see this post for an overview) has now been brought down so attacks are blocked.
As the previous attack was reaching peak activity, Twitter went offline.
The guys at Twitter are still unsure of the cause of the problem (http://status.twitter.com/post/157160617/site-is-down).
Most likely the Koobface attack and Twitter going down at the same time is just a coincidence - but hey, there's a good part about this story too: at least we're not seeing new malicious tweets anymore.
UPDATE: It seems Twitter changed its IP address during the downtime we're currently seeing. The server responds to pings, but not to HTTP requests. Signs of a DDoS attack?
UPDATE 2: Twitter has confirmed it is "fighting against" a denial-of-service attack.
Once again, there's a new wave of Koobface.
But this time, the tactics have changed. There's a new twist to the social engineering, with links from infected messages leading to a very well designed Facebook lookalike page (far more convincing than the previous YouTube page).
And Koobface is now sending unique tweets. Messages sent in previous attacks were all the same:
"My home video :) [URL]"
Now there's a random component being added, with strings like "HA-HA-HA!!", "W.O.W.", "WOW", "L.O.L.", "LOL", ";)" or "OMFG!!!" at the end of each tweet, so the malicious tweets look like this:
They are also adding a random component to the Koobface landing page so now, the URL gets shortened to a different bit.ly URL each time (see my post about the dangers of short URLs) making it harder for Twitter to filter and delete infected messages.
i.e. http://u*******.se/pub1icm0vies/?[RANDOM] -> http://bit.ly/[RANDOM]
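As an added example (not code from the original post), here is defender-side filtering logic in Python for the evasion described above: it expands each short link (a constructed lookup table stands in for following the redirect), strips the random query component so every variant of the landing URL collapses to one key, and separately normalises away the random tweet suffix. The hosts, short links and tweets are constructed placeholders; the post masks the real host.

```python
import re
from urllib.parse import urlsplit, urlunsplit
# Random tail strings the post reports being appended to each tweet.
RANDOM_SUFFIXES = ("HA-HA-HA!!", "W.O.W.", "WOW", "L.O.L.", "LOL", ";)", "OMFG!!!")
LURE_TEXT = "my home video :)"  # the fixed lure used in the earlier tweets
URL_RE = re.compile(r"https?://\S+")

# Constructed stand-in for short-link expansion (really an HTTP request that
# follows redirects); hosts are placeholders, the post masks the real one.
SHORT_LINK_RESOLUTIONS = {
    "http://bit.ly/xq1Ab": "http://u-example.invalid/pub1icm0vies/?8f3a1c",
    "http://bit.ly/Zz9Q4": "http://u-example.invalid/pub1icm0vies/?b77e02",
    "http://bit.ly/abc12": "http://example.org/cat-picture",
}
# Block list keyed on the canonical (query-free) landing URL, not the short link.
BLOCKED_LANDINGS = {"http://u-example.invalid/pub1icm0vies/"}

def canonical_landing(url, resolutions=SHORT_LINK_RESOLUTIONS):
    """Expand a short link and drop its random query string (one key per host+path)."""
    parts = urlsplit(resolutions.get(url, url))
    return urlunsplit((parts.scheme, parts.netloc.lower(), parts.path, "", ""))

def normalize_text(text):
    """Strip URLs and one trailing random suffix, then fold case/whitespace."""
    text = URL_RE.sub("", text).strip()
    for suffix in RANDOM_SUFFIXES:
        if text.endswith(suffix):
            text = text[: -len(suffix)].rstrip()
            break
    return " ".join(text.lower().split())

def classify(tweet, blocked=BLOCKED_LANDINGS):
    """Return (is_malicious, reason); a landing-page match wins over lure text."""
    urls = URL_RE.findall(tweet)
    for url in urls:
        if canonical_landing(url) in blocked:
            return True, "landing page blocked"
    if urls and normalize_text(tweet) == LURE_TEXT:
        return True, "known lure text"
    return False, ""

# Constructed sample tweets modelled on the pattern the post describes.
SAMPLE_TWEETS = [
    "My home video :) http://bit.ly/xq1Ab W.O.W.",
    "My home video :) http://bit.ly/Zz9Q4 OMFG!!!",
    "Look at my cat http://bit.ly/abc12 LOL",
]

def scan(tweets=SAMPLE_TWEETS):
    return [(t, classify(t)[1]) for t in tweets if classify(t)[0]]
```

Keying the block list on the canonical landing URL is what survives the per-tweet bit.ly rotation; the text normalisation alone would still be defeated by a new suffix list.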
This week everyone's been talking about how Twitter started to use the Google Safebrowsing API to block tweets containing malicious URLs. It is definitely going to stop some attacks, but as we're seeing with the current attack, it won't eradicate the problem completely. It's clearly a step forward, but a single swallow doesn't make a summer.
We detect the malicious binary as Net-Worm.Win32.Koobface.d and the script that is doing the redirect on the landing page as Trojan-Clicker.HTML.IFrame.ob.
Currently we’ve identified almost 100 unique IP addresses hosting Koobface. We'll keep you posted!
UPDATE: We're working on getting the main Koobface page taken down.
We are currently witnessing a new wave of Koobface messages flooding Twitter. The message that is mostly used right now is: "My home video :) <URL>"
The script calls a PHP script on a server that uses an ID to return an IP address leading to the video site, so the IP address is different for every request.
Interestingly, the guys behind this attack are clearly out to maximize their ROI: if you're using Mac or Linux, you end up getting redirected to an adult site.
Twitter is saying it may block infected accounts. We're doing our part as well - our users are already protected from the malicious file:
And we've also added protection against the malicious tweet itself, which will be detected as Net-Worm.Win32.Koobface.aqy as updates are rolled out to our users.
In June, we saw an explosive rise in the number of Koobface modifications - the number of variants we detected jumped from 324 at the end of May to nearly 1000 by the end of June. And this weekend brought another flood, bringing us up to 1049 at the time of writing.
As we've said before, Koobface spreads via major social networking sites like Facebook and MySpace. It's now spreading via Twitter as well.
Normally the increase in the number of malicious programs slows a bit over the summer with lots of people (virus writers, cybercriminals etc.) taking a bit of time off. But in the case of Koobface, the opposite has happened. This is probably because cybercriminals have realized that spreading malware via social networking sites is very effective.
June 2009 is an important milestone in the history of social network malware; the activity we've seen this month far exceeds anything we've previously seen. With everyone who's anyone now having a Facebook page, Twitter account or similar, the pool of potential victims is growing day by day - just take a look at the Alexa stats for Facebook. So naturally, cybercriminals are going to be targeting these sites more and more often.