Koobface campaign spread through Blogspot
A massive In-the-Wild campaign is spreading the Koobface worm using blogs generated on the Blogspot service as its propagation strategy.
Koobface has become a nightmare for social networks, and even though its propagation strategies do not change, this malware has been active for almost two years with a significant rate of infection, making it one of the largest botnets today.
The Blogspot domains used as cover for the spread are:
pannullonumair.blogspot.com
haladynalatosha.blogspot.com
macdougalmuskan.blogspot.com
mailletjamaica.blogspot.com
ledrewrooney.blogspot.com
brasenoktayoktay.blogspot.com
toludestany.blogspot.com
edgarbillison.blogspot.com
piotrowiczlyanne.blogspot.com
brochoiredeedee.blogspot.com
decuyperantohny.blogspot.com
derrenpassini.blogspot.com
elsenelsenumthun.blogspot.com
elsyelsysalah.blogspot.com
fanjonappuappu.blogspot.com
fredrikadantos.blogspot.com
genelleabril.blogspot.com
gilkerharjyot.blogspot.com
hadzilashawn.blogspot.com
insalacotecwyn.blogspot.com
janitasaels.blogspot.com
jodelinscheufler.blogspot.com
jones-allentammey.blogspot.com
jurgisbooty.blogspot.com
karanjeetisoardi.blogspot.com
dralleboyeboye.blogspot.com
maidenhermann.blogspot.com
messer-bustamantetimpriss.blogspot.com
murachaniananoushka.blogspot.com
nevnevsculthorpe.blogspot.com
parrisvistisen.blogspot.com
porierkunlekunle.blogspot.com
rotermundraimon.blogspot.com
sharonyacorvil.blogspot.com
sodorabardan.blogspot.com
tendaiblunk.blogspot.com
turskeybrianna.blogspot.com
zhuochengbate-pelletier.blogspot.com
ziziziziboyter.blogspot.com
Whoever accesses one of these domains is redirected to a page that simulates the typical YouTube screen. A screen capture follows.
Immediately afterwards, the page tries to download a binary called "setup.exe" (MD5 6d8ac41c64137c91939cced16cb5f2fe), which has a low average detection rate. This binary, in turn, takes care of downloading and executing other malicious components (detections out of 41 antivirus engines in parentheses):
- v2prx.exe (36/41 - 87.80%)
- go.exe (7/41 - 17.07%)
- fb.75.exe (22/41 - 53.66%)
- v2newblogger.exe (36/41 - 87.80%)
- v2captcha.exe (39/41 - 95.12%)
- v2googlecheck.exe (40/41 - 97.56%)
The binary v2captcha.exe handles breaking the CAPTCHA that Blogspot asks for when registering a blog, creating blogs massively under random names, which then redirect to the Koobface download through, as mentioned at the beginning, a fake YouTube page that uses the same visual social-engineering approach seen in other similar propagation campaigns.
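The chain described above (visit to a cover blog, redirect to the fake YouTube page, download of setup.exe, then the dropped components) is what a defender would look for in proxy logs. The following is an added example, not code from the original post: it takes the indicators the post lists (the Blogspot domains, the setup.exe MD5 and the component file names) and classifies each client in a log by whether it merely reached a cover blog or went on to fetch a payload. The log format (epoch, client, method, URL), the sample lines, and the payload host 203.0.113.7 are constructed for the example; a file name like setup.exe is a weak indicator on its own, which is why the code only calls it an infection chain when it follows a cover-blog visit.

```python
"""IOC matcher for the Koobface/Blogspot campaign (added example, not the post's code)."""
import hashlib
import re
from urllib.parse import urlsplit

# Indicators taken from the post: the Blogspot domains used as cover.
KOOBFACE_BLOGS = set("""
pannullonumair.blogspot.com haladynalatosha.blogspot.com macdougalmuskan.blogspot.com
mailletjamaica.blogspot.com ledrewrooney.blogspot.com brasenoktayoktay.blogspot.com
toludestany.blogspot.com edgarbillison.blogspot.com piotrowiczlyanne.blogspot.com
brochoiredeedee.blogspot.com decuyperantohny.blogspot.com derrenpassini.blogspot.com
elsenelsenumthun.blogspot.com elsyelsysalah.blogspot.com fanjonappuappu.blogspot.com
fredrikadantos.blogspot.com genelleabril.blogspot.com gilkerharjyot.blogspot.com
hadzilashawn.blogspot.com insalacotecwyn.blogspot.com janitasaels.blogspot.com
jodelinscheufler.blogspot.com jones-allentammey.blogspot.com jurgisbooty.blogspot.com
karanjeetisoardi.blogspot.com dralleboyeboye.blogspot.com maidenhermann.blogspot.com
messer-bustamantetimpriss.blogspot.com murachaniananoushka.blogspot.com
nevnevsculthorpe.blogspot.com parrisvistisen.blogspot.com porierkunlekunle.blogspot.com
rotermundraimon.blogspot.com sharonyacorvil.blogspot.com sodorabardan.blogspot.com
tendaiblunk.blogspot.com turskeybrianna.blogspot.com zhuochengbate-pelletier.blogspot.com
ziziziziboyter.blogspot.com
""".split())

# MD5 of the first-stage downloader and the names of the components it fetches (from the post).
SETUP_EXE_MD5 = "6d8ac41c64137c91939cced16cb5f2fe"
PAYLOAD_NAMES = {"setup.exe", "v2prx.exe", "go.exe", "fb.75.exe",
                 "v2newblogger.exe", "v2captcha.exe", "v2googlecheck.exe"}

# Constructed sample proxy log (not real data): "<epoch> <client> <method> <url>".
# 203.0.113.7 is a documentation address standing in for the payload host.
SAMPLE_LOG = """\
1270000002 10.0.0.5 GET http://ledrewrooney.blogspot.com/
1270000001 10.0.0.5 GET http://www.google.com/search?q=video
1270000003 10.0.0.5 GET http://203.0.113.7/youtube/setup.exe
1270000004 10.0.0.5 GET http://203.0.113.7/v2captcha.exe
1270000010 10.0.0.9 GET http://jurgisbooty.blogspot.com/2010/02/post.html
1270000011 10.0.0.9 GET http://www.youtube.com/watch?v=abc
1270000020 10.0.0.12 GET http://example.org/downloads/setup.exe
"""

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+([A-Z]+)\s+(\S+)$")


def parse_log(text):
    """Return (ts, client, url) tuples in timestamp order; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((int(m.group(1)), m.group(2), m.group(4)))
    return sorted(events)


def is_cover_blog(url):
    """True if the URL's host is one of the cover blogs (case-insensitive, optional www.)."""
    host = urlsplit(url).hostname or ""
    if host.startswith("www."):
        host = host[4:]
    return host in KOOBFACE_BLOGS


def is_payload_download(url):
    """True if the last path component is setup.exe or one of the dropped components."""
    name = urlsplit(url).path.rsplit("/", 1)[-1].lower()
    return name in PAYLOAD_NAMES


def is_first_stage_sample(data):
    """Compare a captured file against the setup.exe MD5 reported in the post."""
    return hashlib.md5(data).hexdigest() == SETUP_EXE_MD5


def classify_clients(log_text):
    """Return {client: {"cover_blogs": [...], "payloads": [...], "verdict": str}}.

    "infection_chain": a payload fetched at or after the first cover-blog visit;
    "exposed": cover-blog visit only; "payload_only": a payload name fetched with
    no cover-blog visit (flagged for review, not called an infection).
    """
    per_client = {}
    for ts, client, url in parse_log(log_text):
        rec = per_client.setdefault(client, {"cover_blogs": [], "payloads": []})
        if is_cover_blog(url):
            rec["cover_blogs"].append((ts, url))
        elif is_payload_download(url):
            rec["payloads"].append((ts, url))
    for rec in per_client.values():
        first_cover = rec["cover_blogs"][0][0] if rec["cover_blogs"] else None
        chained = first_cover is not None and any(ts >= first_cover for ts, _ in rec["payloads"])
        if chained:
            rec["verdict"] = "infection_chain"
        elif rec["cover_blogs"]:
            rec["verdict"] = "exposed"
        elif rec["payloads"]:
            rec["verdict"] = "payload_only"
        else:
            rec["verdict"] = "clean"
        rec["cover_blogs"] = [u for _, u in rec["cover_blogs"]]
        rec["payloads"] = [u for _, u in rec["payloads"]]
    return per_client


if __name__ == "__main__":
    for client, rec in classify_clients(SAMPLE_LOG).items():
        print(client, rec["verdict"], rec["cover_blogs"], rec["payloads"])
```

Any client reported as "exposed" visited a cover blog but did not fetch a payload through the proxy, which still warrants a look since the download may have gone over another path; "payload_only" hits should be checked by hashing the file against SETUP_EXE_MD5 with is_first_stage_sample before drawing conclusions.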
Undoubtedly Koobface is another piece of malicious code that persists despite many of its variants being detected by most antivirus companies.
Related information
Symbiosis malware present. Koobface
Jorge Mieres