Malicious Code Research (MCRC) Blog - 2009
Koobface malware distribution technique - automatic user account creation on FaceBook, Twitter, BlogSpot and others
Koobface is a well-discussed computer worm that tries to infect users using social engineering attacks. Koobface mainly abuses popular social-networking websites such as Facebook, Twitter, Bebo and Myspace.
In this post I’ll describe another, less discussed, distribution tactic of this malware: the use of SEO techniques. In this scenario, the malware automatically creates BlogSpot accounts and populates them with the latest news taken from the Google News feed. As a result, the trap site always carries up-to-date content that matches some of the most popular search terms.

The blog shown above is an example of such an account that was automatically created by Koobface. In addition to the news feed, the malware also adds a script that redirects the victim to a malicious website that tries to install the Trojan.
Following is a code snippet of the malicious script:

The user is redirected to a fake Facebook page:
http://mi[--REMOVED--]09.com/go/fb.php

In order to see the video, the user is asked to “Upgrade” his Flash Player. Needless to say, any click on this page dupes the user into downloading the malware...

Once the malware is downloaded, it tries to create new accounts in various websites. To do that, it needs to overcome a security mechanism called CAPTCHA ("Completely Automated Public Turing test to tell Computers and Humans Apart") that is present on many websites and is designed to prevent computer programs from performing certain sensitive actions such as creating new accounts.
Following are the actions performed by the malware:

The Koobface tactic for bypassing the CAPTCHA test is simple: it challenges its infected users with the test by presenting the window shown below. The user is prompted to enter the word(s) in the image, or else his machine will shut down. The CAPTCHA image itself is sent to the victim by the C&C server.

The virus darkens the background and leaves the user no other option than to insert the code in the CAPTCHA within 3 minutes or else it will shut down his computer (we tested it: it doesn’t shut down the machine:)).
Does this CAPTCHA look familiar? Let me give you a hint....

Indeed, the CAPTCHA picture shown above is taken from Twitter’s account creation form. Several other popular websites, such as Bebo, Gmail, and Blogger, are abused in a similar manner.

Here is another example. This time, the CAPTCHA is part of a Gmail account creation:

Koobface, installed on the victim machine, receives a CAPTCHA challenge from Gmail:
The virus then forwards the CAPTCHA to the C&C server:

The process might take several seconds, depending on how fast the person on another infected machine enters the CAPTCHA code.
The malware keeps polling the C&C for the code until it receives it:

Once the code is retrieved, the process continues and the new account is created:

As can be seen in the Fiddler dump above, the malware used the retrieved code from the C&C to successfully create the Gmail account. I can even log into the account using the credential above...

The malware continues working and it is going to create its own blog post using the email it created. It is now going to open a blog on Blogger.com:

Firstly, as can be seen in the Fiddler dump, it accesses:
http://news.google.com/?output=rss
The virus takes the latest news results from Google, which are used to build the blog post.
Following that, it accesses Blogger.com to create the new blog post.
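The two network patterns described above (the repeated polling of the C&C for a CAPTCHA answer, and a Google News RSS fetch followed shortly by a POST to Blogger.com from the same host) are easy to spot in proxy logs. The following detector is an added example written for this post; it is not code from the original article or from the Koobface sample. The log format, the client hosts, the C&C hostname `cc.example.invalid` and the Blogger path are all constructed for the example; the real C&C host was redacted in the post, and the rule only keys on the Blogger hostname, not on a specific path.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed proxy-log lines in a hypothetical "timestamp host method url" format.
# Host 10.0.0.12 reproduces the sequence the post describes; 10.0.0.33 is a
# benign host that merely reads the Google News feed.
SAMPLE_LOG = """\
2009-10-08T10:00:01 10.0.0.12 GET http://cc.example.invalid/captcha.php?id=123
2009-10-08T10:00:04 10.0.0.12 GET http://cc.example.invalid/captcha.php?id=123
2009-10-08T10:00:07 10.0.0.12 GET http://cc.example.invalid/captcha.php?id=123
2009-10-08T10:00:10 10.0.0.12 GET http://cc.example.invalid/captcha.php?id=123
2009-10-08T10:00:13 10.0.0.12 GET http://cc.example.invalid/captcha.php?id=123
2009-10-08T10:00:20 10.0.0.12 GET http://news.google.com/?output=rss
2009-10-08T10:00:25 10.0.0.12 POST http://www.blogger.com/hypothetical-create-path
2009-10-08T10:01:00 10.0.0.33 GET http://news.google.com/?output=rss
2009-10-08T10:05:00 10.0.0.33 GET http://www.example.com/
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(GET|POST)\s+(\S+)$")


def parse_log(text):
    """Parse log lines into (timestamp, client_host, method, url) tuples; skip malformed lines."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, host, method, url = m.groups()
        entries.append((datetime.fromisoformat(ts), host, method, url))
    return entries


def find_polling(entries, min_hits=5, window=timedelta(seconds=30)):
    """Return (host, url) pairs fetched at least min_hits times within one window.

    This is the 'keep asking the C&C for the code until it arrives' pattern.
    """
    by_key = defaultdict(list)
    for ts, host, method, url in entries:
        if method == "GET":
            by_key[(host, url)].append(ts)
    hits = []
    for key, times in by_key.items():
        times.sort()
        # Slide a window of min_hits consecutive requests over the sorted timestamps.
        for i in range(len(times) - min_hits + 1):
            if times[i + min_hits - 1] - times[i] <= window:
                hits.append(key)
                break
    return hits


def find_news_to_blogger(entries, window=timedelta(minutes=2)):
    """Return hosts that fetch the Google News RSS feed and then POST to blogger.com within window."""
    by_host = defaultdict(list)
    for e in entries:
        by_host[e[1]].append(e)
    hits = set()
    for host, evs in by_host.items():
        evs.sort()
        for i, (ts, _, method, url) in enumerate(evs):
            parts = urlsplit(url)
            if method != "GET" or parts.hostname != "news.google.com" or "output=rss" not in parts.query:
                continue
            # Look ahead for a POST to Blogger inside the time window.
            for ts2, _, m2, url2 in evs[i + 1:]:
                if ts2 - ts > window:
                    break
                if m2 == "POST" and (urlsplit(url2).hostname or "").endswith("blogger.com"):
                    hits.add(host)
                    break
    return sorted(hits)


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    print("polling:", find_polling(log))
    print("news-to-blogger:", find_news_to_blogger(log))
```

The polling rule is deliberately generic (any identical GET repeated several times in a short window) so that it does not depend on knowing the C&C hostname in advance; the second rule ties the benign-looking Google News fetch to the Blogger POST that follows it, which is what distinguishes this behaviour from an ordinary RSS reader.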

Shown here is the blog post that the malware created, just like the one we saw at the beginning of this post.
The cybercriminals use a web service to collect some statistics. Below you can see the number of unique users who reached these pages in the last couple of days:

As can be seen in the Referrer statistics above, users reach the malware webpage from many different websites, and each URL uses a different social engineering technique to trick the user.

There is no doubt that the technique works: more than 150,000 users reached the malware webpage in just 2 days!
Posted by Daniel Chechik