Christmas themed Koobface breaks CAPTCHAs
A new variant of the Koobface worm has been found in the wild. This time the fake video lure poses as a message from Santa.
Koobface is a worm that spreads through fake messages from "friends" that encourage users to click a malicious link; the resulting infection steals user ID and password information and uses the compromised account to spread the worm further. Koobface changes constantly to avoid detection (it is highly polymorphic), with over 20,000 variations to date. We have covered it in a previous SonicAlert.
It searches Internet Explorer's cookie cache for cookies belonging to the social networking websites it targets.
There are major enhancements in this new variant of Koobface:
- It is able to break CAPTCHAs in order to register new Google Blogger accounts and send Facebook messages. The worm does not solve the CAPTCHA itself; it tricks the infected user into solving it. The CAPTCHA trick appears as a fake Windows warning that the system will be shut down unless the user enters the CAPTCHA code displayed. If the shutdown timer hits zero, the system is locked until the code is entered. Once entered, the code is sent to a server, where it is later used for account creation.
- It has three stages of redirection: links in Facebook messages go to bit.ly or Blogspot URLs, which in turn forward to hijacked pages containing JavaScript, which finally forward to the Koobface webserver pages (the fake-video social engineering). Because each hop sits on a different domain, blocking only the final Koobface domain does not stop the lure from reaching users.
- In the spam subjects and messages, it doubles random letters to evade signature detection while preserving readability, as in this spam template taken from the sample:
    #BLACKLABEL
    FBTARGETPERPOST|20
    TEXT_S|You mmust see thiss videoo now!! It''s the bbest one!! http://mopxopviexxx.com/983/
    MD5|1822ec77fe9039ac2091299df8582c0f
    TEXT_S|You mmust see thiss vvideo noow! It''s the besst oone! http://tamara.ziegxxx.com/602/
    MD5|7554b2b9e71763bc3ea9fb4cfad03594
- It registers new Google Blogger accounts and creates blog posts using top news headlines from Google News. It also creates new Google Reader pages to spread itself.
- The infected machine does not contact the command-and-control (C&C) server directly. Instead it sends its requests through other infected nodes acting as redirectors/proxies, which forward them to the real C&C server, so the real C&C address is never exposed to any single infected client.
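The doubled-letter trick above defeats a byte-exact signature but not a normalised one. The following is an added example, not SonicWALL's or Koobface's code: it parses the spam template shown above into its key|value records and canonicalises each message by dropping the per-victim URL and collapsing every run of a repeated character, so that all variants of one lure compare equal to a single canonical signature. The pairing of each TEXT_S line with the MD5 line that follows it is an assumption about the template layout; the alert does not say what the MD5 covers, so the code only carries it along as data.

```python
"""Added example: normalise Koobface-style doubled-letter spam before signature matching."""
import re
from dataclasses import dataclass, field

# Constructed sample: the two TEXT_S lines quoted in the alert, one field per line.
# Pairing TEXT_S with the following MD5 line is an assumption about the layout.
SAMPLE_TEMPLATE = """#BLACKLABEL
FBTARGETPERPOST|20
TEXT_S|You mmust see thiss videoo now!! It''s the bbest one!! http://mopxopviexxx.com/983/
MD5|1822ec77fe9039ac2091299df8582c0f
TEXT_S|You mmust see thiss vvideo noow! It''s the besst oone! http://tamara.ziegxxx.com/602/
MD5|7554b2b9e71763bc3ea9fb4cfad03594
"""

# Hypothetical canonical lure text the doubled variants are derived from.
SIGNATURE = "You must see this video now! It's the best one!"


@dataclass
class SpamTemplate:
    label: str = ""
    settings: dict = field(default_factory=dict)   # e.g. FBTARGETPERPOST -> "20"
    messages: list = field(default_factory=list)   # (text, md5) pairs


def parse_template(raw: str) -> SpamTemplate:
    """Parse '#LABEL' header and 'KEY|value' lines into a SpamTemplate."""
    tpl = SpamTemplate()
    pending_text = None
    for line in raw.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):
            tpl.label = line[1:]
            continue
        key, _, value = line.partition("|")
        if key == "TEXT_S":
            pending_text = value
        elif key == "MD5":
            # Assumed layout: an MD5 line belongs to the TEXT_S line before it.
            tpl.messages.append((pending_text, value.lower()))
            pending_text = None
        else:
            tpl.settings[key] = value
    return tpl


URL_RE = re.compile(r"https?://\S+")
REPEAT_RE = re.compile(r"(.)\1+")   # any character repeated two or more times


def canonicalise(text: str) -> str:
    """Drop the per-victim URL and collapse each run of a repeated character to one.

    Legitimate doubles collapse too ("see" -> "se"); that is harmless because the
    signature is canonicalised with the same function, so both sides stay consistent.
    """
    text = URL_RE.sub("", text)
    text = REPEAT_RE.sub(r"\1", text)
    return " ".join(text.split())


def matches_signature(text: str, signature: str = SIGNATURE) -> bool:
    """True when the message and the signature share a canonical form."""
    return canonicalise(text) == canonicalise(signature)


def extract_urls(tpl: SpamTemplate) -> list:
    """Pull the lure URLs out of every message, in template order, for blocklisting."""
    urls = []
    for text, _md5 in tpl.messages:
        urls.extend(URL_RE.findall(text))
    return urls


if __name__ == "__main__":
    tpl = parse_template(SAMPLE_TEMPLATE)
    print(f"{tpl.label}: {len(tpl.messages)} messages, {tpl.settings}")
    for text, md5 in tpl.messages:
        print(f"{matches_signature(text)!s:5}  {md5}  {canonicalise(text)}")
    print("URLs:", extract_urls(tpl))
```

The collapsing regex treats punctuation the same as letters, which is deliberate: the sample also doubles "!!" and "''". The cost is that a canonical signature is slightly less specific than a byte-exact one, so it should be paired with the URL pattern or another indicator rather than used alone.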
SonicWALL Gateway AntiVirus provides protection against this malware via signatures in the following table.
The Koobface worm consists of these modules:
Filename          | Description                          | SonicWALL GAV signature
------------------+--------------------------------------+-----------------------------
v2webserver.exe   | Koobface webserver                   | GAV: Koobface.CSI (Trojan)
v2captcha.exe     | CAPTCHA breaker                      | GAV: Koobface.DR (Worm)
v2googlecheck.exe | checks Facebook for blocked URLs     | GAV: Small.ANLX (Trojan)
v2prx.exe         | Proxy and DNS blocker                | GAV: Koobface.gen_2 (Trojan)
v2newblogger.exe  | Makes Blogspot accounts              | GAV: Vilsel.MBS (Trojan)
v2reader.exe      | Makes Google Reader pages            | GAV: Koobface.NCI_2 (Worm)
ff2ie.exe         | Cookie converter                     | GAV: Koobface.BSE (Worm)
ld15.exe          | Koobface loader                      | GAV: Koobface.ATJ (Worm)
fb75.exe          | Facebook propagation                 | GAV: Koobface.CMN (Trojan)
pp.12.exe         | Popup ads and FAKEAV installer       | GAV: Koobface.CSK (Worm)