By: ThreatLabz

Koobface Worm Hits On Weekend – Increase In New C&C Servers


On Sunday, March 14th, 2010, Zscaler detected a large number of Koobface worm transactions on the Internet. Koobface is a computer worm that was first found in December 2008 and is still spreading heavily. It targets popular social networking sites such as Facebook, MySpace and Twitter. Once a machine is infected, the worm downloads additional malware onto it and spreads by sending messages to the infected user's friend list. We have seen a lot of Koobface activity in the past, in which large numbers of new domains were used to download malicious binaries. Yesterday, we saw an increase in Koobface worm network traffic, reaching 122 unique C&C servers.
 
Weekends are busy social networking days for users, and the Koobface worm presumably took advantage of this. The simple scenario is described below.
The worm spreads via a social engineering attack. The user visits an infected friend's profile and clicks on a link. The link appears to show a video, but instead displays an error message such as "your flash player is out of date" and tells the user to download a new update. The innocent user clicks on the download link, thinking it is a real Flash Player update, and ends up with the worm on their system. We saw an increase in unique C&C servers over the last few days and a sudden jump on Sunday. Here is the chart showing the number of unique domains used per day over the last week:

Here is the list of unique C&C servers used on March 14th:

 
These unique IPs are located in different countries. Here is the top 10 among the 122 unique IPs:
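The check-in URLs above all share the "/.sys/" path and an "action" query parameter (fbgen, and in one case ppgen) with a "v" version field, which is enough to pick Koobface beacons out of web proxy logs and reproduce the per-day unique C&C count the post charts. The following is an added example written for this post, not Zscaler's own code; the log format and the addresses in it are constructed for illustration, and real Koobface traffic can of course use other parameters.

```python
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Koobface C&C check-ins seen in the post share this path and one of
# these "action" values; the "v" parameter carries the bot version.
CNC_PATH = "/.sys/"
CNC_ACTIONS = {"fbgen", "ppgen"}

# Constructed proxy log lines (not real traffic): "<date> <client> <url>".
SAMPLE_LOG = """\
2010-03-13 10.0.0.5 http://192.0.2.10/.sys/?action=fbgen&v=103&crc=669
2010-03-13 10.0.0.9 http://www.example.com/index.html
2010-03-14 10.0.0.5 http://192.0.2.10/.sys/?action=fbgen&v=103&crc=669
2010-03-14 10.0.0.7 http://192.0.2.11/.sys/?action=fbgen&v=103&crc=669
2010-03-14 10.0.0.7 http://198.51.100.3/.sys/?action=ppgen&a=1&v=103&pid=1000
2010-03-14 10.0.0.8 http://www.example.com/.sys/?action=login&v=1
"""

def is_koobface_beacon(url):
    """Return (host, action, version) when the URL matches the Koobface
    check-in pattern, otherwise None."""
    parts = urlsplit(url)
    if parts.path != CNC_PATH:
        return None
    qs = parse_qs(parts.query)
    action = qs.get("action", [None])[0]
    if action not in CNC_ACTIONS:
        return None
    return parts.hostname, action, qs.get("v", [None])[0]

def _beacons(log_text):
    """Yield (day, client, host) for every matching log line; malformed
    lines are skipped rather than aborting the scan."""
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue
        day, client, url = fields
        hit = is_koobface_beacon(url)
        if hit:
            yield day, client, hit[0]

def unique_cnc_per_day(log_text):
    """Unique C&C hosts contacted per day, mirroring the post's chart."""
    seen = defaultdict(set)
    for day, _client, host in _beacons(log_text):
        seen[day].add(host)
    return {day: len(hosts) for day, hosts in seen.items()}

def infected_clients(log_text):
    """Internal clients that beaconed at least once: the hosts to clean."""
    return {client for _day, client, _host in _beacons(log_text)}
```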

Here are some of the malicious binary file names used:
v2captcha21.exe
v2bloggerjs.exe
fb.84.exe
fbcheck.exe
go.exe
v2prx.exe
fb.82.exe
pp.14.exe
v2webserver.exe
hosts2.exe
be.20.exe
tg.16.exe
ms.26.exe
 
Attackers are creating new variants of the Koobface worm to infect the large number of users of social networking sites. They are not only using new domains for their C&C servers, but are also taking advantage of higher social networking usage over weekends. We have seen increases in both social networking usage and social networking attacks over the last few years. The Koobface worm has shown that once a user is infected, their social networking account can easily be used to spread malware. Zscaler's solution prevented many such attacks, and this again shows the importance of multiple defense mechanisms such as URL filtering/categorization, IDS/IPS and antivirus.

Keep an eye on Koobface on weekends.

Umesh