Weekends are busy days on social networking sites, and the Koobface worm appears to take advantage of this. The basic infection scenario is described below.
![Koobface infection scenario (diagram)]()
The worm spreads through social engineering. A user visits an infected friend’s profile and clicks on a link to a video. The page appears to start playing the video but then shows an error message such as “your Flash Player is out of date” and prompts the user to download an update. The unsuspecting user clicks the download link, believing it to be a genuine Flash Player update, and ends up installing the worm. We saw an increase in unique C&C servers over the last few days and a sudden spike on Sunday. Here is a chart of the number of unique C&C domains used per day over the last week:
![Unique Koobface C&C domains per day over the last week (chart)]()
Here is the list of unique C&C server URLs seen on March 14th (defanged as hxxp):
hxxp://74.217.128.97/.sys/?action=fbgen&v=103&crc=669
hxxp://85.13.206.114/.sys/?action=fbgen&v=103&crc=669
hxxp://207.217.125.50/.sys/?action=fbgen&v=103&crc=669
hxxp://75.125.232.130/.sys/?action=fbgen&v=103&crc=669
hxxp://70.35.30.26/.sys/?action=fbgen&v=103&crc=669
hxxp://67.139.134.203/.sys/?action=fbgen&v=103&crc=669
hxxp://82.165.204.43/.sys/?action=fbgen&v=103&crc=669
hxxp://87.106.152.181/.sys/?action=fbgen&v=103&crc=669
hxxp://66.96.146.81/.sys/?action=fbgen&v=103&crc=669
hxxp://89.188.141.15/.sys/?action=fbgen&v=103&crc=669
hxxp://208.93.192.2/.sys/?action=fbgen&v=103&crc=669
hxxp://74.63.154.248/.sys/?action=fbgen&v=103&crc=669
hxxp://207.150.212.12/.sys/?action=fbgen&v=103&crc=669
hxxp://193.93.174.152/.sys/?action=fbgen&v=103&crc=669
hxxp://212.36.74.250/.sys/?action=fbgen&v=103&crc=669
hxxp://91.186.25.40/.sys/?action=fbgen&v=103&crc=669
hxxp://85.17.169.7/.sys/?action=fbgen&v=103&crc=669
hxxp://212.227.33.27/.sys/?action=fbgen&v=103&crc=669
hxxp://212.79.87.27/.sys/?action=fbgen&v=103&crc=669
hxxp://203.206.137.137/.sys/?action=fbgen&v=103&crc=669
hxxp://72.52.191.187/.sys/?action=fbgen&v=103&crc=669
hxxp://206.51.236.165/.sys/?action=fbgen&v=103&crc=669
hxxp://209.59.147.182/.sys/?action=fbgen&v=103&crc=669
hxxp://193.227.103.20/.sys/?action=fbgen&v=103&crc=669
hxxp://193.93.174.173/.sys/?action=fbgen&v=103&crc=669
hxxp://207.150.212.23/.sys/?action=fbgen&v=103&crc=669
hxxp://195.225.168.238/.sys/?action=fbgen&v=103&crc=669
hxxp://88.208.252.192/.sys/?action=fbgen&v=103&crc=669
hxxp://72.9.250.162/.sys/?action=fbgen&v=103&crc=669
hxxp://200.62.54.122/.sys/?action=fbgen&v=103&crc=669
hxxp://203.116.95.196/.sys/?action=fbgen&v=103&crc=669
hxxp://204.246.156.62/.sys/?action=fbgen&v=103&crc=669
hxxp://193.227.103.44/.sys/?action=fbgen&v=103&crc=669
hxxp://216.177.193.194/.sys/?action=fbgen&v=103&crc=669
hxxp://81.223.238.227/.sys/?action=fbgen&v=103&crc=669
hxxp://80.74.152.80/.sys/?action=fbgen&v=103&crc=669
hxxp://66.252.239.235/.sys/?action=fbgen&v=103&crc=669
hxxp://77.95.248.53/.sys/?action=fbgen&v=103&crc=669
hxxp://72.167.131.16/.sys/?action=fbgen&v=103&crc=669
hxxp://77.73.98.102/.sys/?action=fbgen&v=103&crc=669
hxxp://70.35.16.246/.sys/?action=fbgen&v=103&crc=669
hxxp://213.165.76.42/.sys/?action=fbgen&v=103&crc=669
hxxp://82.165.216.103/.sys/?action=fbgen&v=103&crc=669
hxxp://65.39.133.25/.sys/?action=fbgen&v=103&crc=669
hxxp://210.193.49.224/.sys/?action=fbgen&v=103&crc=669
hxxp://68.178.254.134/.sys/?action=fbgen&v=103&crc=669
hxxp://82.165.78.116/.sys/?action=fbgen&v=103&crc=669
hxxp://64.71.33.197/.sys/?action=fbgen&v=103&crc=669
hxxp://64.71.33.74/.sys/?action=fbgen&v=103&crc=669
hxxp://8.21.33.134/.sys/?action=fbgen&v=103&crc=669
hxxp://72.167.131.153/.sys/?action=fbgen&v=103&crc=669
hxxp://67.205.36.101/.sys/?action=fbgen&v=103&crc=669
hxxp://203.146.170.138/.sys/?action=fbgen&v=103&crc=669
hxxp://80.179.155.151/.sys/?action=fbgen&v=103&crc=669
hxxp://91.121.112.18/.sys/?action=fbgen&v=103&crc=669
hxxp://63.135.106.240/.sys/?action=fbgen&v=103&crc=669
hxxp://67.227.177.47/.sys/?action=fbgen&v=103&crc=669
hxxp://209.200.55.156/.sys/?action=fbgen&v=103&crc=669
hxxp://122.201.81.28/.sys/?action=fbgen&v=103&crc=669
hxxp://72.9.224.210/.sys/?action=fbgen&v=103&crc=669
hxxp://96.30.24.92/.sys/?action=fbgen&v=103&crc=669
hxxp://63.247.72.82/.sys/?action=fbgen&v=103&crc=669
hxxp://203.174.82.20/.sys/?action=fbgen&v=103&crc=669
hxxp://64.71.33.35/.sys/?action=fbgen&v=103&crc=669
hxxp://212.78.89.54/.sys/?action=fbgen&v=103&crc=669
hxxp://72.167.183.94/.sys/?action=fbgen&v=103&crc=669
hxxp://80.196.52.177/.sys/?action=fbgen&v=103&crc=669
hxxp://65.36.242.101/.sys/?action=fbgen&v=103&crc=669
hxxp://64.118.82.32/.sys/?action=fbgen&v=103&crc=669
hxxp://82.165.218.132/.sys/?action=fbgen&v=103&crc=669
hxxp://209.114.220.8/.sys/?action=fbgen&v=103&crc=669
hxxp://205.234.132.8/.sys/?action=fbgen&v=103&crc=669
hxxp://66.63.192.22/.sys/?action=fbgen&v=103&crc=669
hxxp://88.85.75.140/.sys/?action=fbgen&v=103&crc=669
hxxp://69.10.155.198/.sys/?action=fbgen&v=103&crc=669
hxxp://208.109.181.217/.sys/?action=fbgen&v=103&crc=669
hxxp://81.201.129.126/.sys/?action=fbgen&v=103&crc=669
hxxp://87.118.73.178/.sys/?action=fbgen&v=103&crc=669
hxxp://91.121.216.40/.sys/?action=fbgen&v=103&crc=669
hxxp://85.158.181.27/.sys/?action=fbgen&v=103&crc=669
hxxp://67.141.47.21/.sys/?action=fbgen&v=103&crc=669
hxxp://194.185.27.130/.sys/?action=fbgen&v=103&crc=669
hxxp://89.106.12.55/.sys/?action=fbgen&v=103&crc=669
hxxp://83.101.16.60/.sys/?action=fbgen&v=103&crc=669
hxxp://65.89.55.2/.sys/?action=fbgen&v=103&crc=669
hxxp://89.255.9.102/.sys/?action=fbgen&v=103&crc=669
hxxp://208.109.138.156/.sys/?action=fbgen&v=103&crc=669
hxxp://66.96.146.82/.sys/?action=fbgen&v=103&crc=669
hxxp://213.171.219.195/.sys/?action=fbgen&v=103&crc=669
hxxp://216.180.225.10/.sys/?action=fbgen&v=103&crc=669
hxxp://208.87.242.66/.sys/?action=fbgen&v=103&crc=669
hxxp://213.189.197.30/.sys/?action=fbgen&v=103&crc=669
hxxp://66.223.111.166/.sys/?action=fbgen&v=103&crc=669
hxxp://212.12.112.25/.sys/?action=fbgen&v=103&crc=669
hxxp://82.165.207.69/.sys/?action=fbgen&v=103&crc=669
hxxp://72.167.131.131/.sys/?action=fbgen&v=103&crc=669
hxxp://208.82.11.2/.sys/?action=fbgen&v=103&crc=669
hxxp://94.75.226.133/.sys/?action=fbgen&v=103&crc=669
hxxp://77.72.71.43/.sys/?action=fbgen&v=103&crc=669
hxxp://87.118.67.21/.sys/?action=fbgen&v=103&crc=669
hxxp://207.150.212.89/.sys/?action=fbgen&v=103&crc=669
hxxp://85.159.63.145/.sys/?action=fbgen&v=103&crc=669
hxxp://67.192.124.34/.sys/?action=fbgen&v=103&crc=669
hxxp://195.225.236.90/.sys/?action=fbgen&v=103&crc=669
hxxp://94.102.219.71/.sys/?action=fbgen&v=103&crc=669
hxxp://78.46.7.50/.sys/?action=fbgen&v=103&crc=669
hxxp://67.227.223.120/.sys/?action=fbgen&v=103&crc=669
hxxp://203.98.91.195/.sys/?action=fbgen&v=103&crc=669
hxxp://194.192.14.146/.sys/?action=fbgen&v=103&crc=669
hxxp://174.37.216.1/.sys/?action=fbgen&v=103&crc=669
hxxp://208.109.181.59/.sys/?action=fbgen&v=103&crc=669
hxxp://72.34.43.82/.sys/?action=fbgen&v=103&crc=669
hxxp://209.114.200.64/.sys/?action=fbgen&v=103&crc=669
hxxp://72.47.212.35/.sys/?action=fbgen&v=103&crc=669
hxxp://209.132.201.41/.sys/?action=fbgen&v=103&crc=669
hxxp://74.86.229.248/.sys/?action=fbgen&v=103&crc=669
hxxp://66.7.206.75/.sys/?action=fbgen&v=103&crc=669
hxxp://174.137.158.10/.sys/?action=fbgen&v=103&crc=669
hxxp://188.240.47.29/.sys/?action=fbgen&v=103&crc=669
hxxp://75.125.238.194/.sys/?action=fbgen&v=103&crc=669
hxxp://12.68.140.207/.sys/?action=fbgen&v=103&crc=669
hxxp://209.114.220.5/.sys/?action=ppgen&a=877186281&v=103&pid=1000
These 122 unique IPs are spread across a number of countries; the chart below shows the top 10.
![Top 10 breakdown of the 122 unique C&C IPs (chart)]()
Here are some of the file names used for the malicious binaries:
v2captcha21.exe
v2bloggerjs.exe
fb.84.exe
fbcheck.exe
go.exe
v2prx.exe
fb.82.exe
pp.14.exe
v2webserver.exe
hosts2.exe
be.20.exe
tg.16.exe
ms.26.exe
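As an added example (this is not code from the original post), the following Python script applies the two kinds of indicators listed above to a proxy log: the C&C check-in URL pattern (`/.sys/?action=fbgen|ppgen&v=...`) and the dropped-binary file names. It counts unique C&C hosts per day the way the chart above does, records which clients beaconed, and only flags generic file names such as `go.exe` when the serving host or the downloading client already has C&C context, to limit false positives. The log format, the client addresses and the example.com/example.net hosts are assumptions; the C&C addresses and file names are taken from the lists above.

```python
"""Flag Koobface C&C check-ins and dropped-binary downloads in a proxy log.

Added example, not from the original post. The C&C beacon pattern and the
binary names come from the indicators listed above; the log format and all
log lines below are constructed for illustration.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample proxy log (assumed format): "<date> <client_ip> <method> <url> <status>"
SAMPLE_LOG = """\
2009-03-13 10.0.0.5 GET http://74.217.128.97/.sys/?action=fbgen&v=103&crc=669 200
2009-03-13 10.0.0.5 GET http://www.example.com/index.html 200
2009-03-14 10.0.0.7 GET http://85.13.206.114/.sys/?action=fbgen&v=103&crc=669 200
2009-03-14 10.0.0.7 GET http://74.217.128.97/.sys/?action=fbgen&v=103&crc=669 200
2009-03-14 10.0.0.9 GET http://209.114.220.5/.sys/?action=ppgen&a=877186281&v=103&pid=1000 200
2009-03-14 10.0.0.9 GET http://209.114.220.5/v2captcha21.exe 200
2009-03-15 10.0.0.7 GET http://207.217.125.50/.sys/?action=fbgen&v=103&crc=669 200
2009-03-15 10.0.0.7 GET http://207.217.125.50/fb.84.exe 200
2009-03-15 10.0.0.11 GET http://cdn.example.net/fb.84.exe 200
2009-03-15 10.0.0.11 GET http://cdn.example.net/go.exe 200
"""

# The two "action" values observed in the listed C&C URLs.
CNC_ACTIONS = {"fbgen", "ppgen"}

# Name patterns generalised from the listed binaries:
#   v2captcha21.exe, v2prx.exe, ...  -> v2<word>.exe
#   fb.84.exe, pp.14.exe, ms.26.exe  -> <two letters>.<number>.exe
STRONG_BINARY_RE = re.compile(r"^(?:v2[a-z0-9]+|[a-z]{2}\.\d+)\.exe$", re.IGNORECASE)
# Generic names from the list; flagged only with corroborating C&C context.
WEAK_BINARY_NAMES = {"go.exe", "hosts2.exe", "fbcheck.exe"}

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def parse_line(line):
    """Return (date, client, method, url, status) or None for unparseable lines."""
    m = LOG_RE.match(line.strip())
    return m.groups() if m else None


def classify_url(url):
    """Classify a URL as ('cnc', params), ('strong_binary', name),
    ('weak_binary', name) or None."""
    parts = urlsplit(url)
    if parts.path == "/.sys/":
        params = {k: v[0] for k, v in parse_qs(parts.query).items()}
        if params.get("action") in CNC_ACTIONS:
            return "cnc", params
        return None
    name = parts.path.rsplit("/", 1)[-1]
    if STRONG_BINARY_RE.match(name):
        return "strong_binary", name
    if name.lower() in WEAK_BINARY_NAMES:
        return "weak_binary", name
    return None


def analyze(log_text):
    """Build per-day unique C&C counts, beaconing clients and binary download hits."""
    cnc_per_day = defaultdict(set)
    cnc_hosts, beaconing_clients, versions = set(), set(), set()
    strong_hits, weak_candidates = [], []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        date, client, _method, url, _status = rec
        host = urlsplit(url).hostname
        result = classify_url(url)
        if not result:
            continue
        kind, detail = result
        if kind == "cnc":
            cnc_per_day[date].add(host)
            cnc_hosts.add(host)
            beaconing_clients.add(client)
            versions.add(detail.get("v"))
        elif kind == "strong_binary":
            strong_hits.append((date, client, host, detail))
        else:
            weak_candidates.append((date, client, host, detail))
    # Generic names count only if the host is a known C&C or the client already beaconed.
    weak_hits = [h for h in weak_candidates if h[2] in cnc_hosts or h[1] in beaconing_clients]
    return {
        "unique_cnc_per_day": {d: len(s) for d, s in sorted(cnc_per_day.items())},
        "cnc_hosts": sorted(cnc_hosts),
        "beaconing_clients": sorted(beaconing_clients),
        "versions": sorted(v for v in versions if v),
        "binary_hits": strong_hits + weak_hits,
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The `v` parameter (103 in every listed URL) is worth tracking separately: a change in it across the fleet is an early sign of a new variant rolling out before the C&C addresses themselves rotate.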
Attackers keep creating new variants of the Koobface worm to infect the large number of users of social networking sites. They are not only rotating the domains used for their C&C servers, but are also taking advantage of higher social networking usage over weekends. We have seen increases in social networking usage and in social networking attacks over the last few years. The Koobface worm has shown that once a user is infected, their social networking account can easily be used to spread malware further. Zscaler’s solution prevented many types of such attacks, and this again shows the importance of multiple defense mechanisms such as URL filtering/categorization, IDS/IPS and antivirus.
Keep an eye on Koobface on weekends.
Umesh