Koobface Worm Still Spreading Using Social Engineering Attack Vectors

May 04, 2011 - 3 min read

Contents

Article
More blogs

The Koobface worm is not new to Internet users, but remains very active and continues spreading through different mediums using a variety of techniques. Last year, we have blogged about Koobface worm activity. We are still seeing this worm spreading via social engineering attacks. Attackers are creating fake malicious websites, which look like legitimate sites such as YouTube. Then, they lure the victim by posting fake content such as videos which actually lead to the downloading of malicious binary files. Look at the one of the site used to spread this worm using video content:

If you look at the image above, you will see the site is designed like a YouTube. The website shows a fake warning for adult material. The video displays a message saying “it requires Adobe Flash Player 10.37” and then forces a malicious file to download. In fact the latest version of genuine Adobe Flash Player is 10.2 but this video says 10.37 which is not a valid version. Once this file gets executed, it communicates with different servers. Here is the list,

http://www.powertreecorp.com/.tqe1/?action=fbgen&v=120&crc=669
http://www.bruleursdeloups.com/.gd1nlpq/?action=fbgen&v=120&crc=669
http://www.waypoint-center.org/.vye770/?action=fbgen&v=120&crc=669
http://sphusa.com/.wiqp6j2/?action=fbgen&v=120&crc=669
http://reishus.de/.zfg35n/?action=fbgen&v=120&crc=669
http://leonardandself.com/.uozs/?action=fbgen&v=120&crc=669
http://iq-tech.biz/.8cww/?action=fbgen&v=120&crc=669
http://careyadkinsdesign.com/.uzb62/?action=fbgen&v=120&crc=669
http://top-friends.co.za/.zsm4/?action=fbgen&v=120&crc=669
http://i-dare-you.co.za/.d38o8/?action=fbgen&v=120&crc=669
http://fatucci.it/.hkly/?action=fbgen&v=120&crc=669
http://www.flohr.tuknet.dk/.fav3bas/?action=fbgen&v=120&crc=669
http://www.mx2.jellingnet.dk/.n9u39y5/?action=fbgen&v=120&crc=669
http://www.neweed.org/.f8sh/?action=fbgen&v=120&crc=669
http://hillsdemocrat.com/.uit970q/?action=fbgen&v=120&crc=669
http://rentsatoday.com/.flyx4m/?action=fbgen&v=120&crc=669
http://www.aicis.it/.zm1jpub/?action=fbgen&v=120&crc=669
http://plymouth-tuc.org.uk/.eix02/?action=fbgen&v=120&crc=669
http://lode-willems.be/.xokpra/?action=fbgen&v=120&crc=669
http://www.cerclewalloncouillet.be/.s6ta/?action=fbgen&v=120&crc=669
http://www.ilfrutteto.net/.8tsple/?action=fbgen&v=120&crc=669

Zscaler, already has protection in place for these Koobface C&C servers. You can find the ThreatExpert report for this particular attack here. Never trust any site which will force you to download an executable file.

Umesh

Thank you for reading

Was this post useful?

Yes, very!

Not really

Disclaimer: This blog post has been created by Zscaler for informational purposes only and is provided "as is" without any guarantees of accuracy, completeness or reliability. Zscaler assumes no responsibility for any errors or omissions or for any actions taken based on the information provided. Any third-party websites or resources linked in this blog post are provided for convenience only, and Zscaler is not responsible for their content or practices. All content is subject to change without notice. By accessing this blog, you agree to these terms and acknowledge your sole responsibility to verify and use the information as appropriate for your needs.