Koobface Worm Still Spreading Using Social Engineering Attack Vectors

May 04, 2011 - 3 Min. de leitura

Conteúdo

Article
Mais blogs

The Koobface worm is not new to Internet users, but remains very active and continues spreading through different mediums using a variety of techniques. Last year, we have blogged about Koobface worm activity. We are still seeing this worm spreading via social engineering attacks. Attackers are creating fake malicious websites, which look like legitimate sites such as YouTube. Then, they lure the victim by posting fake content such as videos which actually lead to the downloading of malicious binary files. Look at the one of the site used to spread this worm using video content:

If you look at the image above, you will see the site is designed like a YouTube. The website shows a fake warning for adult material. The video displays a message saying “it requires Adobe Flash Player 10.37” and then forces a malicious file to download. In fact the latest version of genuine Adobe Flash Player is 10.2 but this video says 10.37 which is not a valid version. Once this file gets executed, it communicates with different servers. Here is the list,

http://www.powertreecorp.com/.tqe1/?action=fbgen&v=120&crc=669
http://www.bruleursdeloups.com/.gd1nlpq/?action=fbgen&v=120&crc=669
http://www.waypoint-center.org/.vye770/?action=fbgen&v=120&crc=669
http://sphusa.com/.wiqp6j2/?action=fbgen&v=120&crc=669
http://reishus.de/.zfg35n/?action=fbgen&v=120&crc=669
http://leonardandself.com/.uozs/?action=fbgen&v=120&crc=669
http://iq-tech.biz/.8cww/?action=fbgen&v=120&crc=669
http://careyadkinsdesign.com/.uzb62/?action=fbgen&v=120&crc=669
http://top-friends.co.za/.zsm4/?action=fbgen&v=120&crc=669
http://i-dare-you.co.za/.d38o8/?action=fbgen&v=120&crc=669
http://fatucci.it/.hkly/?action=fbgen&v=120&crc=669
http://www.flohr.tuknet.dk/.fav3bas/?action=fbgen&v=120&crc=669
http://www.mx2.jellingnet.dk/.n9u39y5/?action=fbgen&v=120&crc=669
http://www.neweed.org/.f8sh/?action=fbgen&v=120&crc=669
http://hillsdemocrat.com/.uit970q/?action=fbgen&v=120&crc=669
http://rentsatoday.com/.flyx4m/?action=fbgen&v=120&crc=669
http://www.aicis.it/.zm1jpub/?action=fbgen&v=120&crc=669
http://plymouth-tuc.org.uk/.eix02/?action=fbgen&v=120&crc=669
http://lode-willems.be/.xokpra/?action=fbgen&v=120&crc=669
http://www.cerclewalloncouillet.be/.s6ta/?action=fbgen&v=120&crc=669
http://www.ilfrutteto.net/.8tsple/?action=fbgen&v=120&crc=669

Zscaler, already has protection in place for these Koobface C&C servers. You can find the ThreatExpert report for this particular attack here. Never trust any site which will force you to download an executable file.

Umesh

Obrigado por ler

Esta postagem foi útil?？

Sim, muito útil!

Na verdade, não

Aviso legal: este post no blog foi criado pela Zscaler apenas para fins informativos e é fornecido "no estado em que se encontra", sem quaisquer garantias de exatidão, integridade ou confiabilidade. A Zscaler não se responsabiliza por quaisquer erros, omissões ou por quaisquer ações tomadas com base nas informações fornecidas. Quaisquer sites ou recursos de terceiros vinculados neste post são fornecidos apenas para sua conveniência, e a Zscaler não se responsabiliza por seu conteúdo ou práticas. Todo o conteúdo está sujeito a alterações sem aviso prévio. Ao acessar este blog, você concorda com estes termos e reconhece que é de sua exclusiva responsabilidade verificar e utilizar as informações conforme apropriado para suas necessidades.