2010.11.22 資安新聞簡報報告者:劉旭哲、曾家雄
Spam down, but malware up
報告者:劉旭哲
Nov 17 McAfee Threats Report: Third Quarter 2010 Spam is declined, but malware is increasing.
Spam is still high It continued its overall decline from January,
both globally and nationally. But identity theft, phishing attacks, and
malicious links remain as serious as ever. eg: US
Malware continues to be the biggest threat. This year they have identified more than 14
million unique pieces of malware. Over one million more malware than at the
same time last year. Increase has slowed, but the growth
continues.
A mix of many established standards. Mainly in the form of password-stealing
Trojans, AutoRun malware, and fake AV software.
For example : Zeus, Koobface
Cybercriminals are becoming more smart Attacks are becoming increasingly more
severe Focus on mobile devices and social-
networking sites.
Conclusion
http://news.cnet.com/8301-1009_3-20023067-83.html?tag=mncol;title
http://www.mcafee.com/us/local_content/reports/q32010_threats_report_en.pdf
reference
兆
Delivery Status Notification
Koobface: Inside a Crimeware Network
November 12, 2010 By NART VILLENEUVE
From April to November 2010 the Information Warfare Monitor investigated the operations and monetization strategies of the Koobface botnet
A New Botnet
Koobface maintains a system that uses social networking platforms to send malicious links such as: Bebo, Facebook, Friendster, Fubar, Hi5, MySpace, Netlog, Tagged, Twitter......etc.
Koobface also leverages connections to other malware groups associated with Bredolab, Gumblar, Meredrop, and Piptea
Koobface
The Koobface operators also employ counter-measures against security efforts to counter their operations The “banlist” of Internet protocol
Koobface operators carefully monitor whether any of their URLs have been flagged as malicious one by Facebook, or Google
Koobface
Koobface spreads by using credentials on compromised computers to login to the victim’s account
It sends messages that contain links to malware to friends that are linked to the account
Propagation
Propagation
The malicious link is often concealed using the URL shortening service
It redirects victim to a malicious Web page that encourages the user to run the accompanying executable
These malicious pages purport to be YouTube pages that require a new codec or an Adobe Flash upgrade in order to view the video
Propagation
Propagation
Koobface maintains an infrastructure that integrates command and control capabilities Zombie proxies obscure the location of C&C
Infrastructure
Koobface’s main command and control server is hosted on 85.13.206.115 (Coreix, GB)
It maintains a database that contains information on the infrastructure of the Koobface botnet The compromised hosts that have been
turned into relays And used by the operators to proxy requests
Command and Control
Koobface maintains a number of fraudulent accounts with third party services
Koobface also appears to use compromised computers to host landing pages
Command and Control
The Koobface malware has a modular structure that allows the botnet operators to install additional components on compromised computers based on specific criteria
The compromised computer connects to one of Koobface’s relay Web servers, which act as proxies of C&C
Command and Control
The malware on the compromised host requests URLs that contain parameters fbgen ldgen ppgen CAPTCHA
Command and Control
This file determines the contents of the message and the Koobface URL to send to the Facebook friends associated with Facebook accounts found on the compromised computer
fbgen
This file determines what further binaries the compromised host will download from the command and control server
IP address in a range
ldgen
These URLs point to rogue security software affiliates on Google searches for keywords such as Antivirus best+spyware+remover adware+spyware+removal
It triggers the search hijacker when the user clicks on any of the links returned by Google
ppgen
Koobface uses random samplings of real Facebook profile information stolen from compromised accounts to create fictitious accounts
The popup window suggests that the computer will shutdown if the CAPTCHA is not solved
CAPTCHA
CAPTCHA
The operators of the Koobface botnet have a system in place to monitor the operations of the botnet and to ensure that the system continues to maintain the infrastructure that is required to operate it
Monitoring & Countermeasures
Monitoring & Countermeasures
Koobface carefully monitors its links through the Google Safe Browsing API and checks if any of their URLs have been flagged as malicious by bit.ly or Facebook
Monitoring & Countermeasures
Monitoring & Countermeasures
Koobface keeps count of successful installations and traffic generated by the botnet
Monitoring Installations
Monitoring Installations
When an Internet user visits a Koobface landing page and installs the malware, the malware connects through a relay server to C&C and sends the Compromised user’s IP address Geographic location Unique identifier Koobface user identifier Malware identifier
This allows Koobface to keep track of malware installations
Monitoring Installations
http://krebsonsecurity.com/2010/11/pursuing-koobface-and-partnerka/
http://www.infowar-monitor.net/reports/iwm-koobface.pdf
Reference