Free Republic

Koobface - Come Out, Come Out, Wherever You Are
DANCHO DANCHEV - blog ^ | Wednesday, July 22, 2009 | Posted by Dancho Danchev

Posted on 07/23/2009 1:07:44 PM PDT by Cindy

SNIPPET: "UPDATE: The Koobface gang is upgrading the command and control infrastructure in response to the positive ROI out of the takedown activities."

SNIPPET: "Related posts:
Dissecting Koobface Worm's Twitter Campaign
Dissecting the Koobface Worm's December Campaign
Dissecting the Latest Koobface Facebook Campaign
The Koobface Gang Mixing Social Engineering Vectors"

(Excerpt) Read more at ddanchev.blogspot.com ...


TOPICS: Computers/Internet; Reference
KEYWORDS: computers; docstoc; facebook; internet; internetworm; koobface; malware; moldova; scareware; scribd; socialmedia; socialnetworking; socialnetworks; twitter; worm

1 posted on 07/23/2009 1:07:44 PM PDT by Cindy
[ Post Reply | Private Reply | View Replies]

To: All; Jet Jaguar; Oorang

http://blog.trendmicro.com/new-koobface-upgrade-makes-it-takedown-proof/

Jul 22
“New KOOBFACE Upgrade Makes It Takedown-Proof”
7:51 am (UTC-7) | by Jonell Baltazar (Advanced Threats Researcher)

SNIPPET: “KOOBFACE made waves in social networking sites by using infected users’ profiles to infect other users and therefore propagate. We have chronicled its activities in the following blog posts:

KOOBFACE Increases Twitter Activity
New KOOBFACE Component: a DNS Changer
KOOBFACE Tweets
KOOBFACE Tries CAPTCHA Breaking
New Variant of KOOBFACE Worm Spreading on Facebook
Worms Wriggling Their Way Through Facebook”


2 posted on 07/23/2009 1:10:54 PM PDT by Cindy
[ Post Reply | Private Reply | To 1 | View Replies]

To: All

Previously...

http://ddanchev.blogspot.com/2009/07/dissecting-koobface-worms-twitter.html

WEDNESDAY, JULY 15, 2009
“Dissecting Koobface Worm’s Twitter Campaign”
Posted by Dancho Danchev


3 posted on 07/23/2009 1:15:35 PM PDT by Cindy
[ Post Reply | Private Reply | To 1 | View Replies]

To: All

Blog:

http://ddanchev.blogspot.com/2009/08/movement-on-koobface-front-part-two.html

WEDNESDAY, AUGUST 19, 2009
“Movement on the Koobface Front - Part Two”
Posted by Dancho Danchev


Previously...

http://ddanchev.blogspot.com/2009/08/movement-on-koobface-front.html

TUESDAY, AUGUST 04, 2009
“Movement on the Koobface Front”
Posted by Dancho Danchev


4 posted on 08/21/2009 3:59:26 AM PDT by Cindy
[ Post Reply | Private Reply | To 1 | View Replies]

To: All

Blog:

http://ddanchev.blogspot.com/2009/09/koobface-botnets-scareware-business.html

WEDNESDAY, SEPTEMBER 16, 2009
“Koobface Botnet’s Scareware Business Model”
Posted by Dancho Danchev


5 posted on 09/26/2009 1:45:33 PM PDT by Cindy
[ Post Reply | Private Reply | To 4 | View Replies]

To: All

blog:

http://ddanchev.blogspot.com/2009/10/koobface-botnet-dissected-in-trendmicro.html

WEDNESDAY, OCTOBER 14, 2009
“Koobface Botnet Dissected in a TrendMicro Report”
Posted by Dancho Danchev

SNIPPET: “I’d like to thank the folks at TrendMicro for mentioning the message inserted by the Koobface gang (more love on a first-name basis from them) within their command and control infrastructure for nine days, greeting me for systematically kicking them out of their ISPs, and suspending their command and control domains, in a new report entitled The Heart of Koobface - C&C and Social Network Propagation:”


6 posted on 10/18/2009 6:10:03 PM PDT by Cindy
[ Post Reply | Private Reply | To 1 | View Replies]

To: All

ON THE INTERNET:

http://us.trendmicro.com/imperia/md/content/us/trendwatch/researchandanalysis/the_20heart_20of_20koobface_final_1_.pdf


7 posted on 10/18/2009 6:11:58 PM PDT by Cindy
[ Post Reply | Private Reply | To 6 | View Replies]

To: All

Blog:

http://ddanchev.blogspot.com/2009/10/koobface-botnet-redirects-facebooks-ip.html

WEDNESDAY, OCTOBER 21, 2009
“Koobface Botnet Redirects Facebook’s IP Space to my Blog”

(Posted by Dancho Danchev at Wednesday, October 21, 2009)

SNIPPET: “The result? Earlier this morning, I’ve noticed over 7,000 unique visits coming from Facebook Inc’s IP space using active and automatically blogspot accounts part of the Koobface botnet as http referrers (New Koobface campaign spoofs Adobe’s Flash updater), which is now officially relying on already infected hosts for the CAPTCHA recognition process.”

SNIPPET: “A representative from Facebook’s Security Incident Response Team just confirmed the development, and commented...”


8 posted on 10/25/2009 4:08:22 PM PDT by Cindy
[ Post Reply | Private Reply | To 7 | View Replies]

To: All

Blog:

http://ddanchev.blogspot.com/2009/11/koobface-botnets-scareware-business.html

WEDNESDAY, NOVEMBER 11, 2009
“Koobface Botnet’s Scareware Business Model - Part Two”

(Posted by Dancho Danchev at Wednesday, November 11, 2009)

SNIPPET: “UPDATED - Tuesday, November 17, 2009: Koobface is resuming scareware (Inst_312s2.exe) operations at 91.212.107.103 which was taken offline for a short period of time. ISP has been notified again, action should be taken shortly. The current domain portfolio including new ones parked there:”


9 posted on 11/18/2009 2:59:24 AM PST by Cindy
[ Post Reply | Private Reply | To 8 | View Replies]

To: All

Blog:

http://ddanchev.blogspot.com/2009/11/massive-scareware-serving-blackhat-seo.html

TUESDAY, NOVEMBER 17, 2009
“Massive Scareware Serving Blackhat SEO, the Koobface Gang Style”

(Posted by Dancho Danchev at Tuesday, November 17, 2009)

SNIPPET: “Ali Baba and the 40 thieves LLC are once again multi-tasking, this time compromising hundreds of thousands of web sites, and redirecting Google visitors — through the standard http referrer check — to scareware serving domains.

What’s so special about the domains mentioned in Cyveillance’s post, as well as the ones currently active on this campaign? It’s the Koobface connection.”


10 posted on 11/18/2009 3:01:31 AM PST by Cindy
[ Post Reply | Private Reply | To 9 | View Replies]

To: All

Blog:

http://ddanchev.blogspot.com/2009/11/koobface-botnet-starts-serving-client.html

WEDNESDAY, NOVEMBER 25, 2009
“Koobface Botnet Starts Serving Client-Side Exploits”
Posted by Dancho Danchev

SNIPPET: “UPDATED, Thursday, November 26, 2009: The gang has currently suspended the use of client-side exploits, let’s see if it’s only for the time being or indefinitely.”


11 posted on 11/26/2009 4:11:19 PM PST by Cindy
[ Post Reply | Private Reply | To 10 | View Replies]

To: All

http://ddanchev.blogspot.com/2009/11/koobface-botnet-starts-serving-client.html

WEDNESDAY, NOVEMBER 25, 2009
“Koobface Botnet Starts Serving Client-Side Exploits”
Posted by Dancho Danchev

SNIPPET: “UPDATED, Saturday, November 28, 2009: Following yesterday’s experiment with bit.ly redirectors, relying on a “visual social engineering element” by adding descriptive domains after the original link — bit.ly/588dmE?YOUTUBE.COM/ea05981d43, which works with any generated bit.ly link, the gang is now spamvertising links using Google News redirection to automatically registered Blogspot accounts, whose CAPTCHA challenge has been solved by the already infected with Koobface victims, a feature that is now mainstream, compared to the gang’s previous use of commercial CAPTCHA solving services, where the price for a thousand solved CAPTCHAs varies between $1 and $2:”


12 posted on 11/29/2009 5:12:52 PM PST by Cindy
[ Post Reply | Private Reply | To 11 | View Replies]
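The appended-hostname trick quoted above (bit.ly/588dmE?YOUTUBE.COM/ea05981d43) can be caught mechanically before a user clicks. The following is an added example, not code from the original post or from Danchev's blog: it pulls links out of a message and flags any shortener link whose query string or fragment starts with something that looks like a hostname. The shortener list and the sample message are constructed for the example.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed list for the example; extend it with the shorteners you actually see.
SHORTENERS = {"bit.ly", "tinyurl.com", "is.gd"}

# A bare hostname (dotted labels, alphabetic TLD) at the very start of the
# query string or fragment, optionally followed by a fake path.
DECOY_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/|$)", re.IGNORECASE)

# Links in free text: optional scheme, dotted host, then a path.
URL_RE = re.compile(r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}/[^\s<>\"']+", re.IGNORECASE)

# Constructed sample message in the style of the spam described in the post.
SAMPLE_MESSAGE = "lol is this you in the video? bit.ly/588dmE?YOUTUBE.COM/ea05981d43 also http://bit.ly/999xyz"


def decoy_host(url: str) -> Optional[str]:
    """Return the lowercase decoy hostname if url is a shortener link whose
    query or fragment starts with a hostname, else None. The shortener ignores
    the appended part and still resolves the short code, so the link works."""
    if "://" not in url:
        url = "http://" + url  # urlsplit needs a scheme to find the host
    parts = urlsplit(url)
    if (parts.hostname or "").lower() not in SHORTENERS:
        return None
    for tail in (parts.query, parts.fragment):
        match = DECOY_RE.match(tail)
        if match:
            return match.group(0).rstrip("/").lower()
    return None


def flag_message(text: str) -> List[Tuple[str, str]]:
    """Return (link, decoy_host) pairs for every suspicious link in text;
    plain shortener links without a decoy are left alone."""
    hits = []
    for url in URL_RE.findall(text):
        decoy = decoy_host(url)
        if decoy:
            hits.append((url, decoy))
    return hits


if __name__ == "__main__":
    for link, host in flag_message(SAMPLE_MESSAGE):
        print(f"suspicious: {link} dressed up as {host}")
```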

To: All

Quote:

http://www.freerepublic.com/focus/f-bloggers/2405787/posts

Celebrity-Themed Scareware Campaign Abusing DocStoc
DANCHO DANCHEV - blog ^ | MONDAY, DECEMBER 07, 2009 | Dancho Danchev
Posted on December 11, 2009 3:32:36 PM PST by Cindy

MONDAY, DECEMBER 07, 2009
“Celebrity-Themed Scareware Campaign Abusing DocStoc”

UPDATE: Docstoc has removed all the participating accounts in this campaign, and is applying additional filtering to undermine its effectiveness.

Last week’s “Celebrity-Themed Scareware Campaign Abusing DocStoc and Scribd” is now exclusively targeting the popular Docstoc document-sharing service. Naturally, this very latest campaign once again offers overwhelming evidence on the inner workings of the cybercrime ecosystem, in this particular case, the connection between the Koobface gang and money mule recruitment campaigns.

(Excerpt) Read more at ddanchev.blogspot.com ...


13 posted on 12/11/2009 3:33:58 PM PST by Cindy
[ Post Reply | Private Reply | To 1 | View Replies]

To: All

Blog:

http://ddanchev.blogspot.com/2009/12/koobface-friendly-riccom-ltd-as29550.html

TUESDAY, DECEMBER 22, 2009
“Koobface-Friendly Riccom LTD - AS29550 - (Finally) Taken Offline”
Posted by Dancho Danchev

SNIPPET: “Last week, Josh Kirkwood, Network Engineer at Blue Square Data Group Services Limited, with whom I’ve been keeping in touch regarding the blackhat SEO activity courtesy of the Koobface gang, and actual Koobface botnet activity that’s been taking place there for months, pinged me with an interesting email - “Riccom are now gone” (AS29550). He also pinged the folks at hpHosts in response to their posts once again emphasizing on the malicious activity taking place there.”


14 posted on 12/22/2009 11:20:21 PM PST by Cindy
[ Post Reply | Private Reply | To 13 | View Replies]

To: All

Blog:

http://ddanchev.blogspot.com/2009/12/koobface-gang-wishes-industry-happy.html

SATURDAY, DECEMBER 26, 2009
“The Koobface Gang Wishes the Industry ‘Happy Holidays’”
Posted by Dancho Danchev


15 posted on 01/26/2010 11:52:44 PM PST by Cindy
[ Post Reply | Private Reply | To 1 | View Replies]

To: All

blog:

http://ddanchev.blogspot.com/2010/02/diverse-portfolio-of-scarewareblackhat.html

WEDNESDAY, FEBRUARY 03, 2010
“A Diverse Portfolio of Scareware/Blackhat SEO Redirectors Courtesy of the Koobface Gang”
Posted by Dancho Danchev

SNIPPET: “With scareware/rogueware/fake security software continuing to be the cash-cow choice for the Koobface gang, keeping them on a short leash in order to become the biggest opportunity cost for the gang’s business model is crucial.

The following are currently active blackhat SEO redirectors/Koobface-infected hosts redirectors and actual scareware domains courtesy of the gang.”


16 posted on 02/05/2010 1:11:55 AM PST by Cindy
[ Post Reply | Private Reply | To 1 | View Replies]

To: All

http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2010/02/01/BUJB1BR33G.DTL

“Hackers turn to social media to attack companies”
Alejandro Martínez-Cabrera, Chronicle Staff Writer
Tuesday, February 2, 2010

SNIPPET: “Social media is increasingly becoming fertile ground for hackers to attack companies with spam and malware, according to a report released Monday by a security firm.”

SNIPPET: “Worm evolves

The troublesome Koobface worm also continued to evolve in sophistication. In 2009, the worm became capable of automatically registering a Facebook account, befriending strangers and posting malicious content on the walls of potential victims, the report said.”


17 posted on 02/05/2010 1:17:44 AM PST by Cindy
[ Post Reply | Private Reply | To 16 | View Replies]

To: All

blog:

http://ddanchev.blogspot.com/2010/03/koobface-redirectors-and-scareware.html

MONDAY, MARCH 15, 2010
“Koobface Redirectors and Scareware Campaigns Now Hosted in Moldova”
Posted by Dancho Danchev

SNIPPET: “Just how greedy has the Koobface gang become these days? Very greedy.

In fact, their currently active scareware campaigns operate with a changed directory structure that speaks for itself - scareware-domain/fee1/index.php?GREED==random_characters. Let’s dissect the scareware monetization vector, expose the entire typosquatted domains portfolio, and offer a historical OSINT perspective on their activities during February, 2010.

The domain portfolios are in a process of getting suspended”


18 posted on 03/16/2010 4:23:08 PM PDT by Cindy
[ Post Reply | Private Reply | To 1 | View Replies]

To: All

blog:

http://ddanchev.blogspot.com/2010/04/dissecting-koobface-gangs-latest.html

TUESDAY, APRIL 27, 2010
“Dissecting Koobface Gang’s Latest Facebook Spreading Campaign”
Posted by Dancho Danchev


19 posted on 04/29/2010 4:59:35 PM PDT by Cindy
[ Post Reply | Private Reply | To 1 | View Replies]

To: All

http://ddanchev.blogspot.com/2010/05/from-koobface-gang-with-scareware.html

SATURDAY, MAY 08, 2010
“From the Koobface Gang with Scareware Serving Compromised Sites”
Posted by Dancho Danchev


20 posted on 05/11/2010 12:04:59 AM PDT by Cindy
[ Post Reply | Private Reply | To 19 | View Replies]
