Introduction
In the following paper, TrendLabs exposes the latest developments made to the KOOBFACE botnet to keep it running and to shield its transactions from the prying eyes of security researchers and law enforcers alike.
Botnet Developments
Some of these developments are implemented to make analysis and reverse engineering difficult for researchers. Another is the introduction of a second layer of servers, called proxy command-and-control (C&C) servers, which makes the botnet more resilient to C&C takedown.
KOOBFACE URLs
The sites are now capable of banning the IP addresses of users who tried, on more than one occasion, to access them. Through this, the gang's members were able to prevent constant monitoring by security researchers using a single IP address: a researcher who re-fetches a site from the same address is blocked after the first visit. Each KOOBFACE-controlled URL now keeps a local copy of the banned IP addresses.
Spammed URLs
The spammed links try to trick users into viewing a bogus video. KOOBFACE-spammed URLs have started coming in different forms. In the past, users only had to click a single link to end up on a page where the KOOBFACE binary could be downloaded. The new URLs either use the old template or carry encoded IP addresses.
URL Redirectors
In the past, users who clicked KOOBFACE-spammed URLs went through a few redirections, driven by unobfuscated JavaScript, before landing on a fake YouTube or Facebook site. Another change the gang has implemented is to obfuscate such scripts using string replacement. After deobfuscation, the IP addresses that point to the fake YouTube pages where KOOBFACE binaries could be downloaded (the final landing pages) have been seen to use random ports.
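As an added example (not code from the paper or from TrendLabs), the following Go program undoes a string-replacement obfuscation of the kind described above without executing the script, extracts the landing URL with its port, and decodes the host, covering the encoded IP addresses the new spammed URLs carry as well. The sample script, its junk token "@@", the decimal-dword IP encoding, the port 47931 and the subdirectory name are all constructed for this example; the paper does not say which junk token or IP encoding KOOBFACE used, so the dword forms handled here are an assumption.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"regexp"
	"strconv"
	"strings"
)

// Constructed sample in the style the paper describes: the real redirector is
// stored as a string with a junk token ("@@") inserted, the token is stripped
// with a string replacement, and the result is eval'ed. Not a real KOOBFACE
// script; the dword-encoded IP, the port and the subdirectory are made up.
const obfuscatedRedirector = `var s="win@@dow.lo@@cation.hr@@ef='ht@@tp://3232235777:47931/e9Kq2/'";
eval(s.replace(/@@/g,""));`

var (
	reStringVar = regexp.MustCompile(`var\s+\w+\s*=\s*"((?:[^"\\]|\\.)*)"`)
	reReplace   = regexp.MustCompile(`\.replace\(/((?:[^/\\]|\\.)+)/g\s*,\s*"((?:[^"\\]|\\.)*)"\)`)
	reURL       = regexp.MustCompile(`https?://([^/:'"\s]+)(?::(\d{1,5}))?(/[^'"\s]*)?`)
)

// Landing is the final landing location recovered from a redirector.
type Landing struct {
	Host string // host exactly as written in the script
	IP   string // dotted-quad after decoding
	Port string // empty when the URL carries no explicit port
	Path string
}

// Deobfuscate reverses a replace-based obfuscation: it takes the quoted
// script body and applies the same replacement the page would apply before
// eval, without executing anything.
func Deobfuscate(script string) (string, error) {
	sm := reStringVar.FindStringSubmatch(script)
	rm := reReplace.FindStringSubmatch(script)
	if sm == nil || rm == nil {
		return "", errors.New("no quoted string + replace() pair found")
	}
	// The junk token is written as a JS regex literal; only literal tokens
	// (possibly with escaped metacharacters) are handled here.
	junk := strings.ReplaceAll(rm[1], `\`, "")
	return strings.ReplaceAll(sm[1], junk, rm[2]), nil
}

// DecodeIPHost normalises host forms a browser accepts but a reader misses:
// a dotted-quad, a decimal "dword" (3232235777) or a hex dword (0xC0A80101).
// The paper only says the new URLs use encoded IP addresses; the dword forms
// are an assumption.
func DecodeIPHost(host string) (string, error) {
	if ip := net.ParseIP(host); ip != nil && ip.To4() != nil {
		return ip.String(), nil
	}
	var n uint64
	var err error
	if strings.HasPrefix(strings.ToLower(host), "0x") {
		n, err = strconv.ParseUint(host[2:], 16, 32)
	} else {
		n, err = strconv.ParseUint(host, 10, 32)
	}
	if err != nil {
		return "", fmt.Errorf("host %q is neither dotted-quad nor a 32-bit integer", host)
	}
	return fmt.Sprintf("%d.%d.%d.%d", n>>24, (n>>16)&0xff, (n>>8)&0xff, n&0xff), nil
}

// ExtractLanding deobfuscates the script and pulls out the landing URL,
// including the random port the paper reports on the final landing pages.
func ExtractLanding(script string) (Landing, error) {
	plain, err := Deobfuscate(script)
	if err != nil {
		return Landing{}, err
	}
	m := reURL.FindStringSubmatch(plain)
	if m == nil {
		return Landing{}, errors.New("no URL in deobfuscated script")
	}
	ip, err := DecodeIPHost(m[1])
	if err != nil {
		return Landing{}, err
	}
	return Landing{Host: m[1], IP: ip, Port: m[2], Path: m[3]}, nil
}

func main() {
	l, err := ExtractLanding(obfuscatedRedirector)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("final landing page: http://%s:%s%s (host written as %s)\n", l.IP, l.Port, l.Path, l.Host)
}
```

The deobfuscator deliberately applies the replacement itself instead of running the script in a JavaScript engine, so a malicious redirector is never executed during analysis; scripts that use a different obfuscation (a real regular expression as junk token, or nested replacements) make Deobfuscate return an error rather than a half-decoded result.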
Final Landing URLs
The more recently discovered final landing pages (fake YouTube pages) use URLs with random ports and randomly named subdirectories.
C&C Proxy URLs
C&C proxy URLs can be extracted from the KOOBFACE loader and social networking components. Where the old C&C proxy URLs were still in use, the KOOBFACE scripts were installed in the .sys subdirectory. New C&C proxy URLs have been found with randomly named subdirectories.
Old C&C proxy URL format: scripts under the .sys subdirectory
New C&C proxy URL format: randomly named subdirectories instead of just .sys
Proxy C&C Communications
The KOOBFACE gang already encrypts its C&C communications using the Data Encryption Standard (DES). The encrypted data follows the new command #BLUELABEL and can only be decrypted with a key defined by the gang itself.
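The following Go program, added here as an illustration and not taken from the paper or from the KOOBFACE code, shows how an analyst handles the data after #BLUELABEL once the key is known: it builds a constructed C&C response by DES-encrypting a command under a made-up key, then decrypts the payload and rejects data that was not produced with that key. The key "k0obf4c3", the hex encoding of the payload, ECB mode with PKCS#7 padding, the command text and the plain "PING" line are all assumptions; the paper states only that DES is used and that the key is chosen by the gang.

```go
package main

import (
	"bytes"
	"crypto/des"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// blueLabel is the command the paper names; everything after it is DES
// ciphertext. How that ciphertext is encoded on the wire is not stated, so
// this example assumes hex, DES in ECB mode and PKCS#7 padding.
const blueLabel = "#BLUELABEL"

func pkcs7Pad(b []byte, size int) []byte {
	n := size - len(b)%size
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte, size int) ([]byte, error) {
	if len(b) == 0 || len(b)%size != 0 {
		return nil, errors.New("length is not a multiple of the block size")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > size || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("invalid padding")
	}
	return b[:len(b)-n], nil
}

// desECB runs single DES block by block; des.NewCipher requires an 8-byte key.
func desECB(key, in []byte, decrypt bool) ([]byte, error) {
	blk, err := des.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(in)%blk.BlockSize() != 0 {
		return nil, errors.New("input is not a multiple of the DES block size")
	}
	out := make([]byte, len(in))
	for i := 0; i < len(in); i += blk.BlockSize() {
		if decrypt {
			blk.Decrypt(out[i:], in[i:])
		} else {
			blk.Encrypt(out[i:], in[i:])
		}
	}
	return out, nil
}

// EncryptCommand is the server side: it turns a plaintext command into a
// "#BLUELABEL <hex ciphertext>" line. Used here only to build a constructed
// response for the decoder below.
func EncryptCommand(key []byte, plaintext string) (string, error) {
	ct, err := desECB(key, pkcs7Pad([]byte(plaintext), des.BlockSize), false)
	if err != nil {
		return "", err
	}
	return blueLabel + " " + hex.EncodeToString(ct), nil
}

// DecryptBlueLabel is the analyst side: it walks a C&C response line by
// line, leaves lines without the command untouched and decrypts the data
// after #BLUELABEL. A wrong key normally shows up as a padding failure (or
// as garbage in the rare case the padding happens to verify).
func DecryptBlueLabel(key []byte, response string) ([]string, error) {
	var out []string
	for _, line := range strings.Split(strings.TrimSpace(response), "\n") {
		line = strings.TrimSpace(line)
		if !strings.HasPrefix(line, blueLabel) {
			out = append(out, line)
			continue
		}
		ct, err := hex.DecodeString(strings.TrimSpace(strings.TrimPrefix(line, blueLabel)))
		if err != nil {
			return nil, fmt.Errorf("%s payload is not hex: %w", blueLabel, err)
		}
		pt, err := desECB(key, ct, true)
		if err != nil {
			return nil, err
		}
		pt, err = pkcs7Unpad(pt, des.BlockSize)
		if err != nil {
			return nil, fmt.Errorf("%s: wrong key or corrupt payload (%v)", blueLabel, err)
		}
		out = append(out, string(pt))
	}
	return out, nil
}

func main() {
	key := []byte("k0obf4c3") // made-up 8-byte key; the real one is set by the gang
	line, _ := EncryptCommand(key, "UPDATE|http://192.0.2.10:47931/e9Kq2/ld.exe") // constructed command
	fmt.Println(DecryptBlueLabel(key, "PING\n"+line+"\n"))   // plain line passed through, command recovered
	fmt.Println(DecryptBlueLabel([]byte("wrongkey"), line)) // padding error: key does not match
}
```

Since every bot has to decrypt these commands, the key is necessarily present in the KOOBFACE loader; recovering it from the binary is the analyst's task, which the paper does not describe. Note also that DES has a 56-bit effective key, so the protection here is against casual reading of traffic rather than against a determined brute-force effort.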