Archive for October 7th, 2009


Oct7
by Ryan Flores (Advanced Threats Researcher)

You’ve probably read or heard about KOOBFACE malware propagating through social networking sites such as Facebook, MySpace, and Twitter. A lot of analysis is available online through blogs or malware descriptions. But I bet most of you probably still do not know some or all of these things about KOOBFACE.

  1. KOOBFACE knows: KOOBFACE has the capability to steal whatever information is available in your Facebook, MySpace, or Twitter profile. Profile pages of these social networking sites may contain information about one’s contact details (address, email, phone), interests (hobbies, favorite things), affiliations (organizations, universities), and employment (employer, position, salary). So beware, KOOBFACE knows a lot! 
  2. KOOBFACE doesn’t just know you through your profile information, it also knows what you look like: Not only does the botnet steal profile information, it also makes sure to put a face to the name by grabbing your profile picture as well.
  3. URLs leading to KOOBFACE malware are either in compromised or free Web hosting sites: Yep, call them cheap but the guys behind KOOBFACE are making good use of compromised and free Web hosting sites in spamming KOOBFACE-related URLs. These URLs are spammed in social networking sites with catch phrases like “funny video,” which lead to a fake YouTube or Facebook site, which then leads to KOOBFACE malware. 
  4. KOOBFACE zombies are made into Web servers on top of being social networking site spammers: KOOBFACE installs a Web server component into infected machines, which effectively makes the infected machine part of the malware’s distribution network. Infected machines serve fake YouTube or Facebook pages, which then lead to the KOOBFACE malware. 
  5. KOOBFACE zombies are able to distribute repackaged versions of the malware: KOOBFACE Web servers are able to use UPX, a popular executable packer program, to pack (compress) the KOOBFACE binaries they serve.
  6. Half of KOOBFACE infections occur in the United States: This is not surprising, since the majority of social networking site users reside in the United States.
  7. KOOBFACE is able to block IP addresses: Probably in an effort to protect itself against takedown or snooping by curious researchers, KOOBFACE implemented a blockIP routine where traffic coming from a particular IP range is blocked. 
  8. KOOBFACE is able to defeat Facebook’s spam filtering: Facebook, MySpace, and Twitter have recently implemented spam-filtering mechanisms that block known spam URLs. KOOBFACE tries to circumvent this by first testing whether a given KOOBFACE spam URL is blocked by Facebook.

So there, some things you may not know about KOOBFACE. If this whets your appetite for more information, you may read our research paper The Heart of KOOBFACE: C&C and Social Network Propagation, fresh off the grill from the White Papers section of TrendWatch.


 

Oct7

I was prompted into crafting this post by a Scientific American blog post which stated that many experts in various scientific studies are sometimes “blinded” by — in fact — their focused studies of a particular subject, missing some of the finer aspects of the larger picture, so to speak.

This reminds me of the many efforts over the course of the past five or so years to connect the dots on Eastern European cyber crime — something on which I have spent a great deal of time and effort, with reasonable success — Trend Micro customers get protected as a direct byproduct of this research.

Of course, this leads me to the reason for this post — there are certainly “gray areas” of cyber crime where we have yet to identify. It’s an ongoing research project, so to speak, and realistically it is a never-ending quest.

This is where I provide kudos to Dmitry Samosseiko of Sophos, for his excellent paper he presented at Virus Bulletin 2009 in Geneva, entitled “The PARTNERKA – What Is It and Why Should You Care?” [.pdf]

We’ve also been closely following these “partnerka” relationships, or affiliate programs, for several years — including “installs for cash” or “pay-per-install” programs that Dancho Danchev has written about on many occasions, and several other “business network” relationships between several entities in Russia, the Ukraine, Estonia, and elsewhere in Eastern Europe.

The bottom line here is that there are very organized, sophisticated, and professional criminal organizations operating out of Eastern Europe, and Trend Micro researchers are very much engaged on this front.

It is a very shadowy, nefarious cyber crime landscape of fraud & theft, and is not always as it appears on the surface — it requires much digging, verifying, connecting-the-dots, and other research that requires many hours, days, and even months of research. There is much that we still don’t know, and that holds true for everyone trying to expose these criminal enterprises.

But we’re on it.

My threat research group does “Threat Intelligence X” and “Threat Intelligence Y”, where “X” is the operational threats that exist now, and 15 minutes from now. Threat Intelligence “Y” is what we can expect to see in 6 months, a year, two years, etc., on the threat landscape.

And all of the threat landscape that exists now (and 15 minutes from now) gets represented in the Trend Micro Smart Protection Network, which provides our customers protection against threats from three threat vectors — e-mail, web, and malicious files themselves.

I’m very proud of our efforts here.

Paul Ferguson
Threat Research

 

Oct7
by Det Caraig (Technical Communications)

Trend Micro threat analysts were alerted to the discovery of a not-so-common file infector. Unlike usual file infectors that only do simple modifications to the files they infect, PE_XPAJ.A does complex modifications to hide its malicious code.

Though it shares some characteristics with other PE file infectors, it is considered more than the average file infector. For instance, it ensures that infected files do not exhibit any obvious sign of infection, which makes it harder for security experts to find its malicious code.

The file infector infects .DLL, .EXE, .SCR, and .SYS files in the following folders:

  • %Program Files%
  • %Windows%

It uses a polymorphic, entry-point-obscuring (EPO), cavity-type infection, which moves some of the host file’s code to another location. The malware encrypts its signature, as well as the instructions that carry out the encryption, in a different way every time it executes. It hides its entry point in order to avoid detection: instead of taking control and carrying out its actions as soon as an infected application is run, it lets the application work correctly for a while before taking action.

The file infector also connects to the following URLs to download encrypted files:

  • http://{BLOCKED}huy.com/plugin/plugin.dat
  • http://{BLOCKED}ios.com/stamm/stamm.dat

If that is not troublesome enough, it also copies and hides legitimate files in the %UserTemp% folder as {random HEX value}.tmp.
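One defensive check that follows from the behavior described above, added here as an example and not code from the original post or from Trend Micro: scan a %UserTemp%-style folder for files named {hex value}.tmp that are actually PE images, which is the disguise the infector gives to the legitimate files it copies. The sample directory is constructed inside the block; the hidden-attribute check is only meaningful on Windows.

```python
import os
import re
import struct
import tempfile

# Name pattern described in the post: {random HEX value}.tmp
HEX_TMP = re.compile(r"^[0-9a-fA-F]{4,}\.tmp$")
FILE_ATTRIBUTE_HIDDEN = 0x2


def is_pe_file(path):
    """True if the file has an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    try:
        with open(path, "rb") as f:
            dos = f.read(64)
            if len(dos) < 64 or dos[:2] != b"MZ":
                return False
            e_lfanew = struct.unpack_from("<I", dos, 60)[0]
            f.seek(e_lfanew)
            return f.read(4) == b"PE\0\0"
    except OSError:
        return False


def find_suspicious_tmp(temp_dir):
    """Return sorted (name, hidden) pairs for hex-named .tmp files that are PE images."""
    hits = []
    for name in os.listdir(temp_dir):
        path = os.path.join(temp_dir, name)
        if os.path.isfile(path) and HEX_TMP.match(name) and is_pe_file(path):
            # st_file_attributes exists only on Windows; elsewhere report not hidden.
            attrs = getattr(os.stat(path), "st_file_attributes", 0)
            hits.append((name, bool(attrs & FILE_ATTRIBUTE_HIDDEN)))
    return sorted(hits)


def _minimal_pe():
    """Constructed stand-in for a copied PE: MZ stub with e_lfanew=0x80 and a PE signature."""
    hdr = bytearray(b"MZ" + b"\0" * 62)
    struct.pack_into("<I", hdr, 60, 0x80)
    return bytes(hdr) + b"\0" * (0x80 - 64) + b"PE\0\0" + b"\0" * 20


def scan_sample_tree():
    """Build a constructed %UserTemp% lookalike, scan it, and return the flagged names."""
    d = tempfile.mkdtemp()
    samples = {
        "3fa9c1d2.tmp": _minimal_pe(),  # hex name + PE body: flagged
        "7b2e.tmp": b"plain text",      # hex name but not a PE: ignored
        "report.tmp": _minimal_pe(),    # PE body but not a hex name: ignored
        "DEADBEEF.tmp": _minimal_pe(),  # uppercase hex also matches
    }
    for name, body in samples.items():
        with open(os.path.join(d, name), "wb") as f:
            f.write(body)
    return [name for name, _hidden in find_suspicious_tmp(d)]
```

Point `find_suspicious_tmp` at the real %UserTemp% path to run it outside the constructed sample; a hit is a lead for closer inspection, not proof of infection on its own.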

Trend Micro Smart Protection Network already protects product users from this file infector. Non-users, on the other hand, can use HouseCall to clean their infected systems.


Oct7
by Bernadette Irinco (Technical Communications)

US President Barack Obama officially declared October as National Cybersecurity Awareness Month. Now in its sixth year, the campaign promotes increased awareness under the theme “Our Shared Responsibility.” It calls for everyone to do their fair share in securing the nation’s digital infrastructure, and it stresses the need for people to familiarize themselves with best computing practices to protect themselves against the threats plaguing the Web today.

Threats are continuously evolving and increasing. In fact, Trend Micro Smart Protection Network blocks at least 1 billion threats per day. Cybercriminals are incessantly employing new tactics such as SEO poisoning, where search results on current news are rigged to redirect users to malicious websites that serve FAKEAV and other malware. This year, we also saw the full-blown rise of the KOOBFACE botnet, which leverages the popularity of social networking sites. ZBOT variants are still prominent threats that arrive via spam attachments.

With that in mind, it is crucial for law enforcement, government, and security researchers to maintain their collaboration to fight cybercrime. In the past, such collaboration was able to take down McColo, a spam mogul known for hosting malicious operations such as credit card theft and fraud, to name a few. Advanced Threats Researcher Paul Ferguson, along with other security researchers, worked with the HostExploit.com Cyber Crime Report, providing research and intelligence on the criminal activities of McColo.

Users can also help in the battle against cybercrime by equipping themselves with knowledge of best practices. For tips on safe computing, users can visit the Trend Micro Internet Safety for Kids and Family website. They can also use free tools like HouseCall, TrendProtect, and Transaction Guard to secure themselves from threats lurking on the Web.

Trend Micro commends the United States for this cybersecurity initiative and encourages other countries to actively promote security awareness. After all, cybercrime is a global concern that involves everybody. In addition, let us not forget that security is a long-term campaign that goes beyond this month. Every month should be treated as cybersecurity awareness month.

 


© Copyright 2010 Trend Micro Inc. All rights reserved.