
    Author Archive - Jonell Baltazar (Senior Threat Researcher)

    The KOOBFACE botnet is known for using the pay-per-install (PPI) and pay-per-click (PPC) business models in order to make money. In 2009 alone, the KOOBFACE gang earned about US$2 million.

    This was, however, not enough, as the gang upgraded their botnet framework with the creation of a sophisticated traffic direction system (TDS) that handles all of the traffic referenced to their affiliate sites. They also introduced new binary components to help increase the amount of Internet traffic that goes to their TDS, which translates to even bigger profit.

    The KOOBFACE gang’s TDS redirected traffic to advertising sites from which they earn referral money or to several of their affiliate sites. Note that websites that use the referral business model such as advertising and affiliate sites earn more as the Internet traffic to their sites increases. To more clearly see how the new TDS allows the gang to earn more, look at the diagram below, along with the list of steps taken to achieve it:

    (Figure: Koobface TDS diagram)


    The KOOBFACE botnet became known for using popular social networking sites as a propagation vector and abusing these platforms for malicious purposes. We recently observed that KOOBFACE no longer actively propagates via social networks but rather does so via a torrent P2P network through sharing Trojanized application files.

    While conducting research, we found a “loader” that KOOBFACE uses. This component is responsible for downloading the botnet’s other components and arrives on victims’ systems either via the download of Trojanized torrent files or via a new KOOBFACE component called tor2.exe, which we detect as WORM_KOOBFACE.AV.

    Upon execution, WORM_KOOBFACE.AV accesses a C&C domain to request a torrent file. Once the file is received, it executes a torrent client that is stored in the resource section of the binary. This torrent client, uTorrent version 2.2.1, is executed without the user’s knowledge and runs as a background process.

    The torrent client downloads the files referenced by the previously downloaded torrent file from the C&C. A sample of the downloaded torrent file references four files that supposedly comprise an Adobe Lightroom installer package:

    These files serve different functions:

    • setup.exe decrypts and executes then executes
    • acts as the downloader of the other component binaries.
    • is the actual Adobe Lightroom installer.
    • decrypts and executes

    The files setup.exe,, and are all also detected as WORM_KOOBFACE.AV.



    The KOOBFACE botnet continuously evolves to keep on generating profit for its perpetrators. The fact that the botnet is still alive shows that the cybercriminals behind it are making a fortune off it.

    In our effort to conduct research on and to monitor the latest developments made to the KOOBFACE botnet, we have noticed several changes in the way it operates. Some of the major changes the botnet has undergone from when we started unmasking it include the following:

    1. Using proxy command-and-control (C&C) servers
    2. Encrypting the gang members’ C&C communications
    3. Banning IP addresses from repeatedly accessing KOOBFACE-controlled sites
    4. Introducing new binary components
    5. Employing several layers of binary protection with the use of more complex packers

    These changes pose a greater challenge to security researchers in reverse-engineering existing KOOBFACE binaries and in monitoring the gang members’ C&C communications. Though the changes the gang has made to their botnet have made it interesting, someone has to put a stop to their malicious schemes and put the perpetrators where they belong—behind bars.

    For more information on the most recent developments on the KOOBFACE botnet based on our latest findings, read “Web 2.0 Botnet Evolution: KOOBFACE Revisited.” You may also find the following papers a good read to learn more about one of the most notorious botnets in existence today—KOOBFACE:


    The KOOBFACE FTP grabber component, which is a variant of the LDPINCH Trojan family, usually drops stolen FTP user names and passwords to a remote server controlled by the KOOBFACE gang. This remote server, located in Hong Kong, was taken down last week, thanks largely to the efforts of the Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT). However, the KOOBFACE gang was quick to move their server to another hosting company located in China.

    The FTP grabber sends stolen credentials to the remote server via an HTTP POST request to the URL http://{BLOCKED}, using the word “malware” as its user-agent.

    The admin page is located in the /adm/admin.php directory.
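    The two network indicators named above (an HTTP POST whose User-Agent is the bare word “malware”, and requests for the /adm/admin.php panel) are easy to hunt for in outbound proxy logs. The following is an added detection example, not code from the original post: it runs over a constructed log excerpt in an assumed `timestamp client method url "user-agent"` format, and the host `cnc.invalid` is a placeholder standing in for the blocked C&C address.

```python
"""Flag KOOBFACE FTP-grabber beacons in a proxy log (added example)."""
import re
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Assumed log format: <timestamp> <client_ip> <method> <url> "<user-agent>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "(?P<ua>[^"]*)"$'
)

# Constructed sample lines; cnc.invalid is a placeholder, not the real server.
SAMPLE_LOG = """\
2010-06-01T10:00:01Z 10.0.0.5 GET http://example.com/ "Mozilla/5.0"
2010-06-01T10:00:07Z 10.0.0.5 POST http://cnc.invalid/ftp.php "malware"
2010-06-01T10:00:09Z 10.0.0.9 POST http://cnc.invalid/adm/admin.php "Mozilla/4.0"
2010-06-01T10:00:12Z 10.0.0.7 GET http://example.org/img.png "malware-scanner/1.0"
2010-06-01T10:00:15Z 10.0.0.5 POST http://cnc.invalid/ftp.php "Malware"
this line is not in the expected format
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one log line into a dict; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_grabber_beacon(rec: Dict[str, str]) -> bool:
    """The grabber POSTs credentials with the literal user-agent "malware".

    Exact, case-insensitive comparison avoids false positives on legitimate
    agents that merely contain the word (e.g. "malware-scanner/1.0").
    """
    return rec["method"] == "POST" and rec["ua"].strip().lower() == "malware"


def is_admin_panel_request(rec: Dict[str, str]) -> bool:
    """Any request for the /adm/admin.php panel path described in the post."""
    return urlsplit(rec["url"]).path.endswith("/adm/admin.php")


def scan_log(log_text: str) -> Dict[str, List[Dict[str, str]]]:
    """Return matching records grouped by indicator, skipping unparsable lines."""
    hits: Dict[str, List[Dict[str, str]]] = {"grabber_beacon": [], "admin_panel": []}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if is_grabber_beacon(rec):
            hits["grabber_beacon"].append(rec)
        if is_admin_panel_request(rec):
            hits["admin_panel"].append(rec)
    return hits


def infected_clients(log_text: str) -> List[str]:
    """Client IPs that sent at least one grabber beacon (likely infected hosts)."""
    return sorted({r["client"] for r in scan_log(log_text)["grabber_beacon"]})


if __name__ == "__main__":
    for indicator, records in scan_log(SAMPLE_LOG).items():
        for r in records:
            print(f"{indicator}: {r['ts']} {r['client']} {r['method']} {r['url']}")
    print("clients to investigate:", infected_clients(SAMPLE_LOG))
```

    The user-agent check is deliberately an exact match rather than a substring search; a host whose legitimate security tooling identifies itself as something like "malware-scanner" should not be paged for this indicator.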

    When a botnet server is taken down, botnet owners tend to turn to bulletproof hosting services or to hosting companies that are hard to take down. This not only means business as usual for the cybercriminals but also means they are shoring up their “defenses.” In light of these developments, Trend Micro will continue to monitor the KOOBFACE family of threats in order to keep our customers protected.


    Trend Micro advanced threat researchers recently came across a new ZBOT/ZeuS binary file detected as TROJ_ZBOT.BTM.

    ZBOT/ZeuS variants are well known for stealing banking information from their victims via various social engineering tactics (e.g., spammed messages, malicious links sent to social networking site members in the guise of messages, and compromised legitimate sites), as evidenced by the following documented noteworthy occurrences:

    Apart from the usual information-stealing tactics ZBOT/ZeuS Trojans are known for, however, this new variant came with a hidden message that thanks and taunts some well-known antivirus companies for the help they provide the cybercriminals behind the malware to constantly improve on their craft. The said message, however, will only be visible after the binary file (version unpacks and copies itself onto affected systems’ memory.


    This taunting message shows that the cybercriminals have systems in place to monitor how well antivirus companies detect their creations, and that they constantly update their software to avoid detection.

    Trend Micro™ Smart Protection Network™ already protects product users from this threat: its Web reputation service blocks access to the malicious site, http://{BLOCKED}, from which the binary file could be downloaded, and its file reputation service detects the file and prevents its execution on affected systems.

    Users of non-Trend Micro products can also stay protected by using free tools such as Web Protection Add-On, which is designed to block access to potentially malicious websites in real time.



    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice