Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Mobile Vulnerabilities

  • Zero-Day Alerts

  • Recent Posts

  • Calendar

    September 2015
    S M T W T F S
    « Aug    
  • Email Subscription

  • About Us

    Author Archive - Jonell Baltazar (Senior Threat Researcher)

    The Koobface botnet has pushed out a new component that automates the following routines:

    • Registering a Facebook account
    • Confirming an email address in Gmail to activate the registered Facebook account
    • Joining random Facebook groups
    • Adding Facebook friends
    • Posting messages to Facebook friends’ walls

    Overall, this new component behaves like a regular Internet user that starts to connect with friends in Facebook. All Facebook accounts registered by this component are comparable to a regular account made by a human. The details provided about the account are complete such as a photo, birth date, favorite music, and favorite books, among others. In addition, every account registered is unique in such a way that the details vary for every account registered.

    Koobface accomplishes these malicious activities by automating Internet Explorer to perform the task of creating and registering an account. However, it does not proceed and will terminate the process if the affected user is using Internet Explorer 6. Moreover, it employs a check if it has already reached the maximum friend requests set by Facebook or not. Hence, it keeps itself under the radar and does not cause any alarm to Facebook administrators.

    This component fetches details from one of the botnet’s available proxy domains.

    Click Click

    The messages posted through Facebook’s wall contain a link that leads to the usual fake Facebook or YouTube page hosting the Koobface loader component.

    Facebook users are advised to be careful and security conscious. It is probable that the Koobface botnet owns a particular Facebook account. It is a good thing that the Trend Micro Smart Protection Network continues to block malicious URLs spammed by Koobface.

    For more tips on using Facebook, users may opt to visit Facebook’s safety and security pages:


    We are seeing another development from the Koobface botnet, this time abusing the Google-owned service Google Reader to spam malicious URLs in social networking sites such as Facebook, MySpace, and Twitter.

    The Koobface gang used controlled Google Reader accounts to host URLs containing an image that resembles a flash movie. These URLs are spammed through the said social networks. When the user clicks the image or the title of the shared content, it leads to the all-too-familiar fake YouTube page that hosts the Koobface downloader component.

    Click for larger view Click for larger view

    Google Reader is a free service offered by Google that allows users to monitor websites for new content. It also allows the users to share content from the websites. Any user online can view these pages as they are shared with the public. Sharing any Google Reader page publicly is easy as anyone can click on the share icon in his or her Reader page and the content will appear on his or her public page


    This ability to share content with the public was abused by cybercriminals to use the Google Reader domain to spam malicious links.

    We have already contacted Google about this matter to remove the malicious content. As of now we’ve found 1,300 Google Reader accounts used for this attack. The spam URLs hosted through these accounts are now blocked.


    The Koobface botnet is widely known to install FAKEAV or rogue antivirus malware onto a victim’s PC. It has a dedicated component which actually installs the FAKEAV onto the user’s system. However, the Koobface gang has added a new twist to its fake Facebook page.

    When the user closes the window/tab with the fake Facebook page, a popup window appears. Whatever button the user clicks, this new Koobface variant is downloaded onto the affected system. Here’s a video that illustrates this behavior:

    This is the script used by cybercriminals to perform this new routine; it only works for users who used Internet Explorer to visit the fake page:

    KOOBFACE Script
    Figure 1. Koobface Script

    The scripts above leaves the user with very little choice – closing the browser window downloads a FakeAV variant (detected as TROJ_FAKEAV.FGR), while clicking anywhere on the web page will download a Koobface loader (detected as WORM_KOOBFACE.AZ).


    Early this week, the KOOBFACE Command and Control (C&C) servers issued a new command to its downloader component. This new command identifies a list of IP addresses to be used by the downloader component as Web or relay proxies to retrieve subsequent commands and components.

    In the old KOOBFACE architecture (see Figure 1), the downloader directly connects to an available C&C to receive commands. However, the new command seen early this week actually changes the KOOBFACE botnet architecture to something more like the diagram in Figure 2.

    Click for larger view Click for larger view

    This new command acts as a redundancy layer to the old architecture and probably as a response to KOOBFACE domain takedowns. The upgraded KOOBFACE architecture makes it possible for the KOOBFACE botnet to survive even if all of its C&C domains are shut down given that the list of IP addresses (KOOBFACE zombies) can also host updated KOOBFACE commands and components.

    KOOBFACE made waves in social networking sites by using infected users’ profiles to infect other users and therefore propagate. We have chronicled its activities in the following blog posts:


    6:23 pm (UTC-7)   |    by

    Twitter is a very popular platform for expressing whatever is on a user’s mind, making it a favorite target of malware authors. Trend Micro has published several blog entries that discussed attacks on Twitter. Now, the creators of Koobface included a new component in the malware to target the vast number of Twitter users. They’ve come up with the latest update to the Koobface loader binary and other known Koobface components that target social networking sites like Facebook, MySpace, Hi5, Bebo, Tagged, and Netlog.

    The new component uses a victim’s Twitter account to post tweets using Internet-browsing cookies to log in to the target user’s account. Tweets can more successfully be posted when the victim is currently logged on to his/her Twitter account as the ‘evil’ Koobface binary runs in the background.

    Figure 1. Twitter account of an infected PC

    The supossed tweets are retrieved from a Koobface C&C domain and use to shorten and kind of obfuscate the URL included in the message.

    Figure 2. Network stream of an affected PC

    Visiting the posted URL leads to a Koobface redirector page that opens the same old ‘fake’ YouTube page that hosts the Koobface loader posing as an Adobe Flash Player update also known as the infamous setup.exe.

    Figure 3. Fake YouTube page that installs setup.exe

    As with earlier Koobface-related attacks, however, Trend Micro product users need not worry about being infected as Smart Protection Network already blocks malicious sites and files from running on their systems. They should, however, still keep in mind that an ounce of prevention is always better than a pound of cure.

    Related posts on Koobface:

    Twitter, likewise, was never that safe from attacks:

    Update on June 28:

    Setup.exe is now detected as WORM_KOOBFACE.DC. It has the ability to fetch information from the affected PC and to send said info to URLs via HTTP POST.

    Moreover, Koobface writers immediately updated their mal-tweets, cleverly using current events related to Michael Jackson’s death. Luckily, the URL included in the message did not change and is still being blocked by Smart Protection Network.

    Along with the updated tweets is an update of a Koobface binary (TROJ_KOOBFACE.AJ) targeting Facebook. This binary is already being processed. More details will be provided as analysis progresses.



    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice