Tweet

Fake YouTube pages are a distinctive characteristic of the KOOBFACE bot. These pages are used as lure to convince prospective victims to install the “codec” needed to play a video, in this case, supposedly from a “hidden camera.”

These fake YouTube pages at one time included the KOOBFACE gang’s reactions to their list of nefarious activities as released by Dancho Danchev.

A few days ago, these pages started to include a short JavaScript code, which enables the KOOBFACE gang to directly monitor page hits. The tracking code is located at the very bottom of the page, which was pushed way below by a lot of <br> tags.

The tracking code uses a hit counter Web service. According to the information gleaned from the hit count page, the KOOBFACE gang started to use this tracking method beginning July 28, 2010.

Since the tracking started, there have been 126,717 unique page hits.

It even tracks the page hits by time period.

The hourly tracking helps the gang correlate the user activity (based on time of day) and KOOBFACE infection count. However, the statistics page contains no indication of the time zone so there may not be much use to interpret the hourly data.

The 126,717 “hits” represent the number of unique visits to the fake YouTube page, which pushes the KOOBFACE loader with the file name setupNNNN.exe where NNNN is a random number. There’s no actual data in the hit count page on how many users actually ran the KOOBFACE loader. Let’s just hope that a substantial portion didn’t fall for the fake YouTube page trick.