August 17, 2011, 12:56 pm (UTC-7) | by Jonell Baltazar (Senior Threat Researcher)
The KOOBFACE botnet became known for using popular social networking sites as a propagation vector and abusing these platforms for malicious purposes. We recently observed that KOOBFACE no longer actively propagates via social networks but rather does so via a torrent P2P network through sharing Trojanized application files.
While conducting research, we found a “loader” that KOOBFACE uses. This component is responsible for downloading the botnet’s other components and arrives on victims’ systems either via the download of Trojanized torrent files or via a new KOOBFACE component called tor2.exe, which we detect as WORM_KOOBFACE.AV.
WORM_KOOBFACE.AV, upon execution, accesses a C&C domain to request a torrent file. Once received, it executes a torrent client that is stored in the resource section of the binary. This torrent client, uTorrent version 2.2.1, is executed without the user’s knowledge and runs as a background process.
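Because the loader carries its torrent client inside the binary's resource section, one of the first triage checks on a sample like this is to look for a second PE header inside the file. The script below is an added example, not code from the original post or a Trend Micro tool: the carrier blob it scans is constructed inline, and the embedded image is a synthetic header-only PE32+ stub that stands in for the uTorrent payload. A resource-aware parser would locate the payload by walking the resource directory; this raw scan is the tool-independent version and also finds payloads stored in an overlay after the last section.

```python
"""Find PE images embedded inside another file (added example, constructed data)."""
import struct

IMAGE_DOS_SIGNATURE = b"MZ"
IMAGE_NT_SIGNATURE = b"PE\x00\x00"
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
MACHINES = {0x14C: "i386", 0x8664: "x86-64", 0x1C0: "ARM", 0xAA64: "ARM64"}
IMAGE_FILE_DLL = 0x2000


def parse_pe_header(data: bytes, offset: int):
    """Validate a DOS + NT header at `offset`; return a summary dict or None."""
    if data[offset:offset + 2] != IMAGE_DOS_SIGNATURE or offset + 0x40 > len(data):
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, offset + 0x3C)   # IMAGE_DOS_HEADER.e_lfanew
    nt = offset + e_lfanew
    # e_lfanew is small in real binaries; the COFF header and optional-header magic must fit.
    if e_lfanew < 0x40 or e_lfanew > 0x1000 or nt + 26 > len(data):
        return None
    if data[nt:nt + 4] != IMAGE_NT_SIGNATURE:
        return None
    machine, nsections, _ts, _symtab, _nsyms, opt_size, characteristics = struct.unpack_from(
        "<HHIIIHH", data, nt + 4)                                  # IMAGE_FILE_HEADER
    if machine not in MACHINES or nsections == 0 or nsections > 96 or opt_size == 0:
        return None
    (magic,) = struct.unpack_from("<H", data, nt + 24)             # IMAGE_OPTIONAL_HEADER.Magic
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        return None
    return {"offset": offset, "machine": MACHINES[machine], "sections": nsections,
            "pe32plus": magic == PE32PLUS_MAGIC, "dll": bool(characteristics & IMAGE_FILE_DLL)}


def find_embedded_pe(data: bytes):
    """Return a summary of every valid PE header found after offset 0 (the carrier itself)."""
    found = []
    pos = data.find(IMAGE_DOS_SIGNATURE, 1)
    while pos != -1:
        hdr = parse_pe_header(data, pos)
        if hdr:
            found.append(hdr)
        pos = data.find(IMAGE_DOS_SIGNATURE, pos + 1)
    return found


def make_fake_pe(pe32plus: bool = False) -> bytes:
    """Constructed header-only PE image for the demonstration; it is not a runnable program."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[0:2] = IMAGE_DOS_SIGNATURE
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 3, 0, 0, 0, 0xE0, 0x0102)
    magic = struct.pack("<H", PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    return bytes(dos) + IMAGE_NT_SIGNATURE + coff + magic + b"\x00" * 64


# Constructed carrier: an outer PE32, padding, a stray "MZ" that is not a header,
# then an embedded PE32+ image standing in for the resource-stored torrent client.
STRAY = b"MZ not a header"
CARRIER = make_fake_pe() + b"\x00" * 256 + STRAY + b"\xCC" * 100 + make_fake_pe(pe32plus=True)

if __name__ == "__main__":
    for hit in find_embedded_pe(CARRIER):
        print(f"embedded PE at offset {hit['offset']:#x}: {hit['machine']}, "
              f"{hit['sections']} sections, PE32+={hit['pe32plus']}, DLL={hit['dll']}")
```

The stray "MZ" is rejected because the value at its e_lfanew slot points outside any plausible header range, which is the check that keeps this scan quiet on real binaries that happen to contain those two bytes in data. A hit from this scan is a reason to extract the inner image and examine it on its own, as the author did with the bundled uTorrent.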
The torrent client downloads the files referenced by the previously downloaded torrent file from the C&C. A sample of the downloaded torrent file references four files that supposedly comprise an Adobe Lightroom installer package:
[Image: the four files referenced by the downloaded torrent]
These files serve different functions:
- setup.exe decrypts and executes setup3.cab then executes setup2.cab.
- setup1.cab acts as the downloader of the other component binaries.
- setup2.cab is the actual Adobe Lightroom installer.
- setup3.cab decrypts and executes setup1.cab.
The files setup.exe, setup1.cab, and setup3.cab are all also detected as WORM_KOOBFACE.AV.
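The torrent file is the first artifact an analyst gets from this chain, and it can be inspected without ever handing it to a client. The script below is an added example, not code from the original post: it decodes a .torrent, lists the files and sizes it references, flags extensions worth a closer look in something that claims to be an installer package, and computes the info hash that identifies the swarm, which is the value to search for on torrent indexes or block at a gateway. The sample torrent embedded in it is constructed to mirror the four-file package above; its file sizes, tracker URL and piece hash are placeholders.

```python
"""Decode a .torrent, list referenced files and compute its info hash (added example)."""
import hashlib

EXTENSIONS_TO_REVIEW = (".exe", ".scr", ".dll", ".cab", ".msi", ".bat", ".cmd", ".com")


def bdecode(data: bytes):
    """Decode a bencoded byte string into ints, bytes, lists and dicts."""
    def parse(i):
        c = data[i:i + 1]
        if c == b"i":                       # integer: i<digits>e
            end = data.index(b"e", i)
            return int(data[i + 1:end]), end + 1
        if c == b"l":                       # list: l<items>e
            i, items = i + 1, []
            while data[i:i + 1] != b"e":
                item, i = parse(i)
                items.append(item)
            return items, i + 1
        if c == b"d":                       # dict: d<key><value>...e, keys are byte strings
            i, result = i + 1, {}
            while data[i:i + 1] != b"e":
                key, i = parse(i)
                value, i = parse(i)
                result[key] = value
            return result, i + 1
        if c.isdigit():                     # byte string: <length>:<bytes>
            colon = data.index(b":", i)
            start = colon + 1
            end = start + int(data[i:colon])
            return data[start:end], end
        raise ValueError(f"invalid bencode at offset {i}")

    value, end = parse(0)
    if end != len(data):
        raise ValueError("trailing data after bencoded value")
    return value


def bencode(obj) -> bytes:
    """Canonical bencode encoder (dict keys sorted), needed to hash the info dict."""
    if isinstance(obj, int):
        return b"i%de" % obj
    if isinstance(obj, bytes):
        return b"%d:%s" % (len(obj), obj)
    if isinstance(obj, list):
        return b"l" + b"".join(bencode(x) for x in obj) + b"e"
    if isinstance(obj, dict):
        return b"d" + b"".join(bencode(k) + bencode(obj[k]) for k in sorted(obj)) + b"e"
    raise TypeError(f"cannot bencode {type(obj).__name__}")


def summarize_torrent(data: bytes) -> dict:
    """Return tracker, name, info hash, file list and files whose extension merits review."""
    meta = bdecode(data)
    info = meta[b"info"]
    if b"files" in info:                    # multi-file torrent: paths are relative to name
        files = [("/".join(p.decode() for p in f[b"path"]), f[b"length"]) for f in info[b"files"]]
    else:                                   # single-file torrent
        files = [(info[b"name"].decode(), info[b"length"])]
    return {
        "announce": meta.get(b"announce", b"").decode(),
        "name": info[b"name"].decode(),
        # The info hash is SHA-1 over the bencoded info dict; it is how peers find the swarm.
        "info_hash": hashlib.sha1(bencode(info)).hexdigest(),
        "files": files,
        "total_size": sum(length for _, length in files),
        "review": [path for path, _ in files if path.lower().endswith(EXTENSIONS_TO_REVIEW)],
    }


# Constructed sample mirroring the four-file package in the article; sizes, tracker
# URL and the piece hash are placeholders, not values from a real torrent.
SAMPLE_TORRENT = bencode({
    b"announce": b"http://tracker.example.invalid/announce",
    b"info": {
        b"name": b"Adobe_Lightroom",
        b"piece length": 262144,
        b"pieces": b"\x00" * 20,
        b"files": [
            {b"length": 90112, b"path": [b"setup.exe"]},
            {b"length": 61440, b"path": [b"setup1.cab"]},
            {b"length": 52428800, b"path": [b"setup2.cab"]},
            {b"length": 40960, b"path": [b"setup3.cab"]},
        ],
    },
})

if __name__ == "__main__":
    summary = summarize_torrent(SAMPLE_TORRENT)
    print(f"{summary['name']}  info_hash={summary['info_hash']}  tracker={summary['announce']}")
    for path, length in summary["files"]:
        print(f"  {length:>12}  {path}")
    print("review:", ", ".join(summary["review"]))
```

Run it against a real sample by passing the torrent's bytes to summarize_torrent. The info hash is the durable indicator here: file names and tracker URLs change between uploads, but every peer seeding the same payload advertises the same hash.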
Note that a system infected with WORM_KOOBFACE.AV runs a hidden torrent client process, which makes it a “peer” that seeds, that is, hosts, the malicious binaries. The more seeders a torrent has, the more likely other users are to download it, since a well-seeded torrent promises faster download speeds.
KOOBFACE Trojanized Torrents in Popular Torrent Sites
Unwitting users looking for pirated copies of popular software such as games, PC utilities, or productivity software are in for a surprise, as these Trojanized software torrents are found on popular torrent sites. The following is a partial list of the observed torrent file names that have been Trojanized by KOOBFACE:
- 65_Silent_Scream_The_Dancer.torrent
- 67_Dark_Ritual.torrent
- 68_Celtic_Lore_Sidhe_Hills.torrent
- 69_Lightroom.torrent
- 71_SystemCare.torrent
- WinrRAR_4_Beta_7.torrent
- 72_Voodoo_Whisperer.torrent
- 73_Allore_And_The_Broken_Portal.torrent
- 74_Secret_of_Hildegards.torrent
- 75_Mystery_Chronicles.torrent
- 76_Magical_Mysteries.torrent
Searching for these torrent names shows several torrent sites hosting them. The following image shows our example torrent, 69_Lightroom.torrent, found in the BitSnoop Torrent site.
[Image: 69_Lightroom.torrent listed on the BitSnoop torrent site]
AV Evasion Through Multiple Components and Encryption
Another notable aspect of this technique is the use of several component files, some of which are encrypted. Splitting the payload into several component binaries and encrypting some of them lets the botnet’s components evade the antivirus scanners of the torrent file servers. Several component binaries working together toward a single goal also make analysis longer and harder. In addition, an analyst who obtains only one component may wrongly conclude that it is not malware, since the other components are needed to see what the malware’s real objective is.
The shift from concentrating on propagating through social networks to torrent P2P networks may be a result of the efforts by the targeted social networks to prevent the KOOBFACE botnet from abusing their framework. Despite this change, users should be aware that the KOOBFACE gang has not stopped coming up with schemes to infect users’ systems. They are simply looking for other means to do so.
Past KOOBFACE-related blog entries:
- KOOBFACE Gang Now Tracking Visitors
- KOOBFACE Spreading via Facebook DMs Again
- The Evolution of KOOBFACE: A Web 2.0 Botnet
Updated August 17, 2011, 8:26 PM PST due to a change in detection names. Files previously detected as TROJ_MALAGENT.FA, TROJ_DLOADER.SPA, and TROJ_DLOADER.KOO are now also detected as WORM_KOOBFACE.AV.