Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Mobile Vulnerabilities

  • Zero-Day Alerts

  • Recent Posts

  • Calendar

    September 2015
    S M T W T F S
    « Aug    
  • Email Subscription

  • About Us

    9:59 pm (UTC-7)   |    by

    Fake YouTube pages are a distinctive characteristic of the KOOBFACE bot. These pages are used as lure to convince prospective victims to install the “codec” needed to play a video, in this case, supposedly from a “hidden camera.”

    Click for larger view

    These fake YouTube pages at one time included the KOOBFACE gang’s reactions to their list of nefarious activities as released by Dancho Danchev.

    A few days ago, these pages started to include a short JavaScript code, which enables the KOOBFACE gang to directly monitor page hits. The tracking code is located at the very bottom of the page, which was pushed way below by a lot of <br> tags.

    Click for larger view

    The tracking code uses a hit counter Web service. According to the information gleaned from the hit count page, the KOOBFACE gang started to use this tracking method beginning July 28, 2010.

    Since the tracking started, there have been 126,717 unique page hits.

    It even tracks the page hits by time period.

    Click for larger view

    The hourly tracking helps the gang correlate the user activity (based on time of day) and KOOBFACE infection count. However, the statistics page contains no indication of the time zone so there may not be much use to interpret the hourly data.

    The 126,717 “hits” represent the number of unique visits to the fake YouTube page, which pushes the KOOBFACE loader with the file name setupNNNN.exe where NNNN is a random number. There’s no actual data in the hit count page on how many users actually ran the KOOBFACE loader. Let’s just hope that a substantial portion didn’t fall for the fake YouTube page trick.

    Share this article
    Get the latest on malware protection from TrendLabs
    Email this story to a friend   Technorati   NewsVine   MySpace   Google   Live   StumbleUpon


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice