Tweet

The KOOBFACE FTP grabber component, which is a variant of the LDPINCH Trojan family, usually drops stolen FTP user names and passwords to a remote server controlled by the KOOBFACE gang. This remote server, located in Hong Kong, was taken down last week, thanks largely to the efforts of the Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT). However, the KOOBFACE gang was quick to move their server to another hosting company located in China.

The FTP grabber sends stolen credentials to the remote server using the word “malware” as user-agent and HTTP POST request to the the URL, http://{BLOCKED}find.com/adm/index.php.

The admin page is located in the /adm/admin.php directory.

When a botnet server is taken down, botnet owners tend to avail of bulletproof hosting services or the services of hosting companies that are hard to take down, which not only means business as usual for cybercriminals but also means they are shoring up their “defenses.” In light of these developments, Trend Micro will continuously observe the KOOBFACE family of threats in order to keep our customers protected.