
The Real Face of Koobface

Ryan Flores, Jonell Baltazar, Joey Costoya
Presented by: Ivan Macalintal
VB 2009, September 2009

“A single entity defined by the sum of its parts…”

- Dunne, “The Lost Symbol”, Chapter 18

Classification 9/29/09 2 Copyright 2007 - Trend Micro Inc.

What is the real face of Koobface?

Koobface, not just a single piece of

A group of components working together, not only to form Koobface but also to support the Koobface business model:
- Main downloaders
- Social network propagation components
- Bloggers
- Web servers
- URL checkers
- CAPTCHA breakers
- FakeAVs
- Web search hijackers
- Rogue DNS changers
- Data stealers
- Koobface C&C
- and many more…

Koobface, an ever evolving threat

Koobface, an ever elusive C&C

Koobface, able to adapt

(Before / after comparison, as of July 19, 2009)

Koobface is…

• Multi-component
• Evolving
• Elusive
• with an adaptable malware writing group behind it!

What else?

The Koobface Botnet

Some Koobface facts you probably didn’t know…

Koobface authors get personal

Koobface blocks Akamai

Koobface, making good use of compromised sites

Koobface: most victims are American

Koobface uses Google’s Blogspot

But wait… there’s more!!

Koobface defeats URL blocking

Koobface info stealing

Koobface knows what you look like…

The Koobface Botnet

Had enough???

The Koobface Botnet

The Koobface Gang isn’t done yet...

Just recently, they have added some new functionalities, such as:
- C&C communication integrity check
- GeoIP
- a Firefox to IE cookie converter

What is the real face of Koobface?

The Koobface Botnet

What is the real face of Koobface?

- hard to paint
- continuously changing
- an unfinished product
- perpetual beta
- with authors keeping tabs on what the security industry is doing to combat their creation

Presenting… Koobface Then

Presenting… Koobface Now

More info…

http://us.trendmicro.com/us/trendwatch/research-and-analysis/white-papers-and-articles/index.html (PART I)

Yes, there will be PART II (soon)

Malware Blog http://blog.trendmicro.com

Koobface Tracker

Questions?