The Real Face of Koobface
Ryan Flores, Jonell Baltazar, Joey Costoya
Presented by: Ivan Macalintal
VB 2009, September 2009 (9/29/09)

“A single entity defined by the sum of its parts…”
- Dunne, “The Lost Symbol” Chapter 18
Copyright 2007 - Trend Micro Inc.

What is the real face of Koobface?

Koobface, not just a single piece of malware
A group of malware working together not only to form the Koobface botnet but also to support the business model of Koobface:
- Main Downloaders
- Social Network Propagation Components
- Bloggers
- Web Servers
- URL Checkers
- Captcha Breakers
- FakeAVs
- Web Search Hijackers
- Rogue DNS Changers
- Data Stealers
- Koobface C&C
- and many more….
Koobface, an ever evolving threat

Koobface, an ever elusive C&C

Koobface, able to adapt
[Figure: Before vs. As of July 19, 2009]
Koobface is…
• Multi-component
• Evolving
• Elusive
• with an adaptable malware writing group behind it!
What else?

The Koobface Botnet
Some Koobface facts you probably didn’t know…
Koobface authors get personal
Koobface blocks Akamai

Koobface, making good use of compromised sites

Koobface, most victims are Americans

Koobface uses Google’s Blogspot

But wait… there’s more!!

Koobface defeats Facebook URL blocking

Koobface info stealing

Koobface knows what you look like…

The Koobface Botnet
Had enough???

The Koobface Botnet
The Koobface Gang isn’t done yet...
Just recently, they’ve added some new functionalities such as:
- C&C communication integrity check
- GeoIP
- a Firefox to IE cookie converter
What is the real face of Koobface?

The Koobface Botnet
What is the real face of Koobface?
- hard to paint
- continuously changing
- unfinished product
- perpetual beta
- with authors keeping tabs on what the security industry is doing to combat their creation
Presenting… Koobface Then

Presenting… Koobface Now

More info…
http://us.trendmicro.com/us/trendwatch/research-and-analysis/white-papers-and-articles/index.html (PART I)
Yes, there will be PART II (soon)
Malware Blog http://blog.trendmicro.com
Koobface Tracker
Questions?