
The Real Face of Koobface
Ryan Flores, Jonell Baltazar, Joey Costoya
Presented by: Ivan Macalintal
VB 2009, September 2009

“A single entity defined by the sum of its parts…”
- Dunne, “The Lost Symbol”, Chapter 18

Classification 9/29/09 2 Copyright 2007 - Trend Micro Inc.

What is the real face of Koobface?

Koobface, not just a single piece of malware
A group of malware components working together, not only to form the Koobface botnet but also to support the Koobface business model.
- Main Downloaders
- Social Network Propagation Components
- Bloggers
- Web Servers
- URL Checkers
- Captcha Breakers
- FakeAVs
- Web Search Hijackers
- Rogue DNS Changers
- Data Stealers
- Koobface C&C
- and many more…

Koobface, an ever-evolving threat

Koobface, an ever-elusive C&C

Koobface, able to adapt
[Figure panels: As of July 19, 2009; Before]

Koobface is…
• Multi-component
• Evolving
• Elusive
• with an adaptable malware writing group behind it!

What else?

The Koobface Botnet
Some Koobface facts you probably didn’t know…

Koobface authors get personal

Koobface blocks Akamai

Koobface, making good use of compromised sites

Koobface, most victims are Americans

Koobface uses Google’s Blogspot
But wait… there’s more!!

Koobface defeats Facebook URL blocking

Koobface info stealing

Koobface knows what you look like…

The Koobface Botnet
Had enough???

The Koobface Botnet
The Koobface Gang isn’t done yet...
Just recently, they’ve added some new functionalities such as:
- C&C communication integrity check
- GeoIP
- a Firefox to IE cookie converter

What is the real face of Koobface?

The Koobface Botnet
What is the real face of Koobface?
- hard to paint
- continuously changing
- unfinished product
- perpetual beta
- with authors keeping tabs on what the security industry is doing to combat their creation

Presenting… Koobface Then

Presenting… Koobface Now

More info…
http://us.trendmicro.com/us/trendwatch/research-and-analysis/white-papers-and-articles/index.html (PART I)
Yes, there will be PART II (soon)
Malware Blog: http://blog.trendmicro.com
Koobface Tracker

Questions?