Tuesday, December 9, 2008

Koobface Leaves Victims the Black Spot

Koobface worm has already been described enough, but a few details about its functionality can still be interesting to the reader. This post is an attempt to crack it to the bottom.


Koobface starts from checking if its own file name is %windows%\bolivar[number].exe, where [number] is a decimal number that depends on the build of the worm.

If its file name is not %windows%\bolivar[number].exe, it will copy itself under that name, run that file, drop a temporary batch file (e.g. c:\653ad216543.bat) with the commands to delete its own executable (it can't delete itself while it's running), and quit.

When it runs as %windows%\bolivar[number].exe, it will create the mutex object "4334dfgdfgdf5" in order to make sure that there is only one instance of Koobface running on the system.

It then returns the handle to the foreground window (the window with which the user is currently working) and check if that window is Internet Explorer. If that's the case, it will create an object that will be an invisible instance of Internet Explorer. It will then use that object to navigate across Facebook site and parse its contents.

The worm drops and runs file c:\1.reg in order to create the values:


in the registry key:

HKEY_CLASSES_ROOT\Mime\Database\Content Type\application/xhtml+xml

These registry modifications will force Internet Explorer to display application/xhtml+xml MIME type pages without a download prompt.

Koobface retrieves the default system directory for storing cookies by querying the value "Cookies" from the registry key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

Next, it enumerates all cookies looking for the ones created by facebook.com, myspace.com, and bebo.com websites.

Koobface then makes a DNS query to find out what IP address corresponds to the name y171108.com. For different variants this domain name is different, but its format appears to be constant: [letter][date].com, e.g. a22092008.com, f071108.com, z13092008.com.

The name server replies the DNS request with an IP

This IP address is the command and control (C&C) server for Koobface - it accepts data that Koobface collects on a compromised host and replies back instructions of what Koobface should do.

The collected data is delivered by Koobface in the POST request submitted to /fb/first.php resource of C&C server. The POST string is assembled from the parameters - like these:


For example, "ck" parameter is equal to "0" if Koobface could not find facebook.com cookie, or "1" if the cookie was found.


The C&C returns back instructions that may depend on the data that Koobface delivers to the C&C server - these can be considered backdoor commands which also makes Koobface a backdoor trojan.

Some of the commands that Koobface can be instructed to perform are listed below:










  • WAIT





  • TEXT_B




  • TEXT_M


  • LINK_M


  • TEXT_C



  • EXIT

Those commands that require parameters will have them appended and delimited with the "|" character. For example, C&C may return these commands:


The first command is START - Koobface will perform it this way:

  • it will create a temporary file c:\tmark25[random_number].dat

  • it will then download an executable file from the specified URL saving it as the temporary file

  • it will then copy that file as %temp%\tt_[random_number].exe, then run it

The aforementioned executable will be downloaded either from www.teamtga.com or from www.gameland.ro - according to the parameter returned at the time of this writing. A couple of days ago this was www.aibcvienna.org. A few hours from now it could be a different URL.

The C&C must have an updatable database of compromised web servers from which the Koobface client will be instructed to download and run executables. Once one compromised site is cleaned or taken down, the C&C database will be updated to feed a different URL to its clients.

On RESET command, Koobface will delete the temporary files and re-start its workflow.

On STARTIMG command, it will download a file from the specified URL, save it as c:\tmark25[random_number].dat, decrypt it, parse the decrypted contents, locate URL inside it, then download an executable from that URL, save it as %temp%\tt_[random_number].exe, and finally run that executable.

On UPDATE command, the worm will download an updated build from the specified URL, save it as %temp%\tt_[random_number].exe, run it and quit.

On EXIT, it will simply quit.

Other commands may specify additional global parameters or modes.


Before it continues, Koobface makes a final query to its C&C server's resource achcheck.php.

If the server responds ACH_OK, the worm goes ahead.

The user-agent string that identifies the client browser is set by Koobface to:
User-Agent: Mozilla/5.01 (Windows; U; Windows NT 5.2; ru; rv: Gecko/20040201 Firefox/3.0.3

The user-agent language tag, that indicates the language for which the client had been localized, is "ru": Russian.

This explains #BLACKLABEL token returned by the C&C server - it's the result of translation of The Black Spot term (from the novel Treasure Island by Robert Louis Stevenson) into Russian, and then back into English.

Once the victim is "given the Black Spot", Koobface locates the cookie left by facebook.com in the cookie cache, then reads it and uses its contents to connect to Facebook website.

For example, if the cookie's contents starts from:

then the GET request submitted by Koobface will look like shown below (check the "datr" value - it is taken from the cookie):

This allows Koobface to connect to Facebook account by using current user's login session. Thus, it does not need to know user's login credentials. As long as the user stays connected to the Facebook account, the worm freely accesses it as if it was the user.

Once connected, the worm opens up several Facebook resources such as home.php, profile.php, group.php. It navigates to the page http://www.facebook.com/friends/?view=everyone in order to obtain the list of the user's friends.

If it locates a friend, it submits a POST request to its C&C server's resource /fb/gen.php. The POST request contains details similar to the ones below:


The C&C server responds the following parameters:

TITLE_M|Cool nice video with you.

These parameters is a template for a new message that Koobface should send to the contacts. It then navigates to the page /inbox/?compose within Facebook website, composes a new message and submits it from the user's name:

Before the message is dispatched, Facebook returns CAPTCHA challenge to resolve. This security measure is implemented to protect users from threats like Koobface.

In the real test, Facebook.com asked the Koobface to resolve the CAPTCHA image that reads "suffer accorn" - this image was pretty noisy for image recognition algorithms to resolve it successfully. But Koobface does not attempt to resolve it by itself. It submits this image to its C&C server. The server replies correct answer in about 34 seconds. Once the answer is received, Koobface submits the message via Facebook's compromised account including correct CAPTCHA answer:


In order to test Koobface replication in action, there were 2 fake accounts created: "Eno Koob Acef" and "Owt Koob Acef" ("Face Book One" and "Face Book Two" reversed). Both accounts were mutually declared as friends.

If the computer logged on to the second account is compromised with Koobface, the worm will use its login session, it will locate "Eno Koob Acef" as its friend, and it will send it a message.

The image below shows the inbox of the first account ("Eno Koob Acef") - it contains a new message from the 2nd account ("Owt Koob Acef") with the subject "Cool nice video with you."

When the user clicks the new message link, Facebook.com will open that message:

The message contains a URL that points to a private page hosted at geocities.com web site. When that link is clicked, the browser will redirect the message recipient to the following page:

The page has a header "Secret video by [infected_user_name] - Flash Player Installation". It even has fake testimonials. The page suggests installing a newer version of Flash Player, which of course is not a Flash Player. It's a file called flash_update.exe, and it's a new copy of Koobface. If the Facebook user runs it thinking it's a Flash Player update, the worm will now replicate to this user's friends the same manner it did before, and so on, and so on.


At one point of its execution, Koobface submitted GET request to facebook.com:

The purpose of this request is not quite clear. It might potentially be related to some advertising program within Facebook (e.g. similar to Google AdSense), but this is a guess...

Nevertheless, if it's about the money generated by clicking ads by Koobface, the ads that are allocated by Facebook within other peoples' profiles, then its business model becomes more evident. It may even potentially include manual labor in breaking the CAPTCHAs (it's not free) - at least it explains a 34 seconds inter-server delay in solving it.