One question that people often ask when we describe how millions of computers are infected with malware is "Why would anyone do that?" The answer of course is: MONEY.
Some of these money making schemes are so convolluted that it seems unlikely that anyone could make any money at them, but even if they only make a couple pennies per day on each machine, when you have millions of compromised machines, that adds up over time.
Ellen Mesmer of Network World documented America's Ten Most Wanted Botnets last month, and placed Zeus at #1, followed by Koobface at #2. That's a pretty good prioritization system, and one we are following at UAB in our Malware Analysis lab. Zeus is straight-forward. It steals money by compromising their banking credentials, and stealing the money out of their bank accounts. Koobface is far more subtle. With more than 2.9 million compromised American computers, its well worth looking at closer.
UAB Computer Forensics now has three Malware Analysts looking at malware. Brian Tanner, the most senior of the crew, has been looking at Koobface on a regular basis since January, and has a good understanding of how it works. He walked me through the paces yesterday, explaining the most recent version, starting by clicking on a link posted by a "friend" we maintain on Facebook because we can always count on him to provide a link to the current malware.
In this case, the link appeared to be a "video" that our friend wanted us to play. In reality, it caused our goat machine to fetch a URL from the site:
That fetch actually pulled another file called "ups.php", which caused us to run code from:
That program maintains a list of compromised Facebook user computers, and sends us to one of them to retrieve a page. On our first fetch, I got a page that looked like this:
Reloading the page repeatedly took us on a world tour of Koobface infected computers:
126.96.36.199 - Israel
188.8.131.52 - Spain
184.108.40.206 - France
220.127.116.11 - Israel
18.104.22.168 - United States
22.214.171.124 - Canada
126.96.36.199 - Israel
188.8.131.52 - Australia
184.108.40.206 - Morocco
220.127.116.11 - United Kingdom
18.104.22.168 - Chile
22.214.171.124 - United States
126.96.36.199 - Sweden
188.8.131.52 - Algeria
184.108.40.206 - Israel
220.127.116.11 - United States
Network Administrators, each of these pages (today) was loading the malware from a path called /0x3e8/. If you see anyone hitting that path on any of your IP addresses, you may have a Koobface infection on your network.
Each page was 100% identical to each other page.
After seeing the page, a program runs so that when you next click a mouse button or type a key, you receive a popup message telling you that you need to upgrade your Flash Player in order to see the video your friend is trying to share with you.
Of course, THAT is what infects your computer. You are prompted to download and execute a file called 'setup.exe' which is the actual Koobface malware. Once downloaded, the bad guys can cause your computer to do many new things.
A VirusTotal report on this malware indicates that it is currently detected by 23 of 41 anti-virus products, up by five from the 18 of 41 that detected it last night.
Network Administrators can recognize infected machines because they will communicate with some of the following Command & Control domains for this version of Koobface:
and of course as we already mentioned, masa31082009.com.
Tanner unpacked the setup.exe binary and was able to find strings indicating that the malware knows how to interact with several social networking sites, including:
But how does the site make money? Koobface is the "infect and spread" function, but other malware dropped to our computer performed the "monetize" function. In our case, Koobface's command & control (C&C) server at suz11082009.com (18.104.22.168) gave us several .exe files, including ff2ie.exe, fb.61.exe, and v2prx.exe. These were copied to other file names after being downloaded, including "pp11.exe" and "mset.exe".
In our case, a fake anti-virus product, also known as a "scareware" installation, was downloaded and began pestering us relentlessly that our machine was infected with viruses and that we needed to purchase a copy of their fake anti-virus product in order to stop these messages from popping up. In our case the fake product was "PC AntiSpyWare 2010".
That is the more obvious money-maker. Its amazing how many people fall for this scam! Previous busts of scareware vendors indicate that they have dozens of employees in their companies and have sold millions of dollars worth of the fake products! The scam is described on the FTC's website as Free Security Scan Could Cost Time and Money, and took action against companies in December 2008, and June 2009 against one company who successfully sold their fake product to more than 1 million consumers!
That's $40 Million Dollars!
The other way that these companies make money is through "affiliate advertising programs". Brian Tanner demonstrated for me in the lab. On an uninfected computer, when one does a Google search, Google returns results, and then you can visit the pages by clicking on the link in the results tab. On a computer that had been infected with Koobface, a secondary infection had been downloaded which caused search results to be redirected through an elaborate network of affiliate advertising programs. In order to prevent too much suspicion, it seems that a random chance is performed before deciding whether to give you your real page, or take you to an advertising page instead.
Some examples that Brian showed me included:
Search for "dog" or "cat" -- took us to the 3M Scotch Fur Remover page, no matter what Google result we clicked on.
Search for "cheap games" -- took us to the Geek Life page (gklife.com), no matter what Google result we clicked on.
Search for "Symantec" or "McAfee" -- took us to "stopsign.com", no matter what Google result we clicked on.
By looking at a network packet capture, we could see that we were being routed through many hops, that usually began with a computer called "findy31.com".
So, findy31.com (22.214.171.124) would send us to "kc.mv.bidsystem.com" which would send us to "kc.xmlseasrch.miva.com" (126.96.36.199), which sent us to "www.toseeka.com".
Or, findy31.com would send us to xmlsearch.miva.com, which sent us to "www.shopica.com".
Of, findy31.com would send us to "atl.mv.bidsystem.com", which sent us to "atl.xmlsearch.miva.com" (188.8.131.52), which sent us to "www.stopsign.com".
Several of the pages we were redirected through are legitimate advertisement affiliate programs, which pay webmasters for referring traffic to their sites. The problem here is that some "bad affiliates" have joined their program, and are redirecting traffic by use of search engine result manipulation, instead of legitimately interested customers choosing to click on advertisements.
Brian's other discovery was in his analysis of the malware which performs the redirection. That malware had several hardcoded addresses to control its function, including some IP addresses, such as 184.108.40.206, 220.127.116.11, 18.104.22.168, 216.245,196.234, and also some domain names, including fire***eye.com, and f***briankrebs.com, and antisgetout.cn.
We shared the Brian Krebs domain with our friend at the Washington Post, who authors the excellent column "Security Fix". He responded with today's column From Koobface with Love, where he and Alex Lanstein from FireEye, another great security researcher, reflect on what it means to have a malware domain named after themselves. Alex calls it "a feather in his cap." Well done, gentlemen! Keep up the good fight!