Its earliest versions date back to late 2008, and since then it has remained in the wild with an infection rate that is cause for concern. Accordingly, the social network's operator has released a series of preventive measures to minimize the risk of infection, a risk that is constantly latent for users of the social network.
In principle, the usual means of dissemination used by Koobface is the web, through visual social engineering, and this is the first facet of its propagation.
The second facet, infection, channels its malicious actions in a way that is very common today: a combination of several pieces of malware forming a symbiosis, where each component of the environment executes instructions in pursuit of a common, comprehensive objective.
Let us look at the components that make up the infection stage of the Koobface.NBO variant. This worm, currently detected by approximately 31 of 41 antivirus engines (75.61%), establishes a connection with the following URLs after infecting the system:
- http://oberaufseher.net/img/cmd.php
- http://pornfat.net/img/cmd.php
It then retrieves the following components (detection names as reported at the time):
- TrojanDownloader.Small.OCS (trojan)
- Tinxy.AD (trojan)
- Tinxy.AF (trojan)
- BHO.NOE (trojan)
- Koobface.NBH (worm)
- PSW.LdPinch.NEL (trojan)
From a technical standpoint, a brief preliminary analysis of each of the malicious codes downloaded by Koobface yields the following data:
The trojan TrojanDownloader.Small.OCS has a detection rate of 35/40 (87.5%). It creates registry keys and copies itself; the artifacts it leaves and the commands it runs are listed below:
- HKLM\SOFTWARE\Microsoft\MSSMGR\ (registry key)
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winccf32 (registers a Winlogon notification package, so the DLL is loaded into winlogon.exe at every logon: a persistence mechanism)
- C:\WINDOWS\system32\winccf32.dll (copy of itself)
- C:\windows\ld09.exe
- C:\docume~1\user\locals~1\temp\podmena.bat
- C:\WINDOWS\system32\SYSDLL.exe (copy of itself)
- netsh add allowedprogram "SYSDLL" C:\WINDOWS\System32\SYSDLL.exe ENABLE (adds a Windows Firewall exception for the dropped executable)
- netsh firewall add portopening TCP 80 SYSDLL ENABLE
- netsh firewall add portopening TCP 7171 SYSDLL ENABLE (opens inbound TCP 80 and 7171 for the same program)
- netsh winhttp set proxy proxy-server="http=localhost:7171" (sends WinHTTP traffic through a proxy on the local host, port 7171)
- Adds the same proxy information for the user's Internet settings under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings, value ProxyServer = "http=localhost:7171" (reg add syntax: /v ProxyServer /d "http=localhost:7171" /f)
- C:\WINDOWS\system32\796525
- C:\WINDOWS\system32\796525\796525.dll
Taken together, these changes force the host's HTTP traffic through a listener on localhost:7171, which puts the trojan in a position to inspect or alter web sessions, while the firewall exceptions keep that listener reachable and the Winlogon entry keeps it resident across reboots.
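The two indicators above that a responder can check cheaply on a suspect host are the Winlogon Notify package and the localhost proxy. The following triage script is an added example, not code from the original post or from any analysis tool the author used. It parses the text that `reg query ... /s` prints (the sample below is constructed to mirror the article's artifacts, with a legitimate XP entry alongside them), and applies two rules that generalize beyond this sample: flag any Winlogon Notify DLL that is not on a known-Windows allowlist (the allowlist itself is an assumption a responder would tune), and flag any ProxyServer value that points back at the local host on any port.

```python
"""Offline triage for Winlogon Notify DLLs and localhost proxies (added example)."""
import re
from typing import Dict, List, Tuple

# Constructed sample of `reg query` output. The winccf32 and ProxyServer
# entries mirror the article's indicators; crypt32chain is a stock XP entry.
SAMPLE_REG_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
    Asynchronous    REG_DWORD    0x0
    DLLName    REG_EXPAND_SZ    crypt32.dll
    Logoff    REG_SZ    ChainWlxLogoffEvent

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winccf32
    DLLName    REG_SZ    winccf32.dll
    Startup    REG_SZ    Startup

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    ProxyEnable    REG_DWORD    0x1
    ProxyServer    REG_SZ    http=localhost:7171
    ProxyOverride    REG_SZ    <local>
"""

# Assumption: DLLs used by the Notify packages that ship with Windows XP/2003.
KNOWN_NOTIFY_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll",
                     "wlnotify.dll", "sclgntfy.dll"}

RegTree = Dict[str, Dict[str, Tuple[str, str]]]
VALUE_LINE = re.compile(r"^\s+(.+?)\s+(REG_[A-Z_]+)\s*(.*)$")


def parse_reg_query(text: str) -> RegTree:
    """Parse reg.exe query output into {key_path: {value_name: (type, data)}}."""
    tree: RegTree = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if line.startswith("HKEY_"):          # key lines are not indented
            current = line.strip()
            tree.setdefault(current, {})
            continue
        m = VALUE_LINE.match(line)            # value lines: name, type, data
        if m and current is not None:
            name, vtype, data = m.groups()
            tree[current][name] = (vtype, data.strip())
    return tree


def parse_proxy_server(value: str) -> List[Tuple[str, str, int]]:
    """Split a ProxyServer string into (scheme, host, port) triples.

    Handles both "host:port" and "http=host:port;https=host:port" forms;
    a missing port defaults to 80 and a missing scheme is reported as "all".
    """
    out = []
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        scheme, _, hostport = part.rpartition("=")
        host, sep, port = hostport.rpartition(":")
        if not sep or not port.isdigit():
            host, port = hostport, "80"
        out.append((scheme or "all", host.lower(), int(port)))
    return out


def find_localhost_proxy(tree: RegTree) -> List[str]:
    """Report ProxyServer values that route traffic to a listener on this host."""
    findings = []
    for key, values in tree.items():
        if not key.lower().endswith("\\internet settings"):
            continue
        vals = {n.lower(): v for n, v in values.items()}   # value names are case-insensitive
        data = vals.get("proxyserver", ("", ""))[1]
        enabled = int(vals.get("proxyenable", ("", "0x0"))[1], 16)
        for scheme, host, port in parse_proxy_server(data):
            if host == "localhost" or host.startswith("127."):
                state = "enabled" if enabled else "disabled"
                findings.append(f"{key}: {scheme} proxy -> {host}:{port} ({state})")
    return findings


def find_unknown_notify_dlls(tree: RegTree, known=KNOWN_NOTIFY_DLLS) -> List[Tuple[str, str]]:
    """Report Winlogon Notify packages whose DLL is not on the allowlist."""
    findings = []
    for key, values in tree.items():
        if "\\winlogon\\notify\\" not in key.lower():
            continue
        vals = {n.lower(): v for n, v in values.items()}
        dll = vals.get("dllname", ("", ""))[1]
        basename = dll.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if basename and basename not in known:
            findings.append((key.rsplit("\\", 1)[-1], dll))
    return findings


def triage(text: str) -> Dict[str, list]:
    tree = parse_reg_query(text)
    return {"localhost_proxy": find_localhost_proxy(tree),
            "unknown_notify_dlls": find_unknown_notify_dlls(tree)}


if __name__ == "__main__":
    for kind, items in triage(SAMPLE_REG_OUTPUT).items():
        print(kind)
        for item in items:
            print("   ", item)
```

On a live host, feed it the output of `reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" /s` and `reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings"`. The WinHTTP proxy set by `netsh winhttp set proxy` is stored as a binary value under the Connections subkey rather than in ProxyServer, so check it separately with `netsh winhttp show proxy`.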
Finally, it downloads another member of the family, the worm Koobface.NBH, whose detection rate in this case was 27/40 (approx. 67.50%).
As we can see, this malware's infection is not limited to the malicious instructions it carries itself: it goes further and downloads other malware. This is common behavior today, where web applications, botnet control, and the administration of different kinds of malware are fused together, joining forces toward a common goal: improving the economics of crime.
# Jorge Mieres