Tuesday, December 1, 2009

Koobface campaign spread through Blogspot

A massive campaign to spread the Koobface worm is In-the-Wild, using as its strategy blogs generated on the Blogspot service.

Koobface has become a nightmare for social networks. Even though its propagation strategies do not change, this malware has been active for almost two years with a significant infection rate, making it one of the largest botnets today.

Dozens of Blogspot subdomains are used as cover for the spread.


Anyone who accesses one of these domains is redirected to a page that simulates the typical YouTube screen. A screenshot of the fake page follows.

Immediately afterward, the page tries to download a binary called "setup.exe" (MD5 6d8ac41c64137c91939cced16cb5f2fe), which has a low average detection rate. This binary in turn takes care of downloading and executing other malicious code.
Each of these files is downloaded from URLs of the form "homemadesandwiches.com/.sys/?getexe=ff2ie.exe".
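As an added defender-side example (not code from the original post), the following Python script applies the two indicators described above, a setup.exe fetched behind a blogspot.com referrer and a "/.sys/?getexe=" loader request, to constructed proxy log lines; the log format, client addresses and every host other than homemadesandwiches.com are assumed.

```python
import re
from collections import defaultdict

# Pattern of the second-stage download URL described in the post:
# a "/.sys/?getexe=<name>.exe" query on an arbitrary (compromised) host.
GETEXE_RE = re.compile(r"https?://([^/]+)/\.sys/\?getexe=([\w.-]+\.exe)", re.IGNORECASE)
# Referrer that points at a Blogspot subdomain (the lure pages of the campaign).
BLOGSPOT_RE = re.compile(r"^https?://[\w-]+\.blogspot\.com/", re.IGNORECASE)

# Constructed sample proxy log lines: client, method, URL, referrer ("-" if none).
# Not real traffic; only homemadesandwiches.com is taken from the post.
SAMPLE_LOG = """\
10.0.0.5 GET http://example-blog.blogspot.com/ -
10.0.0.5 GET http://fake-video.example/watch/setup.exe http://example-blog.blogspot.com/
10.0.0.5 GET http://homemadesandwiches.com/.sys/?getexe=ff2ie.exe -
10.0.0.7 GET http://news.example/index.html -
10.0.0.9 GET http://another.example/.sys/?getexe=v2captcha.exe -
"""

def parse_line(line):
    """Split one constructed log line into (client, method, url, referrer); None if malformed."""
    parts = line.split()
    if len(parts) != 4:
        return None
    return tuple(parts)

def detect_koobface(log_text):
    """Return {client: [alerts]} for requests matching the post's infection chain.

    Heuristic 1: a setup.exe download whose referrer is a blogspot.com lure page.
    Heuristic 2: any request to a '/.sys/?getexe=' URL (second-stage loader fetch).
    """
    alerts = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        client, _method, url, referrer = rec
        if url.lower().endswith("/setup.exe") and BLOGSPOT_RE.match(referrer):
            alerts[client].append(("lure_download", url))
        m = GETEXE_RE.search(url)
        if m:
            alerts[client].append(("getexe_fetch", m.group(1), m.group(2)))
    return dict(alerts)

if __name__ == "__main__":
    for client, hits in detect_koobface(SAMPLE_LOG).items():
        print(client, hits)
```

Client 10.0.0.5 triggers both heuristics and 10.0.0.9 only the loader fetch, which is the order of events a responder would expect from this chain.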

The binary v2captcha.exe handles breaking the CAPTCHA that Blogspot requires for blog registration, creating blogs en masse with random names; these then redirect to the Koobface download through, as mentioned at the beginning, a fake YouTube page that uses the same visual social engineering approach seen in other similar spreading campaigns.

Undoubtedly Koobface is another piece of malware that persists despite many of its variants being detected by most antivirus companies.

Related information
Symbiosis of present-day malware: Koobface

Jorge Mieres
Pistus Malware Intelligence

1 comment:

Anonymous said...

More domains showing similar activity

http://malc0de.com/tools/db.php?search=ff2ie.exe