The KOOBFACE botnet became known for using popular social network sites as vector for propagation and abusing these platforms for malicious purposes. Currently, it has been observed that KOOBFACE does not actively propagate via social networks, but rather propagates via a torrent peer-to-peer network through Trojanized shared application files.
Based on our research, we found a “loader” being used by KOOBFACE, which is a component responsible for downloading other components. This loader arrives on the victim’s computer either by downloading Trojanized torrent files, or through a new component of KOOBFACE named “tor2.exe”, which is detected as WORM_KOOBFACE.AV.
WORM_KOOBFACE.AV, upon execution, connects to the C&C domain to request a torrent file. Once received, it executes a torrent client, which is found in the resource section of the binary, onto the affected system. This torrent client, a 2.2.1 version of uTorrent, is executed such that it is not visible to the user and runs as a background process.
The torrent client is used to download the files referenced by the previously downloaded torrent file from the C&C. A sample of the downloaded torrent file references 4 files, which is supposedly an Adobe Lightroom installer package:
- setup.exe – decrypts and executes setup3.cab, and then executes setup2.cab
- setup1.cab – downloader of other component binaries
- setup2.cab – actual installer of Adobe Lightroom software
- setup3.cab – decrypts and executes setup1.cab
The files setup.exe, setup1.cab, and setup3.cab are detected as TROJ_MALAGENT.FA, TROJ_DLOADER.SPA, and TROJ_DLOADER.KOO respectively.
Note that affected systems running the WORM_KOOBFACE.AV are running a hidden torrent client process, thus making the system a “peer” that is seeding or hosting the malicious binaries. The more seeders there are for a specific torrent file, the more likely it is for other users to download them, since they promise a faster download.
KOOBFACE Trojanized Torrents in Popular Torrent Sites
Unwitting users looking for pirated copies of popular software such as games, PC utilities, or productivity software are in for a surprise, as these Trojanized software torrents are found on popular torrent sites. The following is a partial list of the observed torrent file names Trojanized by KOOBFACE:
- 65_Silent_Scream_The_Dancer.torrent
- 67_Dark_Ritual.torrent
- 68_Celtic_Lore_Sidhe_Hills.torrent
- 69_Lightroom.torrent
- 71_SystemCare.torrent
- WinrRAR_4_Beta_7.torrent
- 72_Voodoo_Whisperer.torrent
- 73_Allore_And_The_Broken_Portal.torrent
- 74_Secret_of_Hildegards.torrent
- 75_Mystery_Chronicles.torrent
- 76_Magical_Mysteries.torrent
Searching for these torrent names shows several results of torrent sites hosting them. The following image shows our example torrent, 69_Lightroom.torrent, found in BitSnoop Torrent hosting site.
Another notable aspect of this technique is the usage of several component files and their encryption. Using several component binaries and encrypting some of these components, the botnet components avoid detection from anti-virus scanners of torrent file servers. Several component binaries working together to reach a certain goal makes analysis longer and harder. Also, having a copy of just one component binary may cause the analyst to lead to a conclusion that it is not a malware since the analyst needs the other components to see what the real objective the malware is.
The shift from concentrating on propagating through social networks to torrent P2P network may be a result of the efforts by the targeted social networks to prevent the KOOBFACE botnet from abusing their framework. Despite this change, users should be aware that the KOOBFACE gang has not stopped in coming up with schemes to infect users. They are simply looking for other means to do so.
Past KOOBFACE-related blog entries:
Leave a reply
