Earlier this week, we first posted our usual warning about the spike in Koobface threats that our ThreatFire users were seeing. That post set off some interest in the worm again. The last spike in the worm coincided with Dancho Danchev’s post in November, following the first report in July of high worm prevalence.
Because requests for information and assumptions that the redirection to a video download make it Zlob have been repeated, some additional technical detail will be of interest here.
First, an interesting thing to note for users is that the social engineering scheme used to persuade users into installing the worm is off. When Internet Explorer users visit Adobe’s Flash player install site and hit “Agree”, they are provided with an ActiveX install. When Firefox and Chrome users visit the authentic Flash player install site and click on “Agree”, they are prompted to install a file by the name of “install_flash_player.exe”. Neither of these names are used by the worm distributors, the worm is provided as “flash_update.exe”.
Multiple files are currently of interest here: flash_update.exe, bolivar27.exe, bolivar28.exe, fmark2.dat, multiple batch files that delete these executables, tt_1209658078.exe and tinyproxy.exe.
These were the files installed via a flash_update.exe executable being distributed a few hours ago.
Flash_update.exe is a small executable simply packed with upx and encoded to obfuscate strings (http download links, interesting cookie information, etc).
Tinyproxy.exe is the final install. It is installed as a service, and acts as a Bho, redirecting the infected system’s browser to multiple ad sites. The file itself is copied with Hidden and System attributes, so on most systems, the file is not displayed in a “c:program filestinyproxy” folder window.
We saw it redirect our system to ads from Yahoo! HotJobs, the March of Dimes Foundation, and constant redirections to www-find-www.com and 126.96.36.199. It does this redirection in a tricky manner. Only when we visited Google and then clicked on a result link was our browser redirected to an ad site.
Mr. Danchev claimed that this file, hosted at the American International Baseball Club web server in Vienna (www.aibc.vienna.org), was taken down (indicating a compromise), but unfortunately that does not seem to be the case.