Earlier last week, we first posted our usual warning about the spike in Koobface threats that our ThreatFire users were being protected against on their systems. That post set off some interest in the worm again. The last spike in the worm coincided with Dancho Danchev’s post in November, following the first report in July of high worm prevalence.
Because requests for information and assumptions that the redirection to a video download make it Zlob have been repeated, and because the worm’s components are actively being re-distributed in high prevalence, we’ll spill another Dancho sized mug of coffee over additional and current technical details.
But first, an interesting note for users is that the social engineering scheme used to persuade users into installing the worm does not match the Adobe Flash Player install that the malware distributors are trying to spoof.
On a visit to the real adobe.com site, the user can click on an image to update their flash player:
Internet Explorer users visiting the Flash player install page then can hit “Agree”, and they are provided with an ActiveX install. When Firefox and Chrome users visit the authentic Flash player install site and click on “Agree”, they are prompted to install a file by the name of “install_flash_player.exe”. Neither of these names are used by the worm distributors. The worm is provided as “flash_update.exe”.
Multiple Koobface files are currently of interest here: flash_update.exe, bolivar29.exe, fmark2.dat, multiple batch files that delete these executables, tt_1209658078.exe, 351631.dll and tinyproxy.exe. Keep in mind that the end goal is to spread the 351631.dll file and the tinyproxy.exe files, installing them as a Bho and system service (in the lab, it was installed as the “Shell Hardware Detection (ShellHWDetection)” system service). Both of these components are nasty little bits of adware. When the bho identifies that a user is using a specific search engine, like google or yahoo, they are redirected to other sites. Ads are popped as well.
These were the files installed via a flash_update.exe executable being distributed and run a few hours ago from an unfortunate infected server in Serbia sitting on a home cable internet connection.
Flash_update.exe is a small executable simply packed with upx and encoded to obfuscate strings (http download links, interesting cookie information, etc):
It drops c:windowsbolivar29.exe, (an exact duplicate of itself) and calls CreateProcessA on that file to run it.
It writes a batch file to c: to delete itself, and calls CreateProcessA on the batch file and exits.
Bolivar29.exe is an exact duplicate of flash_update.exe. When started, it checks its own filename. If it is bolivar29.exe, the infection has already occured, so it doesn’t need to drop another copy of itself. It looks for looks for ed323432006.dat on the c: drive and checks for social networking “cookies” and data files. It drops another file, tt_1228867129.exe, into the temp directory, that POSTS back to a web server:
User-Agent: Mozilla/5.01 (Windows; U; Windows NT 5.1; ru; rv:126.96.36.199) Gecko/20040201 Firefox/3.0.4
f=0&a=-xxx&v=19&c=2&s=fb&l=&ck=1&c_fb=1&c_ms=0&c_hi=0&c_be=0&c_fr=0&c_yb=0HTTP/1.1 200 OK
Date: Wed, 10 Dec 2008 xx:xx:xx GMT
Server: Apache/2.2.3 (CentOS)
It pulls the files listed in the response down and installs them.
Tinyproxy.exe is the final install. When it is installed as a service and interacts with the Bho dll it proxies and redirects the infected system’s browser to multiple ad sites. The file itself is copied with Hidden and System attributes, so on most systems, the file is not displayed in a “c:program filestinyproxy” folder window.
Last week this file was hosted at the American International Baseball Club web server in Vienna (www.aibc.vienna.org), even though some reports stated it had been taken down. This lastest infection shows that the files are served up at another compromised server. Here is a link to the Bho installer: www.team ga.c om/images/g ames/gif/ 6243.exe.
Last week, we saw our IE web browser redirected to ads from Yahoo! HotJobs, the March of Dimes Foundation, and constant redirections to www-find-www.com and 188.8.131.52.
This time, when we opened a browser to Yahoo!, searched on “Cha Ca Vietnam” and clicked on a result, our browser was redirected to “http://www-find-www.net/?q=cha%20ca”
When we opened a browser to Google on the infected system, searched on “Cha Ca Vietnam” and clicked on a result, a new window popped open to
with a final redirection to
global mess continues on as a massive financially motivated browser hijacking scam.