Posted on 07/23/2009 1:07:44 PM PDT by Cindy
SNIPPET: "UPDATE: The Koobface gang is upgrading the command and control infrastructure in response to the positive ROI out of the takedown activities."
SNIPPET: "Related posts: Dissecting Koobface Worm's Twitter Campaign Dissecting the Koobface Worm's December Campaign Dissecting the Latest Koobface Facebook Campaign The Koobface Gang Mixing Social Engineering Vectors"
(Excerpt) Read more at ddanchev.blogspot.com ...
http://blog.trendmicro.com/new-koobface-upgrade-makes-it-takedown-proof/
Jul
22
“New KOOBFACE Upgrade Makes It Takedown-Proof”
7:51 am (UTC-7) | by Jonell Baltazar (Advanced Threats Researcher)
SNIPPET: “KOOBFACE made waves in social networking sites by using infected users’ profiles to infect other users and therefore propagate. We have chronicled its activities in the following blog posts:
KOOBFACE Increases Twitter Activity
New KOOBFACE Component: a DNS Changer
KOOBFACE Tweets
KOOBFACE Tries CAPTCHA Breaking
New Variant of KOOBFACE Worm Spreading on Facebook
Worms Wriggling Their Way Through Facebook”
Previously...
http://ddanchev.blogspot.com/2009/07/dissecting-koobface-worms-twitter.html
WEDNESDAY, JULY 15, 2009
“Dissecting Koobface Worm’s Twitter Campaign”
Posted by Dancho Danchev
Blog:
http://ddanchev.blogspot.com/2009/08/movement-on-koobface-front-part-two.html
WEDNESDAY, AUGUST 19, 2009
“Movement on the Koobface Front - Part Two”
Posted by Dancho Danchev
#
Previously...
http://ddanchev.blogspot.com/2009/08/movement-on-koobface-front.html
TUESDAY, AUGUST 04, 2009
“Movement on the Koobface Front”
Posted by Dancho Danchev
Blog:
http://ddanchev.blogspot.com/2009/09/koobface-botnets-scareware-business.html
WEDNESDAY, SEPTEMBER 16, 2009
“Koobface Botnet’s Scareware Business Model”
Posted by Dancho Danchev
blog:
http://ddanchev.blogspot.com/2009/10/koobface-botnet-dissected-in-trendmicro.html
WEDNESDAY, OCTOBER 14, 2009
“Koobface Botnet Dissected in a TrendMicro Report”
Posted by Dancho Danchev
SNIPPET: “I’d like to thank the folks at TrendMicro for mentioning the message inserted by the Koobface gang (more love on a first-name basis from them) within their command and control infrastructure for nine days, greeting me for systematically kicking them out of their ISPs, and suspending their command and control domains, in a new report entitled The Heart of Koobface - C&C and Social Network Propagation:”
ON THE INTERNET:
Blog:
http://ddanchev.blogspot.com/2009/10/koobface-botnet-redirects-facebooks-ip.html
WEDNESDAY, OCTOBER 21, 2009
“Koobface Botnet Redirects Facebook’s IP Space to my Blog”
(Posted by Dancho Danchev at Wednesday, October 21, 2009)
SNIPPET: “The result? Earlier this morning, I’ve noticed over 7,000 unique visits coming from Facebook Inc’s IP space using active and automatically blogspot accounts part of the Koobface botnet as http referrers (New Koobface campaign spoofs Adobe’s Flash updater), which is now officially relying on already infected hosts for the CAPTCHA recognition process.”
SNIPPET: “A representative from Facebook’s Security Incident Response Team just confirmed the development, and commented...”
Blog:
http://ddanchev.blogspot.com/2009/11/koobface-botnets-scareware-business.html
WEDNESDAY, NOVEMBER 11, 2009
“Koobface Botnet’s Scareware Business Model - Part Two”
(Posted by Dancho Danchev at Wednesday, November 11, 2009)
SNIPPET: “UPDATED - Tuesday, November 17, 2009: Koobface is resuming scareware (Inst_312s2.exe) operations at 91.212.107.103 which was taken offline for a short period of time. ISP has been notified again, action should be taken shortly. The current domain portfolio including new ones parked there:”
Blog:
http://ddanchev.blogspot.com/2009/11/massive-scareware-serving-blackhat-seo.html
TUESDAY, NOVEMBER 17, 2009
“Massive Scareware Serving Blackhat SEO, the Koobface Gang Style”
(Posted by Dancho Danchev at Tuesday, November 17, 2009)
SNIPPET: “Ali Baba and the 40 thieves LLC are once again multi-tasking, this time compromising hundreds of thousands of web sites, and redirecting Google visitors — through the standard http referrer check — to scareware serving domains.
What’s so special about the domains mentioned in Cyveillance’s post, as well as the ones currently active on this campaign? It’s the Koobface connection.”
Blog:
http://ddanchev.blogspot.com/2009/11/koobface-botnet-starts-serving-client.html
WEDNESDAY, NOVEMBER 25, 2009
“Koobface Botnet Starts Serving Client-Side Exploits”
Posted by Dancho Danchev
SNIPPET: “UPDATED, Thursday, November 26, 2009: The gang has currently suspended the use of client-side exploits, let’s see if it’s only for the time being or indefinitely.”
http://ddanchev.blogspot.com/2009/11/koobface-botnet-starts-serving-client.html
WEDNESDAY, NOVEMBER 25, 2009
“Koobface Botnet Starts Serving Client-Side Exploits”
Posted by Dancho Danchev
SNIPPET: “UPDATED, Saturday, November 28, 2009: Following yesterday’s experiment with bit.ly redirectors, relying on a “visual social engineering element” by adding descriptive domains after the original link — bit.ly/588dmE?YOUTUBE.COM/ea05981d43, which works with any generated bit.ly link, the gang is now spamvertising links using Google News redirection to automatically registered Blogspot accounts, whose CAPTCHA challenge has been solved by the already infected with Koobface victims, a feature that is now mainstream, compared to the gang’s previous use of commercial CAPTCHA solving services, where the price for a thousand solved CAPTCHAs varies between $1 and $2:”
Quote:
http://www.freerepublic.com/focus/f-bloggers/2405787/posts
Celebrity-Themed Scareware Campaign Abusing DocStoc
DANCHO DANCHEV - blog ^ | MONDAY, DECEMBER 07, 2009 | Dancho Danchev
Posted on December 11, 2009 3:32:36 PM PST by Cindy
MONDAY, DECEMBER 07, 2009 Celebrity-Themed Scareware Campaign Abusing DocStoc
UPDATE: Docstoc has removed all the participating accounts in this campaign, and is applying additional filtering to undermine its effectiveness.
Last week’s “Celebrity-Themed Scareware Campaign Abusing DocStoc and Scribd” is now exclusively targeting the popular Docstoc document-sharing service. Naturally, this very latest campaign once again offers overwhelming evidence on the inner workings of the cybercrime ecosystem, in this particular case, the connection between the Koobface gang and money mule recruitment campaigns.
(Excerpt) Read more at ddanchev.blogspot.com ...
Blog:
http://ddanchev.blogspot.com/2009/12/koobface-friendly-riccom-ltd-as29550.html
TUESDAY, DECEMBER 22, 2009
“Koobface-Friendly Riccom LTD - AS29550 - (Finally) Taken Offline”
Posted by Dancho Danchev
SNIPPET: “Last week, Josh Kirkwood, Network Engineer at Blue Square Data Group Services Limited, with whom I’ve been keeping in touch regarding the blackhat SEO activity courtesy of the Koobface gang, and actual Koobface botnet activity that’s been taking place there for months, pinged me with an interesting email - “Riccom are now gone” (AS29550). He also pinged the folks at hpHosts in response to their posts once again emphasizing on the malicious activity taking place there.”
Blog:
http://ddanchev.blogspot.com/2009/12/koobface-gang-wishes-industry-happy.html
SATURDAY, DECEMBER 26, 2009
“The Koobface Gang Wishes the Industry ‘Happy Holidays’”
Posted by Dancho Danchev
blog:
http://ddanchev.blogspot.com/2010/02/diverse-portfolio-of-scarewareblackhat.html
WEDNESDAY, FEBRUARY 03, 2010
“A Diverse Portfolio of Scareware/Blackhat SEO Redirectors Courtesy of the Koobface Gang”
-Posted by Dancho Danchev
SNIPPET: “With scareware/rogueware/fake security software continuing to be the cash-cow choice for the Koobface gang, keeping them on a short leash in order to become the biggest opportunity cost for the gang’s business model is crucial.
The following are currently active blackhat SEO redirectors/Koobface-infected hosts redirectors and actual scareware domains courtesy of the gang.”
http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2010/02/01/BUJB1BR33G.DTL
“Hackers turn to social media to attack companies”
Alejandro Martínez-Cabrera, Chronicle Staff Writer
Tuesday, February 2, 2010
SNIPPET: “Social media is increasingly becoming fertile ground for hackers to attack companies with spam and malware, according to a report released Monday by a security firm.”
SNIPPET: “Worm evolves
The troublesome Koobface worm also continued to evolve in sophistication. In 2009, the worm became capable of automatically registering a Facebook account, befriending strangers and posting malicious content on the walls of potential victims, the report said.”
blog:
http://ddanchev.blogspot.com/2010/03/koobface-redirectors-and-scareware.html
MONDAY, MARCH 15, 2010
“Koobface Redirectors and Scareware Campaigns Now Hosted in Moldova”
Posted by Dancho Danchev
SNIPPET: “Just how greedy has the Koobface gang become these days? Very greedy.
In fact, their currently active scareware campaigns operate with a changed directory structure that speaks for itself - scareware-domain/fee1/index.php?GREED==random_characters. Let’s dissect the scareware monetization vector, expose the entire typosquatted domains portfolio, and offer a historical OSINT perspective on their activities during February, 2010.
The domain portfolios are in a process of getting suspended”
blog:
http://ddanchev.blogspot.com/2010/04/dissecting-koobface-gangs-latest.html
TUESDAY, APRIL 27, 2010
“Dissecting Koobface Gang’s Latest Facebook Spreading Campaign”
Posted by Dancho Danchev
http://ddanchev.blogspot.com/2010/05/from-koobface-gang-with-scareware.html
SATURDAY, MAY 08, 2010
“From the Koobface Gang with Scareware Serving Compromised Sites”
Posted by Dancho Danchev
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.