資安新聞簡報 報告者：劉旭哲、曾家雄

Spam down, but malware up 報告者：劉旭哲

 Nov 17  McAfee Threats Report: Third Quarter 2010  Spam is declined, but malware is increasing.

 Spam is still high  It continued its overall decline from January, both globally and nationally.  But identity theft, phishing attacks, and malicious links remain as serious as ever.  eg: US

 Malware continues to be the biggest threat.  This year they have identified more than 14 million unique pieces of malware.  Over one million more malware than at the same time last year.  Increase has slowed, but the growth continues.

 A mix of many established standards.  Mainly in the form of password-stealing Trojans, AutoRun malware, and fake AV software.  For example ： Zeus, Koobface

 Cybercriminals are becoming more smart  Attacks are becoming increasingly more severe  Focus on mobile devices and social-networking sites. Conclusion

 83.html?tag=mncol;title 83.html?tag=mncol;title  010_threats_report_en.pdf 010_threats_report_en.pdf reference

兆

Delivery Status Notification

Koobface: Inside a Crimeware Network November 12, 2010 By NART VILLENEUVE

 From April to November 2010 the Information Warfare Monitor investigated the operations and monetization strategies of the Koobface botnet A New Botnet

 Koobface maintains a system that uses social networking platforms to send malicious links such as:  Bebo, Facebook, Friendster, Fubar,  Hi5, MySpace, Netlog, Tagged, Twitter......etc.  Koobface also leverages connections to other malware groups associated with Bredolab, Gumblar, Meredrop, and Piptea Koobface

 The Koobface operators also employ counter- measures against security efforts to counter their operations  The “banlist” of Internet protocol  Koobface operators carefully monitor whether any of their URLs have been flagged as malicious one by Facebook, or Google Koobface

 Koobface spreads by using credentials on compromised computers to login to the victim’s account  It sends messages that contain links to malware to friends that are linked to the account Propagation

 The malicious link is often concealed using the URL shortening service  It redirects victim to a malicious Web page that encourages the user to run the accompanying executable  These malicious pages purport to be YouTube pages that require a new codec or an Adobe Flash upgrade in order to view the video Propagation

 Koobface maintains an infrastructure that integrates command and control capabilities  Zombie proxies obscure the location of C&C Infrastructure

 Koobface’s main command and control server is hosted on (Coreix, GB)  It maintains a database that contains information on the infrastructure of the Koobface botnet  The compromised hosts that have been turned into relays  And used by the operators to proxy requests Command and Control

 Koobface maintains a number of fraudulent accounts with third party services  Koobface also appears to use compromised computers to host landing pages Command and Control

 The Koobface malware has a modular structure that allows the botnet operators to install additional components on compromised computers based on specific criteria  The compromised computer connects to one of Koobface’s relay Web servers, which act as proxies of C&C Command and Control

 The malware on the compromised host requests URLs that contain parameters  fbgen  ldgen  ppgen  CAPTCHA Command and Control

 This file determines the contents of the message and the Koobface URL to send to the Facebook friends associated with Facebook accounts found on the compromised computer fbgen

 This file determines what further binaries the compromised host will download from the command and control server  IP address in a range ldgen

 These URLs point to rogue security software affiliates on Google searches for keywords such as  Antivirus  best+spyware+remover  adware+spyware+removal  It triggers the search hijacker when the user clicks on any of the links returned by Google ppgen

 Koobface uses random samplings of real Facebook profile information stolen from compromised accounts to create fictitious accounts  The popup window suggests that the computer will shutdown if the CAPTCHA is not solved CAPTCHA

 The operators of the Koobface botnet have a system in place to monitor the operations of the botnet and to ensure that the system continues to maintain the infrastructure that is required to operate it Monitoring & Countermeasures

 Koobface carefully monitors its links through the Google Safe Browsing API and checks if any of their URLs have been flagged as malicious by bit.ly or Facebook Monitoring & Countermeasures

 Koobface keeps count of successful installations and traffic generated by the botnet Monitoring Installations

 When an Internet user visits a Koobface landing page and installs the malware, the malware connects through a relay server to C&C and sends the  Compromised user’s IP address  Geographic location  Unique identifier  Koobface user identifier  Malware identifier  This allows Koobface to keep track of malware installations Monitoring Installations

 koobface-and-partnerka/ koobface-and-partnerka/  koobface.pdf koobface.pdf Reference