1. 2010.11.22 資安新聞簡報 報告者：劉旭哲、曾家雄

2. Spam down, but malware up 報告者：劉旭哲

3.  Nov 17  McAfee Threats Report: Third Quarter 2010  Spam is declined, but malware is increasing.

4.  Spam is still high  It continued its overall decline from January, both globally and nationally.  But identity theft, phishing attacks, and malicious links remain as serious as ever.  eg: US

5.  Malware continues to be the biggest threat.  This year they have identified more than 14 million unique pieces of malware.  Over one million more malware than at the same time last year.  Increase has slowed, but the growth continues.

7.  A mix of many established standards.  Mainly in the form of password-stealing Trojans, AutoRun malware, and fake AV software.  For example ： Zeus, Koobface

8.  Cybercriminals are becoming more smart  Attacks are becoming increasingly more severe  Focus on mobile devices and social-networking sites. Conclusion

9.  http://news.cnet.com/8301-1009_3-20023067- 83.html?tag=mncol;title http://news.cnet.com/8301-1009_3-20023067- 83.html?tag=mncol;title  http://www.mcafee.com/us/local_content/reports/q32 010_threats_report_en.pdf http://www.mcafee.com/us/local_content/reports/q32 010_threats_report_en.pdf reference

10. 兆

11. Delivery Status Notification

12. Koobface: Inside a Crimeware Network November 12, 2010 By NART VILLENEUVE

13.  From April to November 2010 the Information Warfare Monitor investigated the operations and monetization strategies of the Koobface botnet A New Botnet

14.  Koobface maintains a system that uses social networking platforms to send malicious links such as:  Bebo, Facebook, Friendster, Fubar,  Hi5, MySpace, Netlog, Tagged, Twitter......etc.  Koobface also leverages connections to other malware groups associated with Bredolab, Gumblar, Meredrop, and Piptea Koobface

15.  The Koobface operators also employ counter- measures against security efforts to counter their operations  The “banlist” of Internet protocol  Koobface operators carefully monitor whether any of their URLs have been flagged as malicious one by Facebook, or Google Koobface

16.  Koobface spreads by using credentials on compromised computers to login to the victim’s account  It sends messages that contain links to malware to friends that are linked to the account Propagation

18.  The malicious link is often concealed using the URL shortening service  It redirects victim to a malicious Web page that encourages the user to run the accompanying executable  These malicious pages purport to be YouTube pages that require a new codec or an Adobe Flash upgrade in order to view the video Propagation

20.  Koobface maintains an infrastructure that integrates command and control capabilities  Zombie proxies obscure the location of C&C Infrastructure

21.  Koobface’s main command and control server is hosted on 85.13.206.115 (Coreix, GB)  It maintains a database that contains information on the infrastructure of the Koobface botnet  The compromised hosts that have been turned into relays  And used by the operators to proxy requests Command and Control

22.  Koobface maintains a number of fraudulent accounts with third party services  Koobface also appears to use compromised computers to host landing pages Command and Control

23.  The Koobface malware has a modular structure that allows the botnet operators to install additional components on compromised computers based on specific criteria  The compromised computer connects to one of Koobface’s relay Web servers, which act as proxies of C&C Command and Control

24.  The malware on the compromised host requests URLs that contain parameters  fbgen  ldgen  ppgen  CAPTCHA Command and Control

25.  This file determines the contents of the message and the Koobface URL to send to the Facebook friends associated with Facebook accounts found on the compromised computer fbgen

26.  This file determines what further binaries the compromised host will download from the command and control server  IP address in a range ldgen

27.  These URLs point to rogue security software affiliates on Google searches for keywords such as  Antivirus  best+spyware+remover  adware+spyware+removal  It triggers the search hijacker when the user clicks on any of the links returned by Google ppgen

28.  Koobface uses random samplings of real Facebook profile information stolen from compromised accounts to create fictitious accounts  The popup window suggests that the computer will shutdown if the CAPTCHA is not solved CAPTCHA

30.  The operators of the Koobface botnet have a system in place to monitor the operations of the botnet and to ensure that the system continues to maintain the infrastructure that is required to operate it Monitoring & Countermeasures

32.  Koobface carefully monitors its links through the Google Safe Browsing API and checks if any of their URLs have been flagged as malicious by bit.ly or Facebook Monitoring & Countermeasures

34.  Koobface keeps count of successful installations and traffic generated by the botnet Monitoring Installations

36.  When an Internet user visits a Koobface landing page and installs the malware, the malware connects through a relay server to C&C and sends the  Compromised user’s IP address  Geographic location  Unique identifier  Koobface user identifier  Malware identifier  This allows Koobface to keep track of malware installations Monitoring Installations

37.  http://krebsonsecurity.com/2010/11/pursuing- koobface-and-partnerka/ http://krebsonsecurity.com/2010/11/pursuing- koobface-and-partnerka/  http://www.infowar-monitor.net/reports/iwm- koobface.pdf http://www.infowar-monitor.net/reports/iwm- koobface.pdf Reference