New KOOBFACE Upgrade Makes It Takedown-Proof
22 July 2009
No Comment
Early this week, the KOOBFACE Command and Control (C&C) servers issued a new command to its downloader component. This new command identifies a list of IP addresses to be used by the downloader component as Web or relay proxies to retrieve subsequent commands and components.
In the old KOOBFACE architecture (see Figure 1), the downloader directly connects to an available C&C to receive commands. However, the new command seen early this week actually changes the KOOBFACE botnet architecture to something more like the diagram in Figure 2.
 |
 |
This new command acts a redundancy layer to the old architecture and probably as a response to KOOBFACE domain takedowns. The upgraded KOOBFACE architecture makes it possible for the KOOBFACE botnet to survive even if all of its C&C domains are shut down given that the list of IP addresses (KOOBFACE zombies) can also host updated KOOBFACE commands and components.
KOOBFACE made waves in social networking sites by using infected users’ profiles to infect other users and therefore propagate. We have chronicled its activities in the following blog posts:
- KOOBFACE Increases Twitter Activity
- New KOOBFACE Component: a DNS Changer
- KOOBFACE Tweets
- KOOBFACE Tries CAPTCHA Breaking
- New Variant of KOOBFACE Worm Spreading on Facebook
- Worms Wriggling Their Way Through Facebook
Post from: TrendLabs | Malware Blog - by Trend Micro
New KOOBFACE Upgrade Makes It Takedown-Proof
Leave your response!
You must be logged in to post a comment.