What's Koobface doing at the moment? Is it dead? Well the answer is 'no'. Koobface C&Cs are very much alive. We observed around 153 live C&Cs during last 7 days. It's just that Koobface is no longer using Facebook to spread itself.

Koobface's actual payload has always downloaded different malicious components onto the infected system. This may include its own sub components and/or third party malware as part of a pay per install service. This activity is continuing at the moment without a change. For example as of writing this article, I can see one of the Koobface instances is trying to promote fake pharmaceuticals.  This is accomplished by opening different pop ups on the infected system.

It happens like this:

The C&C will instruct its zombie to open a browser window with a given link.

HTTP/1.1 200 OK
Date: Wed, 06 Apr 2011 22:23:22 GMT
Server: Apache

....

#BLACKLABEL
TASK|http://google.com/search?q=tramadol,800,600,600,http://test.com,0

MD5|5c07e730f5c447f3c8a949f8e03a138c

and

#BLACKLABEL
TASK|http://multi-searcher.com/tramadol/37348/29/01100011/10/tramdol.html,800,600,600,http://test.com,0

MD5|5c07e730f5c447f3c8a949f8e03a138c

So on one hand Koobface will open a Google search result page with 'tramadol' (tramadol is a medicine used to relieve moderate to moderately severe pain.) query in order to enlighten the user about this medicine and right after that a  phishing  page will pop up on user's screen compelling him to buy this medicine with cheap rates.

What are the motivations behind this change? My best guess is that infecting Facebook users was catching too much of the world's attention. This Web 2.0 giant with its security teams was continuously trying to defeat Koobface. This includes proactive actions taken by Facebook such as blocking Koobface malicious URLs, and trying to shutdown the C&Cs behind. By not using Facebook as its primary infection vector, Koobface will make Facebook lose interest in it, one less enemy. I have no doubt that the guys behind Koobface are using other channels to spread their creations like pay per install, exploit kits and most recently torrents.

With this good news comes some bad news. Most recently 'YAHOS' a modified form of an old IRC bot commonly known as SdBot or Reptile added a new module that has started targeting Facebook and Myspace users. YAHOS uses Facebook's IM service to send fake messages to user's friends list and urges them to visit an external web site hosting malicious binaries.

Like:

"hahhahaha foto :D http://cyXXXen.com/facebook/index.php?="

where http://cyXXXen.com/facebook/index.php?= (a fake facebook page) will lure user into downloading a YAHOS executable. Clicking on this executable will make that friend part of the same YAHOS botnet.

Please note here that YAHOS is not a new malware family. I talked about SdBot/Reptile a while back here. In the past it has been seen using MSN and YAHOO messenger for spreading itself. It's just that it recently expanded its infection vector by targeting the world's most popular social networking sites like Facebook.

As is said in Hollywood:

"You don’t get to 500 million friends without making a few enemies".

Good luck Facebook!

Atif Mushtaq 

FireEye Malware Intelligence Lab