Koobface is an older worm that spreads through social-networking sites such as Facebook. It takes advantage of compromised web servers to host its malicious scripts. In most instances, Koobface is downloaded from a "/.sys/" subdirectory on the compromised web server, but other variants retrieve the malware from a randomized directory structure on the compromised server. Normally that would make it a bit of a challenge to detect, but there seem to be two common hard-coded User-Agent strings that should be easy to detect in an enterprise.
We noticed a recent variant (Jan 2, 2014) in our sandbox that VirusTotal clearly identifies as Koobface.
First, let's see what a batch of Koobface infections looks like in Security Analytics:
As you can see, most connections are a PUT to the /.sys/ directory with no filename. Those would be pretty easy to detect with a custom rule, but what about all of the dynamically generated directories? You could use a regular-expression rule, but even that structure is not regular enough to detect the traffic reliably.
There are specific query strings that follow a pattern as well. They typically look like this:
You can see that they all begin with the string "action=".
So a rule to detect most of this traffic would be:
directory='/.sys/' && query begins 'action='
And while that would catch roughly 95% of the traffic, what about the remainder?
As it turns out, two very distinct User-Agent strings have been observed engaging in Koobface beaconing. The first claims to be a Russian-locale Firefox on a 2005 Gecko build; the "ru;" in the string denotes the Russian locale. Note that the Gecko build date 20050104 predates Firefox 3.0.2 by about three years, so the string is internally inconsistent, which is itself a sign that it was fabricated rather than emitted by a real browser. That string is:
mozilla/5.01 (windows; u; windows nt 5.2; ru; rv:1.9.0.1) gecko/20050104 firefox/3.0.2
The second one is even odder. Its locale tag, "na", is the ISO 639-1 code for Nauruan. Nauru is a tiny island in Micronesia with fewer than 20,000 residents. Chances are that no one in an enterprise should ever encounter a browser set to this locale. That UA string is:
mozilla/4.0 (compatible; msie 7.0; na; )
So the best way to detect Koobface, based on my observations, is a combination rule. Parenthesize the first clause so that the && is evaluated before the ||:
(directory='/.sys/' && query begins 'action=') || client='mozilla/5.01 (windows; u; windows nt 5.2; ru; rv:1.9.0.1) gecko/20050104 firefox/3.0.2','mozilla/4.0 (compatible; msie 7.0; na; )'
Set the rule to write to your alert meta key (alert, risk.warning, or your own custom alert key).
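To show how the combined rule behaves against real-looking traffic, here is an added example in Python that is not part of the original post and does not use Security Analytics itself. It applies the same three conditions (directory is /.sys/, query begins with "action=", or the client equals one of the two hard-coded User-Agent strings) to a handful of constructed HTTP requests. The record layout, the sample URLs and User-Agents, the lowercasing of the client string, and the clause names are all my assumptions for the example, not observations from the post.

```python
"""Added example (not from the original post): run the Koobface beacon rule
over constructed HTTP requests to see which clause fires and what stays quiet.

Assumptions (mine): each request is (method, url, user_agent); the meta keys
are derived the way a proxy log or packet meta would populate them; and the
client string is compared case-insensitively, as the post quotes it lowercased.
"""
from urllib.parse import urlsplit

# The two hard-coded User-Agent strings quoted in the post (already lowercase).
KOOBFACE_USER_AGENTS = {
    "mozilla/5.01 (windows; u; windows nt 5.2; ru; rv:1.9.0.1) gecko/20050104 firefox/3.0.2",
    "mozilla/4.0 (compatible; msie 7.0; na; )",
}


def extract_meta(method, url, user_agent):
    """Split one request into the meta keys the rule uses.

    directory = path up to and including the last '/', filename = the rest,
    query = everything after '?', client = lowercased User-Agent.
    """
    parts = urlsplit(url)
    path = parts.path or "/"
    cut = path.rfind("/") + 1
    return {
        "action": method.lower(),
        "directory": path[:cut],
        "filename": path[cut:],
        "query": parts.query,
        "client": user_agent.lower(),
    }


def koobface_rule(meta):
    """(directory='/.sys/' && query begins 'action=') || client in the two UAs.

    Returns the name of the clause that fired, or None when the record is clean.
    """
    if meta["directory"] == "/.sys/" and meta["query"].startswith("action="):
        return "sys-dir-action-query"
    if meta["client"] in KOOBFACE_USER_AGENTS:
        return "hardcoded-user-agent"
    return None


# Constructed sample traffic (IPs from documentation ranges, query values invented):
#   1. /.sys/ PUT with action= query and an ordinary browser     -> clause 1
#   2. randomized directory, but the Russian-locale Firefox UA   -> clause 2
#   3. randomized directory, but the "na" MSIE UA                -> clause 2
#   4. legitimate /.sys/ path whose query does not start action= -> no hit
#   5. real Russian-locale Firefox UA that is not the exact string -> no hit
SAMPLE_REQUESTS = [
    ("PUT", "http://203.0.113.10/.sys/?action=check&v=1",
     "Mozilla/5.0 (Windows NT 6.1; rv:26.0) Gecko/20100101 Firefox/26.0"),
    ("GET", "http://203.0.113.10/k3q9/a/?action=check",
     "Mozilla/5.01 (Windows; U; Windows NT 5.2; ru; rv:1.9.0.1) Gecko/20050104 Firefox/3.0.2"),
    ("GET", "http://198.51.100.7/x7/?q=1",
     "Mozilla/4.0 (compatible; MSIE 7.0; na; )"),
    ("GET", "http://intranet.example/.sys/index.html?page=2",
     "Mozilla/5.0 (Windows NT 6.1; rv:26.0) Gecko/20100101 Firefox/26.0"),
    ("GET", "http://www.example.com/news/?action=list",
     "Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3"),
]


def scan(requests=SAMPLE_REQUESTS):
    """Return [(url, clause)] for every request the rule alerts on, in input order."""
    hits = []
    for method, url, ua in requests:
        clause = koobface_rule(extract_meta(method, url, ua))
        if clause is not None:
            hits.append((url, clause))
    return hits


if __name__ == "__main__":
    for url, clause in scan():
        print(f"ALERT koobface [{clause}] {url}")
```

Record 5 is the important negative: a genuine Russian-locale Firefox does not trip the client clause because the rule matches the two exact strings, not the "ru;" tag. If you loosen the rule to a substring match on the locale you will start alerting on real users.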
Good luck and Happy Hunting!