Web 2.0 Botnet Evolution Jonell Baltazar, A Trend Micro Research Paper (Retrieved May 2010).

Outline
- Introduction
- Botnet Developments
- KOOBFACE Development Timeline
- Summary

Introduction
In the following paper, TrendLabs exposes the latest developments made to the KOOBFACE botnet in order to keep it running and to secure its transactions from the prying eyes of security researchers and law enforcers alike.

Botnet Developments
Some of these developments are implemented in order to make analysis and reverse engineering difficult for researchers.

The introduction of a second layer of servers, called proxy command-and-control (C&C) servers, essentially makes the botnet more resilient to C&C takedown.

Recent KOOBFACE botnet architecture development

Botnet Developments: KOOBFACE URLs
The sites are now capable of banning the IP addresses of users who tried, on more than one occasion, to access them.

Through this, the gang's members were able to prevent constant monitoring by security researchers using a single IP address.

Each KOOBFACE-controlled URL now has a local copy of the banned IP addresses.

Spammed URLs
The gang tried to trick users into viewing a bogus video by accessing the spammed link. The KOOBFACE-spammed URLs have started coming in different forms. In the past, users only had to click a single link to end up on a page where the KOOBFACE binary could be downloaded.

The new URLs either use the old template or encoded IP addresses.

Botnet Developments

Old KOOBFACE URL spamming style

KOOBFACE-spammed URL with hex-encoded IP address parts

URL Redirectors
In the past, users who clicked KOOBFACE-spammed URLs went through a few redirections before landing on a fake YouTube or Facebook site with the help of an unobfuscated JavaScript.

Another change the gang has implemented is to obfuscate such scripts using string replacement.

After deobfuscation, the IP addresses that point to fake YouTube pages where KOOBFACE binaries could be downloaded (the final landing pages) have been seen to use random ports.

Botnet Developments

Old KOOBFACE redirector script

Obfuscated KOOBFACE redirector script

Deobfuscated KOOBFACE redirector script

Final Landing URLs
The more recently discovered final landing pages (fake YouTube pages) sported URLs with random ports and randomly named subdirectories.

Botnet Developments

Final landing URL that serves a fake YouTube page sporting the new theme
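As an added defender-side example (not code from the Trend Micro paper), the routine below decodes a spammed URL whose host is written with encoded IP octets and flags the non-standard ports described above for both the spammed URLs and the final landing pages. It assumes the encoded host uses the browser-accepted dotted notation with one hex (0xNN) or octal (0NN) number per octet; the paper does not reproduce the exact URL, and the sample URLs in the block are constructed.

```python
import re
from urllib.parse import urlsplit

# Assumption (the paper does not reproduce the URL): the encoded host uses the
# browser-accepted dotted form in which each octet is hex (0xNN) or octal (0NN),
# e.g. http://0xc0.0xa8.0x1.0x5:8080/... for 192.168.1.5:8080.
OCTET_RE = re.compile(r"^(0x[0-9a-f]+|0[0-7]*|[1-9][0-9]*)$", re.IGNORECASE)


def _octet_to_int(part):
    """Interpret one dotted-host part the way browsers do: hex, octal or decimal."""
    p = part.lower()
    if p.startswith("0x"):
        return int(p[2:], 16)
    if len(p) > 1 and p.startswith("0"):
        return int(p, 8)
    return int(p)


def canonical_host(host):
    """Return the dotted-decimal form of a four-part host whose parts are
    hex/octal/decimal numbers. Plain hostnames are returned unchanged;
    None means a part was outside 0-255 (not a valid IPv4 host)."""
    parts = host.split(".")
    if len(parts) != 4 or not all(OCTET_RE.match(p) for p in parts):
        return host
    octets = [_octet_to_int(p) for p in parts]
    if any(o > 255 for o in octets):
        return None
    return ".".join(str(o) for o in octets)


def triage_url(url):
    """Decode a spammed URL's host and report the signals the paper describes:
    an encoded IP host and a port other than the usual HTTP/HTTPS ports."""
    u = urlsplit(url)
    host = u.hostname or ""
    decoded = canonical_host(host)
    signals = []
    try:
        port = u.port            # None when no port is given
    except ValueError:           # port present but not a valid number
        port = None
        signals.append("invalid-port")
    if decoded != host:
        signals.append("encoded-ip-host")
    if port is not None and port not in (80, 443):
        signals.append("non-standard-port")
    return {"host": decoded, "port": port, "signals": signals}


if __name__ == "__main__":
    # Constructed sample URLs, not ones taken from the paper.
    for sample in ("http://0xC0.0xA8.0x01.0x05:8080/video.php?v=1",
                   "http://www.example.com/watch"):
        print(sample, "->", triage_url(sample))
```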

C&C Proxy URLs
C&C proxy URLs can be extracted from the KOOBFACE loader and social networking components.

Old C&C proxy URLs were still being used; in these, the KOOBFACE scripts were installed in the .sys subdirectory.

New C&C proxy URLs have been found with randomly named subdirectories.

Botnet Developments

Old C&C proxy URL format

New proxy C&C URL format that uses randomly named subdirectories instead of just .sys

Proxy C&C Communications
The KOOBFACE gang now encrypts their C&C communications using the Data Encryption Standard (DES).

The encrypted data is found after the new command #BLUELABEL and can only be decrypted using a key defined by the gang itself.

Botnet Developments

Sample DES-encrypted data and its decrypted form

KOOBFACE Development Timeline

Summary
The KOOBFACE gang:
- Changed the manner in which the spammed URLs were formatted, and started using random ports instead of just the usual HTTP port.
- Banned IP addresses to prevent frequent access to and monitoring of KOOBFACE-controlled sites.
- Began encrypting their C&C communications.