Thursday, February 25, 2010

A dissection of Koobface

There is a very informative analysis of the social network trojan Koobface at abuse.ch. The analysis details the four stages of victim infection, which involve malicious short links, fraudulently registered Blogger accounts and hijacked web sites serving malicious JavaScript. At the time of writing (early December last year), there were just over 34,000 malicious blog posts and short URLs directing victims to over 500 hijacked websites. Ultimately, code is downloaded onto the victim machine to make it part of the Koobface command & control infrastructure.

A CAPTCHA breaking infrastructure is used to register new accounts with Blogger, as shown below.

[Figure: the CAPTCHA-breaking infrastructure, from the abuse.ch analysis]

According to the post, the infrastructure is very sophisticated:

  • The time between grabbing a CAPTCHA and breaking it is less than three minutes (most of the time just a few seconds!)
  • Due to the way Koobface’s infrastructure works, it’s possible to break hundreds of CAPTCHAs per minute!
  • In this way it’s possible to register thousands of fake bit.ly/Blogspot accounts per day

The author wonders if the security industry is placing too much faith in CAPTCHAs.
