After spreading via social networking site Facebook several months back, the Koobface virus appears to be back, this time spreading via torrent and peer-to-peer file sharing.
Computer security firm Trend Micro said that the virus, which turns computers it infects into a peer-to-peer botnet, now uses Trojanized shared application files.
“Based on our research, we found a ‘loader’ being used by KOOBFACE, which is a component responsible for downloading other components. This loader arrives on the victim’s computer either by downloading Trojanized torrent files, or through a new component of KOOBFACE named ‘tor2.exe,’ which is detected as WORM_KOOBFACE.AV,” Trend Micro said in a blog post.
It said a sample downloaded torrent file references four files in a package that claims to install Adobe’s Lightroom software. These include:
- setup.exe, which decrypts and executes setup3.cab, and then executes setup2.cab
- setup1.cab, a downloader of other component binaries
- setup2.cab, the actual installer of Adobe Lightroom software
- setup3.cab, which decrypts and executes setup1.cab
Trend Micro, however, detects the files setup.exe, setup1.cab, and setup3.cab as TROJ_MALAGENT.FA, TROJ_DLOADER.SPA, and TROJ_DLOADER.KOO respectively.
“The shift from concentrating on propagating through social networks to a torrent P2P network may be a result of the efforts by the targeted social networks to prevent the KOOBFACE botnet from abusing their framework. Despite this change, users should be aware that the KOOBFACE gang has not stopped coming up with schemes to infect users. They are simply looking for other means to do so,” it said.
Koobface operation
Upon execution, Koobface connects to its command-and-control domain to request a torrent file. Once the torrent is received, it drops and executes a torrent client that is stored in the resource section of the binary on the affected system.
The torrent client, uTorrent version 2.2.1, is run silently as a background process.
According to Trend Micro, the malware can spread more quickly if there are more seeders.
“The more seeders there are for a specific torrent file, the more likely it is for other users to download them, since they promise a faster download,” it said.
Likely victims
Likely victims include users looking for pirated copies of popular software such as games, PC utilities, or productivity software, as the Trojanized software torrents are found on popular torrent sites.
Antivirus evasion
The malware’s use of several encrypted component files helps it evade the anti-virus scanners run by torrent file servers, Trend Micro said.
“Several component binaries working together to reach a certain goal makes analysis longer and harder. Also, having a copy of just one component binary may lead the analyst to conclude that it is not malware, since the analyst needs the other components to see what the real objective of the malware is,” it said.