Christmas themed Koobface breaks CAPTCHAs (Dec 11, 2009)


A new variant of Koobface worm was found in the wild. This time around the fake video poses as a message from Santa.

Koobface is a worm that shows up in fake messages from “friends” that encourage users to click on a malicious link that can steal user ID and password information, and be used to spread the worm. Koobface is constantly changing to avoid detection, or as we call it ‘highly polymorphic,’ with over 20,000 variations to date. We have previously SonicAlerted on it here.

It searches Internet Explorer’s cache of cookies, looking for any relating to the following social networking websites:


There are major enhancements in this new variant of Koobface:

  1. It is able to break CAPTCHAs to register new google blogger accounts and send facebook messages. The CAPTCHA trick appears as a Windows warning that the system will be shut down unless they enter the CAPTCHA code displayed. If the shutdown timer hits zero, the system is locked until the code is entered. Once entered, the code is sent to a server where the information is later used for account creation.

  2. It has 3 stages of redirection – links in facebook messages go to or blogspot URLs, which in turn forward to a hijacked pages with JavaScript, which will finally forward to the Koobface webserver pages (fake video social engineering).

  3. In the spam subjects and messages, it uses a clever trick to double some random letters to avoid signature detection but preserve readability.

     #BLACKLABEL FBTARGETPERPOST|20 TEXT_S|You mmust see thiss videoo now!! It''s the bbest one!! MD5|1822ec77fe9039ac2091299df8582c0f TEXT_S|You mmust see thiss vvideo noow! It''s the besst oone! MD5|7554b2b9e71763bc3ea9fb4cfad03594 

  4. It registers new Google blogger accounts and creates blog posts using top news headlines from Google News. It also creates new Google Reader pages to spread itself.

  5. The infected machine doesn't contact the C&C server directly but instead uses other infected nodes as redirectors/proxies which will forward the request from the infected client to the real Command&Control server (C&C).

SonicWALL Gateway AntiVirus provides protection against this malware via signatures in the following table.
The Koobface worm consists of these modules:

Filename Description Sonicwall GAV signature
v2webserver.exe Koobface webserver GAV: Koobface.CSI (Trojan)
v2captcha.exe CAPTCHA breaker GAV: Koobface.DR (Worm)
v2googlecheck.exe checks Facebook for blocked URLs GAV: Small.ANLX (Trojan)
v2prx.exe Proxy and DNS Blocker GAV: Koobface.gen_2 (Trojan)
v2newblogger.exe Makes Blogspot accounts GAV: Vilsel.MBS (Trojan)
v2reader.exe Makes Google Reader pages GAV: Koobface.NCI_2 (Worm)
ff2ie.exe Cookie Converter GAV: Koobface.BSE (Worm)
ld15.exe Koobface loader GAV: Koobface.ATJ (Worm)
fb75.exe Facebook propagation GAV: Koobface.CMN (Trojan)
pp.12.exe Popup ads and FAKEAV installer GAV: Koobface.CSK (Worm)
Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.