RSA NetWitness Platform Blog, January 7, 2014

Koobface is an older worm that relies on Facebook likes to spread. It takes advantage of compromised web servers to host its malicious scripts. In most instances, Koobface is downloaded from a "/.sys/" subdirectory on the compromised web server, but other variants retrieve the malware from a randomized directory structure on that server. Normally this would make it a bit of a challenge to detect, but there seem to be two common hard-coded User-Agent strings that should be easy to detect in an enterprise.

We noticed a recent variant (Jan 2, 2014) in our sandbox that is clearly detected as at VirusTotal here.


First, let's see what a bunch of Koobface infections look like in Security Analytics:



As you can see, most connections are a put to the /.sys/ directory with no filename. Those would be pretty easy to detect with a custom rule, but what about all of the dynamically generated directories? You could use a regular-expression rule, but even that structure is not regular enough to detect the traffic reliably.


There are specific query strings that follow a pattern as well.  They typically look like this:



You can see that they all begin with the phrase "action="


So a rule to detect most of this traffic would be:

directory='/.sys/' && query begins 'action='


And while that would detect 95% of the traffic, what about the remainder?


As it turns out, two very distinct User-Agent strings have been observed engaging in Koobface beaconing. The first is a Russian-language browser running a 2005 build of Firefox; the "ru;" in the string denotes the Russian language. That string is:

mozilla/5.01 (windows; u; windows nt 5.2; ru; rv: gecko/20050104 firefox/3.0.2


The second one is even odder. It is a User-Agent string tied to the Nauru language. Nauru is a tiny island in Micronesia with fewer than 20,000 residents, so chances are that no one should ever encounter a browser encoded in this language. That UA string is:

mozilla/4.0 (compatible; msie 7.0; na; )


So the best way to detect Koobface, based on my observations, is to use a combination rule that would be:

directory='/.sys/' && query begins 'action=' || client='mozilla/5.01 (windows; u; windows nt 5.2; ru; rv: gecko/20050104 firefox/3.0.2','mozilla/4.0 (compatible; msie 7.0; na; )'


Set the rule to alert in your alert field, risk.warning, or your own custom alert key.
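As an added example (not part of the original post and not NetWitness code), here is the combined rule expressed in Python and run over a few constructed proxy log lines, so you can see which records it fires on and why. The log line format, the host names and the lower-casing of the client meta are assumptions; the example reads the rule the way the post intends it, with the directory/query test and the User-Agent test each able to alert on their own.

```python
import re
from urllib.parse import urlsplit

# The two hard-coded User-Agent strings the post reports in Koobface beaconing.
KOOBFACE_CLIENTS = {
    "mozilla/5.01 (windows; u; windows nt 5.2; ru; rv: gecko/20050104 firefox/3.0.2",
    "mozilla/4.0 (compatible; msie 7.0; na; )",
}

# Constructed sample proxy log lines (not real traffic): src_ip method url "user-agent"
SAMPLE_LOG = """\
10.0.0.5 POST http://compromised.example/.sys/?action=ldgen&v=25 "Mozilla/5.0 (Windows NT 6.1) Gecko/20100101 Firefox/26.0"
10.0.0.6 POST http://compromised.example/a7f3/q1/?action=ping "mozilla/5.01 (windows; u; windows nt 5.2; ru; rv: gecko/20050104 firefox/3.0.2"
10.0.0.7 GET http://compromised.example/images/logo.png?action=view "Mozilla/5.0 (Windows NT 6.1) Gecko/20100101 Firefox/26.0"
10.0.0.8 GET http://compromised.example/.sys/?a=1 "Mozilla/4.0 (compatible; MSIE 7.0; na; )"
10.0.0.9 GET http://compromised.example/.sys/?a=1 "Mozilla/5.0 (Windows NT 6.1) Gecko/20100101 Firefox/26.0"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) "([^"]*)"$')

def parse_line(line):
    """Split one constructed log line into the meta keys the rule uses:
    directory (path up to and including its last '/'), query and client."""
    m = LINE_RE.match(line)
    if not m:
        return None
    src, _method, url, ua = m.groups()
    parts = urlsplit(url)
    path = parts.path or "/"
    directory = path[: path.rfind("/") + 1]  # '/.sys/' stays '/.sys/', '/images/logo.png' -> '/images/'
    return {"src": src, "directory": directory, "query": parts.query,
            "client": ua.lower()}  # assumption: client meta is compared lower-cased, as in the post

def koobface_rule(meta):
    """directory='/.sys/' && query begins 'action=' || client=<either UA>.
    '&&' is evaluated before '||', so a matching User-Agent alerts by itself."""
    path_hit = meta["directory"] == "/.sys/" and meta["query"].startswith("action=")
    ua_hit = meta["client"] in KOOBFACE_CLIENTS
    return path_hit or ua_hit

def alerts(log_text):
    """Return the source IPs of the lines that trigger the rule, in log order."""
    parsed = (parse_line(line) for line in log_text.splitlines())
    return [m["src"] for m in parsed if m and koobface_rule(m)]

if __name__ == "__main__":
    print(alerts(SAMPLE_LOG))  # ['10.0.0.5', '10.0.0.6', '10.0.0.8']
```

Note that 10.0.0.8 alerts on the Nauru User-Agent alone even though its query does not begin with "action=", while 10.0.0.7 does not alert because "action=" outside /.sys/ is not enough on its own.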


Good luck and Happy Hunting!
