All Places > Products > RSA NetWitness Platform > Blog > 2014 > January > 07

Koobface is an older worm that relies on Facebook likes to spread.  It takes advantage of compromised web servers to host malicious scripts.  In most instances, Koobface gets downloaded from a web server from a "/.sys/" subdirectory.  But other variants use a randomized directory structure on the compromised server to retrieve the malware.  Normally, this would make it a bit of a challenge to detect, but there seem to be two common hard-coded User-Agent strings that should be easy to detect in an enterprise.


We noticed a recent variant (Jan 2, 2014) in our sandbox that is clearly detected as Koobface at VirusTotal here: https://www.virustotal.com/en/file/9c0c55bb2517629524b42b22ce5c7bf878a97a4996ffb45bf9fed9f4f1cdfdcf/analysis/


First, let's see what a bunch of Koobface infections look like in Security Analytics:


[Screenshot: Koobface sessions in Security Analytics, showing the request directory and filename columns]

As you can see, most connections are a put to the /.sys/ directory with no filename.  Those would be pretty easy to detect with a custom rule, but what about all of the dynamically generated directories?  You could use a regular expression rule, but even that structure is not regular enough to detect the traffic easily.


There are specific query strings that follow a pattern as well.  They typically look like this:


[Screenshot: query strings from the Koobface sessions, each beginning with "action="]

You can see that they all begin with the phrase "action=".


So a rule to detect most of this traffic would be:

directory='/.sys/' && query begins 'action='


And while that would detect 95% of the traffic, what about the remainder?


As it turns out, there are two very distinct User-Agent strings observed to be engaging in Koobface beaconing.  The first is a Russian-language browser running a 2005 build of Firefox.  The "ru;" in the string denotes the Russian language.  That string is:

mozilla/5.01 (windows; u; windows nt 5.2; ru; rv:1.9.0.1) gecko/20050104 firefox/3.0.2


The second one is even odder.  It is a User-Agent string that is tied to the Nauru language.  Nauru is a tiny island in Micronesia with fewer than 20,000 residents.  Chances are that no one should ever encounter a browser encoded in this language.  That UA string is:

mozilla/4.0 (compatible; msie 7.0; na; )


So the best way to detect Koobface, based on my observations, is to use a combination rule that would be:

directory='/.sys/' && query begins 'action=' || client='mozilla/5.01 (windows; u; windows nt 5.2; ru; rv:1.9.0.1) gecko/20050104 firefox/3.0.2','mozilla/4.0 (compatible; msie 7.0; na; )'
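To show how the two rules above (the /.sys/ plus "action=" rule, and the combined rule with the two User-Agent strings) behave on real-looking sessions, here is an added Python example.  It is not NetWitness code and not part of the original post: it parses a small, constructed tab-separated log of "User-Agent<TAB>URL" lines, derives the directory and query meta the rule keys on, and reports which clause fired for each session.  The User-Agent strings are taken verbatim from the post; the log lines, hostnames and the `triage`/`classify` helper names are assumptions made for this example.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

# The two hard-coded User-Agent strings from the post.  Security Analytics shows
# the 'client' meta lower-cased, so this example lower-cases before comparing.
KOOBFACE_USER_AGENTS = {
    "mozilla/5.01 (windows; u; windows nt 5.2; ru; rv:1.9.0.1) gecko/20050104 firefox/3.0.2",
    "mozilla/4.0 (compatible; msie 7.0; na; )",
}


@dataclass
class HttpSession:
    """Minimal stand-in for the session meta the post's rule uses."""
    client: str      # User-Agent header (lower-cased)
    directory: str   # directory part of the request path, e.g. '/.sys/'
    query: str       # query string without the leading '?'


def session_from(user_agent, url):
    """Derive directory/query meta from a User-Agent and a full request URL."""
    parts = urlsplit(url)
    path = parts.path or "/"
    directory = path[: path.rfind("/") + 1]   # everything up to the last '/'
    return HttpSession(client=user_agent.lower(), directory=directory, query=parts.query)


def classify(session):
    """Return the names of the rule clauses that match this session.

    Implements: (directory='/.sys/' && query begins 'action=') || client in {UA1, UA2}
    Each clause is reported separately so an analyst can see whether the
    session was caught by the path pattern, the User-Agent, or both.
    """
    reasons = []
    if session.directory == "/.sys/" and session.query.startswith("action="):
        reasons.append("sys_dir_action_query")
    if session.client in KOOBFACE_USER_AGENTS:
        reasons.append("koobface_user_agent")
    return reasons


def triage(log_text):
    """Parse 'User-Agent<TAB>URL' lines and return (url, matched_clauses) per line."""
    results = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        user_agent, url = line.split("\t", 1)
        results.append((url, classify(session_from(user_agent, url))))
    return results


# Constructed sample log (hostnames and paths are made up for this example).
SAMPLE_LOG = "\n".join([
    # 1: Russian-language Firefox UA hitting /.sys/ with an action= query -> both clauses
    "Mozilla/5.01 (Windows; U; Windows NT 5.2; ru; rv:1.9.0.1) Gecko/20050104 Firefox/3.0.2"
    "\thttp://compromised.example/.sys/?action=ldgen&v=1",
    # 2: ordinary browser UA, but the /.sys/ + action= pattern -> path clause only
    "Mozilla/5.0 (Windows NT 6.1; rv:25.0) Gecko/20100101 Firefox/25.0"
    "\thttp://compromised.example/.sys/?action=fbgen",
    # 3: Nauru-language IE UA using a randomized directory -> User-Agent clause only
    "Mozilla/4.0 (compatible; MSIE 7.0; na; )"
    "\thttp://compromised.example/a9f3k/qz/?action=ldgen",
    # 4: benign site whose query also begins with action= -> no match (directory is '/')
    "Mozilla/5.0 (Windows NT 6.1; rv:25.0) Gecko/20100101 Firefox/25.0"
    "\thttp://www.example/index.php?action=login",
    # 5: /.sys/ directory but a different query -> no match
    "Mozilla/5.0 (Windows NT 6.1; rv:25.0) Gecko/20100101 Firefox/25.0"
    "\thttp://compromised.example/.sys/?id=42",
])


def alert_count(log_text):
    """Number of sessions that would raise the post's alert."""
    return sum(1 for _, reasons in triage(log_text) if reasons)


if __name__ == "__main__":
    for url, reasons in triage(SAMPLE_LOG):
        print(f"{'ALERT ' if reasons else 'clean '} {url}  {reasons}")
    print("alerts:", alert_count(SAMPLE_LOG))
```

Sessions 2 and 3 are the reason the combined rule is worth the extra clause: the first rule alone misses the randomized-directory beacon (session 3), while the User-Agent clause alone misses the infected host whose variant uses a normal-looking browser string (session 2).  Session 4 shows why the directory test is kept rather than matching "action=" on its own.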


Set the rule to alert in your alert field, in risk.warning, or in your own custom alert key.


Good luck and Happy Hunting!
