Koobface is an older worm that relies on Facebook likes to spread. It takes advantage of compromised webservers to host malicious scripts. In most instances, Koobface gets downloaded from a webserver from a "/.sys/" subdirectory. But other variants utilize a randomized directory structure on the compromised server to retrieve the malware. Normally, this would make it a bit of a challenge to detect, but there seems to be two common hard-coded User-Agent strings that should be easy to detect in an Enterprise.
We noticed a recent variant (Jan 2, 2014) in our sandbox that is clearly detected ashttps://www.virustotal.com/en/file/9c0c55bb2517629524b42b22ce5c7bf878a97a4996ffb45bf9fed9f4f1cdfdcf/analysis/Koobface at VirusTotal here.
First, lets see what a bunch of Koobface infections look like in SecurityAnalytics:
As you can see, most connections are a put to the /.sys/ directory with no filename. Those would be pretty easy to detect with a custom rule, but what about all of the dynamically generated directories? You could use a Regular Expression rule but even that structure is not regular enough to easily detect the traffic.
There are specific query strings that follow a pattern as well. They typically look like this:
You can see that they all begin with the phrase "action="
So a rule to detect most of this traffic would be:
directory='/.sys/' && query begins 'action='
And while that would detect 95% of the traffic, what about the remainder?
As it turns out, there are two very distinct User-Agent strings observed to be engaging in Koobface beaconing. The first is a Russian Language encoded browser running a 2005 build of Firefox. The "ru;" in the string denotes the russian language. That string is:
mozilla/5.01 (windows; u; windows nt 5.2; ru; rv:18.104.22.168) gecko/20050104 firefox/3.0.2
The second one is even odder. It is a User-Agent string that is tied to the Nauru language. Naulu is a tiny island in Micronesia with less that 20,000 residents. Chances are that no one should ever encounter a browser encoded in this language. That UAstring is:
mozilla/4.0 (compatible; msie 7.0; na; )
So the best way to detect Koobface, based on my observations, is to use a combination rule that would be:
directory='/.sys/' && query begins 'action=' || client='mozilla/5.01 (windows; u; windows nt 5.2; ru; rv:22.214.171.124) gecko/20050104 firefox/3.0.2','mozilla/4.0 (compatible; msie 7.0; na; )'
Set the rule to alert in your alert field, risk.warning or your own custom alert key.
Good luck and Happy Hunting!