Koobface is Still Out There- Here's How to Detect It

Blog Post created by RSA Admin Employee on Jan 7, 2014

Koobface is an older worm that relies on Facebook likes to spread. It takes advantage of compromised webservers to host malicious scripts. In most instances, Koobface gets downloaded from a webserver from a "/.sys/" subdirectory, but other variants use a randomized directory structure on the compromised server to retrieve the malware. Normally, this would make it a bit of a challenge to detect, but there seem to be two common hard-coded User-Agent strings that should be easy to detect in an Enterprise.

We noticed a recent variant (Jan 2, 2014) in our sandbox that is clearly detected as at VirusTotal here.


First, let's see what a bunch of Koobface infections look like in Security Analytics:



As you can see, most connections are a put to the /.sys/ directory with no filename. Those would be pretty easy to detect with a custom rule, but what about all of the dynamically generated directories? You could use a Regular Expression rule, but even that structure is not regular enough to easily detect the traffic.


There are specific query strings that follow a pattern as well.  They typically look like this:



You can see that they all begin with the phrase "action=".


So a rule to detect most of this traffic would be:

directory='/.sys/' && query begins 'action='


And while that would detect 95% of the traffic, what about the remainder?


As it turns out, there are two very distinct User-Agent strings observed to be engaging in Koobface beaconing. The first is a Russian-language browser running a 2005 build of Firefox. The "ru;" in the string denotes the Russian language. That string is:

mozilla/5.01 (windows; u; windows nt 5.2; ru; rv: gecko/20050104 firefox/3.0.2


The second one is even odder. It is a User-Agent string that is tied to the Nauru language. Nauru is a tiny island in Micronesia with less than 20,000 residents. Chances are that no one should ever encounter a browser encoded in this language. That UA string is:

mozilla/4.0 (compatible; msie 7.0; na; )


So the best way to detect Koobface, based on my observations, is to use a combination rule that would be (the && clause is evaluated first, then the || client match):

directory='/.sys/' && query begins 'action=' || client='mozilla/5.01 (windows; u; windows nt 5.2; ru; rv: gecko/20050104 firefox/3.0.2','mozilla/4.0 (compatible; msie 7.0; na; )'


Set the rule to alert in your alert field, risk.warning or your own custom alert key.
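To show how the combination rule behaves outside of Security Analytics, here is an added Python example (not code from the original post or from RSA) that applies the same three conditions to constructed proxy-log lines. The log format, the IP addresses and the query values after "action=" are assumptions for the sample; the two User-Agent strings are the ones from the post.

```python
import re
from urllib.parse import urlsplit

# The two hard-coded Koobface User-Agent strings from the post. Security Analytics
# shows the 'client' meta lowercased, so comparison here is case-insensitive too.
KOOBFACE_CLIENTS = {
    "mozilla/5.01 (windows; u; windows nt 5.2; ru; rv: gecko/20050104 firefox/3.0.2",
    "mozilla/4.0 (compatible; msie 7.0; na; )",
}

# Hypothetical proxy-log layout: <METHOD> <absolute URL> "<User-Agent>"
LOG_RE = re.compile(r'^(?P<method>[A-Z]+) (?P<url>\S+) "(?P<client>[^"]*)"$')


def parse_line(line):
    """Split one log line into the metas the rule uses; None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    parts = urlsplit(m.group("url"))
    path = parts.path or "/"
    # 'directory' is the path up to and including the last slash (filename dropped)
    directory = path[: path.rfind("/") + 1]
    return {"method": m.group("method"), "directory": directory,
            "query": parts.query, "client": m.group("client").lower()}


def is_koobface(rec):
    """directory='/.sys/' && query begins 'action=' || client in the two known strings."""
    dir_and_query = rec["directory"] == "/.sys/" and rec["query"].startswith("action=")
    known_client = rec["client"] in KOOBFACE_CLIENTS
    return dir_and_query or known_client


def scan(lines):
    """Return the lines that the rule would alert on."""
    return [ln for ln in lines if (rec := parse_line(ln)) and is_koobface(rec)]


# Constructed sample traffic: two beacons (one in /.sys/, one in a randomized
# directory caught only by its User-Agent) and two benign requests.
SAMPLE_LOG = [
    'POST http://198.51.100.10/.sys/?action=ping&v=1 "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"',
    'POST http://203.0.113.7/a9f3x/zz/?action=ping "Mozilla/4.0 (compatible; MSIE 7.0; na; )"',
    'GET http://www.example.com/images/logo.png "Mozilla/5.0 (Windows NT 6.1) Firefox/26.0"',
    'GET http://www.example.com/.sys/?page=1 "Mozilla/5.0 (Windows NT 6.1) Firefox/26.0"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print("ALERT risk.warning:", hit)
```

The fourth sample line shows why the query condition matters: a /.sys/ directory alone is not enough to alert.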


Good luck and Happy Hunting!