KOOBFACE Propagates via Torrent P2P File Sharing

Jack

Administrator
Thread author
Verified
Staff Member
Well-known
Jan 24, 2011
9,379
The KOOBFACE botnet became known for using popular social networking sites as a propagation vector and abusing these platforms for malicious purposes. Trend Micro Labs recently observed that KOOBFACE no longer actively propagates via social networks but rather does so via a torrent P2P network through sharing Trojanized application files.

While conducting research, Trend Micro Labs found a “loader” that KOOBFACE uses. This component is responsible for downloading the botnet’s other components and arrives on victims’ systems either via the download of Trojanized torrent files or via a new KOOBFACE component called tor2.exe

WORM_KOOBFACE.AV, upon execution, accesses a C&C domain to request for a torrent file. Once received, it executes a torrent client, which is found in the resource section of the binary. This torrent client, a version 2.2.1 of uTorrent, is executed without the users’ knowledge and runs as a background process.

The torrent client downloads the files referenced by the previously downloaded torrent file from the C&C. A sample of the downloaded torrent file references four files that supposedly comprise an Adobe Lightroom installer package:

koobface1.jpg


Read more
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top