KOOBFACE Propagates via Torrent P2P File Sharing

Jack (Administrator, malwaretips.com), Jan 24, 2011
The KOOBFACE botnet became known for using popular social networking sites as a propagation vector and abusing these platforms for malicious purposes. Trend Micro Labs recently observed that KOOBFACE no longer actively propagates via social networks but rather does so via a torrent P2P network through sharing Trojanized application files.

While conducting research, Trend Micro Labs found a “loader” that KOOBFACE uses. This component is responsible for downloading the botnet’s other components and arrives on victims’ systems either via the download of Trojanized torrent files or via a new KOOBFACE component called tor2.exe.

WORM_KOOBFACE.AV, upon execution, accesses a C&C domain to request a torrent file. Once received, it executes a torrent client, which is found in the resource section of the binary. This torrent client, version 2.2.1 of uTorrent, is executed without the user’s knowledge and runs as a background process.

The torrent client downloads the files referenced by the previously downloaded torrent file from the C&C. A sample of the downloaded torrent file references four files that supposedly comprise an Adobe Lightroom installer package:

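As an added defender-side example (not part of the original post or of Trend Micro's analysis), the Python heuristic below flags a Windows executable that carries a second complete PE image inside itself, the pattern described above where the loader keeps a uTorrent client in its resource section. It does not parse the resource directory; it walks every `MZ` signature after offset 0 and checks that the header's `e_lfanew` field points at a valid `PE\0\0` signature, so an embedded executable stored anywhere in the file, resources included, is reported. The function names and the minimal PE-shaped test blobs are constructed for this example and are not real binaries.

```python
"""Heuristic for spotting an executable embedded inside another executable.

A dropper that keeps a second program (here, a torrent client) in its
resource section still contains that program's full DOS/PE headers, so a
scan for valid MZ/PE header pairs at offsets other than 0 exposes it.
"""
import struct

MZ = b"MZ"
PE_SIG = b"PE\x00\x00"
DOS_HEADER_LEN = 0x40          # size of IMAGE_DOS_HEADER
E_LFANEW_OFFSET = 0x3C         # offset of e_lfanew inside the DOS header


def pe_header_offset(data: bytes, mz_off: int):
    """Return the file offset of the PE signature belonging to the MZ header
    at mz_off, or None if the bytes there are not a consistent DOS/PE pair."""
    if data[mz_off:mz_off + 2] != MZ or mz_off + DOS_HEADER_LEN > len(data):
        return None
    e_lfanew = struct.unpack_from("<I", data, mz_off + E_LFANEW_OFFSET)[0]
    pe_off = mz_off + e_lfanew
    if pe_off + 4 > len(data) or data[pe_off:pe_off + 4] != PE_SIG:
        return None
    return pe_off


def find_embedded_pes(data: bytes):
    """Return the offsets of every valid MZ/PE header that is not at offset 0.

    Stray 'MZ' byte pairs in ordinary data are ignored because their
    e_lfanew does not point at a PE signature."""
    hits = []
    pos = data.find(MZ, 1)
    while pos != -1:
        if pe_header_offset(data, pos) is not None:
            hits.append(pos)
        pos = data.find(MZ, pos + 1)
    return hits


def scan_file(path: str):
    """Scan a file on disk; returns (is_pe, list_of_embedded_pe_offsets)."""
    with open(path, "rb") as fh:
        data = fh.read()
    return pe_header_offset(data, 0) is not None, find_embedded_pes(data)


def build_fake_pe(payload: bytes = b"") -> bytes:
    """Construct a minimal, non-runnable PE-shaped blob for testing:
    a 64-byte DOS header whose e_lfanew points straight at 'PE\\0\\0',
    followed by a few zero bytes and an arbitrary payload."""
    dos = bytearray(DOS_HEADER_LEN)
    dos[0:2] = MZ
    struct.pack_into("<I", dos, E_LFANEW_OFFSET, DOS_HEADER_LEN)
    return bytes(dos) + PE_SIG + b"\x00" * 20 + payload


if __name__ == "__main__":
    # Constructed samples: a clean executable, and a "dropper" that carries
    # a second executable after a fake resource marker.
    clean = build_fake_pe(b"just data")
    dropper = build_fake_pe(b"RSRC" + build_fake_pe(b"inner"))
    for name, blob in (("clean", clean), ("dropper", dropper)):
        print(name, "embedded PE offsets:", find_embedded_pes(blob))
```

Run it against a real file with `scan_file(path)`; any non-empty offset list is a reason to carve the bytes at that offset and inspect them, since a legitimately packaged installer and a dropper look alike to this heuristic.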