Koobface Spreads via Torrents

23-08-2011, 04:17 PM
Security researchers have identified a new version of the Koobface worm which uses the global torrent network instead of social networking websites to spread.

Dating back to July 2008, Koobface is one of the oldest and most successful computer worms that is still active to this day. Its original variants targeted MySpace and Facebook, but it later expanded to other social networking websites.

One particularly interesting aspect of Koobface is the determination of its creators and their innovative detection evasion techniques.

Koobface has seen many improvements over the years and is a fairly sophisticated piece of malware that's most likely maintained by more than one developer.

Despite its success, the worm suddenly stopped spreading on Facebook back in February, a decision that baffled security researchers.

In April security experts from FireEye reported that Koobface was still serving as a distribution platform for other malware and that its command and control servers were still operational.

Judging by a new sample found recently by security researchers from Trend Micro, it seems that during all these months the worm's creators were working on a new propagation routine.

The new version bundles version 2.2.1 of the uTorrent client, which runs hidden in the background to seed trojanized torrents.

These torrents pose as cracked versions of popular applications or games like Silent Scream: The Dancer, Dark Ritual, Celtic Lore: Sidhe Hills, Adobe Lightroom, SystemCare, WinRAR, and others.

The new version also uses encryption to hinder antivirus detection. The rogue torrents, which are promoted via public trackers and are therefore discoverable through the global torrent network, contain multiple components that decrypt each other.
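A quick way to triage a .torrent file for the kind of lure described above, as an added Python example that is not part of the article or of Trend Micro's research: it decodes the bencode container, lists the trackers and payload files, flags executable content and "cracked software" keywords, and computes the info hash so the torrent can be shared as an indicator. The sample torrent, its file names and its tracker URLs are constructed for this example; no actual Koobface torrent is reproduced here.

```python
import hashlib
import posixpath


def bdecode(data: bytes):
    """Minimal decoder for bencode, the .torrent container format."""

    def parse(i: int):
        c = data[i:i + 1]
        if c == b"i":                       # integer: i<digits>e
            end = data.index(b"e", i)
            return int(data[i + 1:end]), end + 1
        if c == b"l":                       # list: l<items>e
            i += 1
            items = []
            while data[i:i + 1] != b"e":
                item, i = parse(i)
                items.append(item)
            return items, i + 1
        if c == b"d":                       # dict: d<key><value>...e
            i += 1
            result = {}
            while data[i:i + 1] != b"e":
                key, i = parse(i)
                value, i = parse(i)
                result[key] = value
            return result, i + 1
        if c.isdigit():                     # byte string: <len>:<bytes>
            colon = data.index(b":", i)
            length = int(data[i:colon])
            start = colon + 1
            return data[start:start + length], start + length
        raise ValueError(f"bad bencode at offset {i}")

    value, end = parse(0)
    if end != len(data):
        raise ValueError("trailing bytes after bencode value")
    return value


def bencode(obj) -> bytes:
    """Canonical bencode encoder (dict keys sorted bytewise, as the format requires)."""
    if isinstance(obj, int):
        return b"i%de" % obj
    if isinstance(obj, str):
        obj = obj.encode("utf-8")
    if isinstance(obj, bytes):
        return b"%d:%s" % (len(obj), obj)
    if isinstance(obj, list):
        return b"l" + b"".join(bencode(x) for x in obj) + b"e"
    if isinstance(obj, dict):
        items = sorted((k.encode("utf-8") if isinstance(k, str) else k, v)
                       for k, v in obj.items())
        return b"d" + b"".join(bencode(k) + bencode(v) for k, v in items) + b"e"
    raise TypeError(f"cannot bencode {type(obj).__name__}")


# Extensions a "cracked application" torrent should not need to run on the victim's machine,
# and keywords typical of software-piracy lures. Both lists are assumptions for this example.
EXEC_EXT = {".exe", ".scr", ".com", ".bat", ".cmd", ".msi", ".pif", ".vbs", ".js", ".dll"}
LURE_TERMS = ("crack", "keygen", "patch", "serial")


def triage_torrent(raw: bytes) -> dict:
    """Summarise a .torrent file and flag it if it pairs a piracy lure with executable payloads."""
    meta = bdecode(raw)
    info = meta[b"info"]
    name = info[b"name"].decode("utf-8", "replace")

    trackers = []                           # announce first, then announce-list tiers, deduplicated
    if b"announce" in meta:
        trackers.append(meta[b"announce"].decode("utf-8", "replace"))
    for tier in meta.get(b"announce-list", []):
        for url in tier:
            url = url.decode("utf-8", "replace")
            if url not in trackers:
                trackers.append(url)

    if b"files" in info:                    # multi-file torrent: paths are lists of components
        files = ["/".join(p.decode("utf-8", "replace") for p in f[b"path"])
                 for f in info[b"files"]]
    else:                                   # single-file torrent: the name is the file
        files = [name]

    executables = [f for f in files if posixpath.splitext(f)[1].lower() in EXEC_EXT]
    haystack = (name + " " + " ".join(files)).lower()
    lure_terms = [t for t in LURE_TERMS if t in haystack]
    # info hash = SHA-1 of the bencoded info dict; exact only if the original was canonically encoded
    info_hash = hashlib.sha1(bencode(info)).hexdigest()

    return {
        "name": name,
        "trackers": trackers,
        "files": files,
        "executables": executables,
        "lure_terms": lure_terms,
        "info_hash": info_hash,
        "suspicious": bool(executables and lure_terms),
    }


# Constructed sample: a fake "cracked Lightroom" torrent with an executable installer and keygen.
SAMPLE_TORRENT = bencode({
    "announce": "http://tracker.example/announce",
    "announce-list": [["http://tracker.example/announce"],
                      ["udp://tracker2.example:6969/announce"]],
    "info": {
        "name": "Adobe Lightroom 3 [cracked]",
        "piece length": 262144,
        "pieces": b"\x00" * 20,             # one placeholder 20-byte piece hash
        "files": [
            {"length": 1048576, "path": ["setup.exe"]},
            {"length": 65536, "path": ["crack", "keygen.exe"]},
            {"length": 1024, "path": ["README.txt"]},
        ],
    },
})

if __name__ == "__main__":
    import json
    print(json.dumps(triage_torrent(SAMPLE_TORRENT), indent=2))
```

The heuristic is deliberately coarse: a torrent that advertises cracked software and ships executables is not proof of malware, but it is exactly the shape of the lures listed above and is cheap to apply across a tracker scrape before spending sandbox time on the payloads. The info hash is the value to share with peers or feed to a blocklist, since the same content reappears under many torrent file names.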

"The shift from concentrating on propagating through social networks to torrent P2P networks may be a result of the efforts by the targeted social networks to prevent the KOOBFACE botnet from abusing their framework," the Trend Micro researchers write.

"Despite this change, users should be aware that the KOOBFACE gang has not stopped in coming up with schemes to infect users’ systems. They are simply looking for other means to do so," they warn.