As koobface-serving domains are being taken down as early as the good guys discover them, the bad guys are at it and they respond by registering new ones. At the moment, their, C&C server is hosted in China with IP Address 61.235.117.83.
The bad guys are still using a fake facebook website, as well as posing as a fake codec, in order to distribute koobface.
Clicking anywhere on the page, presents us with a file named setup.exe. Here are some of the IPs being used to distribute koobface:
115.130.27.204
123.202.200.84
151.204.31.67
196.206.65.53
221.126.0.105
24.215.207.229
41.238.76.198
61.93.34.23
67.206.253.52
68.47.48.240
69.18.107.115
69.254.215.173
70.122.242.250
70.212.232.126
71.116.37.213
71.130.216.179
71.194.236.32
71.80.105.40
72.13.138.210
72.190.87.208
75.181.171.110
75.251.94.44
76.119.98.22
76.22.160.28
76.23.203.64
81.192.192.160
98.140.58.163
98.244.224.140
98.26.40.38
99.22.74.229The javascript component being by used by koobface, remains bascically the same as before
And as before, koobface is still serving up scareware. From time to time, users are presented with a My Computer online scan, going through these domains:
gotrioscan(dot)com
plazec(dot)infoAt some instances, we also get these warnings:
At the moment, these warnings are serving Internet Antivirus Pro.
Update:
Koobface has been going at it and here's another one that spoofs youtube and serves koobface malware as a fake codec:
hxxp://71.197.170.226/d=www.marcellaburnard.com/0x3E8/view/console=yes/?go
No comments:
Post a Comment