Posted by: kenwbudd | December 2, 2009

YouTube Better Watch out: Koobface Botnet Exploits Social Engineering Sites

The Koobface botnet, one of the most efficient social-engineering-driven botnets, is entering the Xmas season with a newly introduced template that spoofs a YouTube video page while enticing the visitor into installing a bogus Adobe Flash Player update (New Koobface campaign spoofs Adobe’s Flash updater), which remains one of the most popular social engineering tactics used by the botnet masters.

What is the Koobface gang up to? Would they continue sticking to their true nature and rely on social engineering tactics, or would they start using active exploitation tactics such as client-side exploits?

Let’s discuss some of the new developments introduced on the Koobface front over the past week, and try to answer these questions.

Experimenting with client-side exploits – last week, for the first time ever, the Koobface botnet started serving client-side exploits by embedding two iFrames on the hundreds of thousands of Koobface-infected hosts, for a period of several hours.

Despite the reliance on outdated exploits used by the web malware exploitation kit in question, this does not automatically mean that their “infection optimization” strategy would be in vain, given that a huge percentage of users and enterprises continue failing to properly manage their “software inventory”.

Whether the gang will re-introduce the use of client-side exploits (drive-by downloads) remains to be seen; however, this move directly contradicts the infection model of the botnet, which so far has exclusively used social engineering tactics.

