Pirates punked as KOOBFACE targets Torrent P2P file sharing

18 Aug 2011

The notorious KOOBFACE botnet, known for maliciously targeting popular social networking sites, is now propagating via a torrent peer-to-peer network through Trojanised shared application files.

Trend Micro has found a “loader” component used by KOOBFACE, which is responsible for downloading the botnet’s other components.

Unwitting users looking for pirated copies of popular software such as games, PC utilities or productivity software are in for a surprise, as these Trojanised software torrents are found on popular torrent sites. The following is a partial list of the observed torrent file names that have been Trojanised by KOOBFACE:

  • 65_Silent_Scream_The_Dancer.torrent
  • 67_Dark_Ritual.torrent
  • 68_Celtic_Lore_Sidhe_Hills.torrent
  • 69_Lightroom.torrent
  • 71_SystemCare.torrent
  • WinrRAR_4_Beta_7.torrent
  • 72_Voodoo_Whisperer.torrent
  • 73_Allore_And_The_Broken_Portal.torrent
  • 74_Secret_of_Hildegards.torrent
  • 75_Mystery_Chronicles.torrent
  • 76_Magical_Mysteries.torrent

Software pirates get punked

According to Trend Micro, the loader arrives on the victim’s computer either through the Trojanised torrent downloads or through a new KOOBFACE component named “tor2.exe”, which is detected as WORM_KOOBFACE.AV.

Upon execution, WORM_KOOBFACE.AV connects to the C&C domain to request a torrent file. Once it receives one, it drops a torrent client embedded in the binary’s resource section onto the affected system and executes it. This client, uTorrent version 2.2.1, runs as a hidden background process so that the user never sees it.

The torrent client then downloads the files referenced by the torrent file previously fetched from the C&C. A sample of the downloaded torrent file references four files that together pose as an Adobe Lightroom installer package.

These files serve different functions:

  • setup.exe decrypts and executes setup3.cab, then executes setup2.cab.
  • setup1.cab acts as the downloader of the other component binaries.
  • setup2.cab is the actual Adobe Lightroom installer.
  • setup3.cab decrypts and executes setup1.cab.

The files setup.exe, setup1.cab, and setup3.cab are all also detected as WORM_KOOBFACE.AV.
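To see concretely what a torrent of this kind hands to the hidden client, the following is an added example (not Trend Micro’s or the article’s code): a minimal bencode encoder and decoder that lists the files a .torrent references, flags the ones that look like runnable or installer payloads, and computes the torrent’s info hash, the identifier by which trackers and peers recognise it. The SAMPLE_TORRENT metainfo is constructed here to mirror the four-file Lightroom torrent described above; the tracker URL, file sizes and piece hashes are placeholders, and EXECUTABLE_SUFFIXES is an assumed heuristic list.

```python
# Added example (not Trend Micro's or Silicon Republic's code): a minimal
# bencode encoder/decoder used to list the files a .torrent references and
# compute its info hash. SAMPLE_TORRENT is constructed here to mirror the
# four-file Lightroom torrent the article describes; all sizes, the tracker
# URL and the piece hashes are placeholders.
import hashlib


def encode(value) -> bytes:
    """Bencode ints, byte strings, lists and dicts (dict keys sorted, per spec)."""
    if isinstance(value, bool):
        raise TypeError("bencode has no boolean type")
    if isinstance(value, int):
        return b"i%de" % value
    if isinstance(value, bytes):
        return b"%d:%s" % (len(value), value)
    if isinstance(value, list):
        return b"l" + b"".join(encode(v) for v in value) + b"e"
    if isinstance(value, dict):
        return b"d" + b"".join(encode(k) + encode(value[k]) for k in sorted(value)) + b"e"
    raise TypeError(f"cannot bencode {type(value).__name__}")


def decode(data: bytes, pos: int = 0):
    """Decode one bencoded value at pos; return (value, position after it)."""
    marker = data[pos:pos + 1]
    if marker == b"i":                        # integer: i<digits>e
        end = data.index(b"e", pos)
        return int(data[pos + 1:end]), end + 1
    if marker == b"l":                        # list: l<items>e
        pos += 1
        items = []
        while data[pos:pos + 1] != b"e":
            item, pos = decode(data, pos)
            items.append(item)
        return items, pos + 1
    if marker == b"d":                        # dict: d<key><value>...e
        pos += 1
        result = {}
        while data[pos:pos + 1] != b"e":
            key, pos = decode(data, pos)
            value, pos = decode(data, pos)
            result[key] = value
        return result, pos + 1
    if marker.isdigit():                      # byte string: <len>:<bytes>
        colon = data.index(b":", pos)
        length = int(data[pos:colon])
        start = colon + 1
        if start + length > len(data):
            raise ValueError(f"truncated string at offset {pos}")
        return data[start:start + length], start + length
    raise ValueError(f"invalid bencode at offset {pos}")


def referenced_files(torrent: bytes):
    """Return [(relative path, size)] for every file in the torrent's info dict."""
    meta, _ = decode(torrent)
    info = meta[b"info"]
    if b"files" in info:                      # multi-file torrent
        return [("/".join(part.decode() for part in f[b"path"]), f[b"length"])
                for f in info[b"files"]]
    return [(info[b"name"].decode(), info[b"length"])]   # single-file torrent


def info_hash(torrent: bytes) -> str:
    """SHA-1 over the raw bencoded info dict: the torrent's identity to trackers and peers."""
    if torrent[:1] != b"d":
        raise ValueError("torrent metainfo must be a dict")
    pos = 1
    while torrent[pos:pos + 1] != b"e":
        key, pos = decode(torrent, pos)
        start = pos
        _, pos = decode(torrent, pos)          # skip the value, remembering its byte span
        if key == b"info":
            return hashlib.sha1(torrent[start:pos]).hexdigest()
    raise ValueError("no info dict")


# Assumed heuristic: suffixes an analyst would want flagged in a torrent that
# claims to be a single application installer.
EXECUTABLE_SUFFIXES = (".exe", ".cab", ".msi", ".scr", ".dll", ".bat", ".cmd")


def executable_payloads(torrent: bytes):
    """Paths in the torrent that look like runnable or installer payloads."""
    return [path for path, _ in referenced_files(torrent)
            if path.lower().endswith(EXECUTABLE_SUFFIXES)]


# Constructed sample mirroring the article's four-file Lightroom torrent.
SAMPLE_TORRENT = encode({
    b"announce": b"http://tracker.example.invalid/announce",   # placeholder tracker
    b"info": {
        b"name": b"Lightroom",
        b"piece length": 262144,
        b"pieces": b"\x00" * 20,               # placeholder: one 20-byte SHA-1 per piece
        b"files": [
            {b"path": [b"setup.exe"], b"length": 40960},
            {b"path": [b"setup1.cab"], b"length": 8192},
            {b"path": [b"setup2.cab"], b"length": 102400},
            {b"path": [b"setup3.cab"], b"length": 8192},
        ],
    },
})

if __name__ == "__main__":
    print("info hash:", info_hash(SAMPLE_TORRENT))
    for path, size in referenced_files(SAMPLE_TORRENT):
        print(f"{path:12} {size:>8} bytes")
    print("payload-like files:", executable_payloads(SAMPLE_TORRENT))
```

Run against a real .torrent (read the file as bytes and pass it to referenced_files and info_hash), this is the quickest way to see what a torrent served by a C&C would make a client fetch and seed, and the info hash gives a stable value to search for across peers and tracker logs without downloading any content.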

Infected systems running WORM_KOOBFACE.AV run a hidden torrent client process, which turns each of them into a “peer” that seeds, or hosts, the malicious binaries for others.

The more seeders a torrent has, the more likely other users are to download it, since more seeders promise faster download speeds.

“The shift from concentrating on propagating through social networks to torrent P2P networks may be a result of the efforts by the targeted social networks to prevent the KOOBFACE botnet from abusing their framework,” Jonell Baltazar, a senior threat researcher at Trend Micro, wrote in the company’s blog.

“Despite this change, users should be aware that the KOOBFACE gang has not stopped in coming up with schemes to infect users’ systems. They are simply looking for other means to do so,” Baltazar said.

John Kennedy is a journalist who served as editor of Silicon Republic for 17 years

editorial@siliconrepublic.com