Koobface worm-flinging gangster linked to pharma spam ops

Login-slurping worm band broke up, moved onto 'solo projects' – infosec bod

What do you do after you've made millions through one of the most technically sophisticated strains of malware ever unleashed onto the internet? Make millions pushing penis-enhancing pills, according to more than one security researcher.

The findings suggest at least one of the crooks behind Koobface has branched out to become involved in selling penis pills using junkmail.

Ronald F Guilmette, an independent security researcher who first uncovered the hijacking of machines on Microsoft's corporate network to spamvertise unlicensed Viagra pills back in 2010, has uncovered a strong connection between the same EvaPharmacy group that infected machines in a testing lab at Redmond three years ago and at least one of the people behind the infamous Koobface worm.

"EvaPharmacy is, and has been for many years now, one of the largest if not THE largest spamming enterprise in the known universe, pumping out more spam, month after month, than any other single individual, group, or enterprise on the net," Guilmette told El Reg.

The evidence comes from historic domain registration information that links a Moscow address to both operations and shows the same phone number on the registrations of domains tied to Koobface and to EvaPharmacy.

Spamtrackers.eu, which has been tracking EvaPharmacy for some time, associates the domain name checkoutpharamcysafe.com with EvaPharmacy. WHOIS records give the owner of checkoutpharamcysafe.com as "Andrey Polev".

A detailed analysis of clues relating to the Koobface worm by security researcher Jago Maniscalchi provides evidence that various domains alleged to have been connected to Koobface were registered under a variety of similar names: Andrei Polev, Andrej Polev or Aleksandr Polev.

"I suspect that all these are just pseudonyms anyway, so it is probable, I think, that the guy who wrote all these names just didn't bother to be 100 per cent consistent across all his uses of this pseudonym," Guilmette explained.

More critical and more telling, according to Guilmette, is the contact "phone number" listed for the allegedly Koobface-related domain name "cheapestpharmacy.at", which matches the number on the EvaPharmacy domain's registration.

The street address and (Russian) zip code listed for both the domain name checkoutpharamcysafe.com (EvaPharmacy) and the domain name cheapestpharmacy.at (Koobface) are also almost identical.

"These matchups, of (a) the registrant name and also (b) the contact phone number and (c) the street address and zip code are _not_ mere coincidences, in my opinion," Guilmette concludes.

"Rather, they appear to point rather unambiguously to a link, at the very least, between the Koobface gang and the EvaPharmacy gang. Maybe Koobface *is* EvaPharmacy and vice-versa. I don't really know."
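The registration-data pivot Guilmette describes (same phone number, near-identical address, transliteration variants of one registrant name) can be run systematically over a set of WHOIS records. The following Python script is an added illustration, not code from the article or from Guilmette; it normalises phone numbers and addresses, fuzzy-matches registrant names, and clusters domains that share any indicator. The two domain names and the Polev spellings echo the article, but every phone number, street address and zip code in the records is a constructed placeholder, and pills-outlet.example and unrelated-shop.example are invented domains.

```python
import re
from difflib import SequenceMatcher
from itertools import combinations

# Constructed WHOIS-style registration records for illustration only. The
# phone numbers, addresses and zip codes are placeholders, not the real data.
RECORDS = [
    {"domain": "checkoutpharamcysafe.com", "name": "Andrey Polev",
     "phone": "+7 (495) 000-00-01", "address": "Example Street 1, Moscow", "zip": "101000"},
    {"domain": "cheapestpharmacy.at", "name": "Andrej Polev",
     "phone": "+7-495-0000001", "address": "Example str. 1, Moscow", "zip": "101000"},
    {"domain": "pills-outlet.example", "name": "Aleksandr Polev",
     "phone": "+7 495 000 00 02", "address": "Example Street 1, Moscow", "zip": "101000"},
    {"domain": "unrelated-shop.example", "name": "Jane Doe",
     "phone": "+1 555 000 0000", "address": "1 Main St, Springfield", "zip": "00000"},
]


def norm_phone(phone):
    """Keep digits only, so '+7 (495) 000-00-01' and '+7-495-0000001' compare equal."""
    return re.sub(r"\D", "", phone)


def norm_address(address, zipcode):
    """Lower-case, expand 'str.' to 'street', drop punctuation, append the zip code."""
    a = address.lower()
    a = re.sub(r"\bstr\b\.?", "street", a)
    a = re.sub(r"[^a-z0-9]+", " ", a).strip()
    return f"{a} {zipcode}"


def name_similarity(a, b):
    """Ratio in [0, 1]; transliteration variants (Andrei/Andrej/Andrey) score high,
    a different given name with the same surname scores noticeably lower."""
    return SequenceMatcher(None, a.lower(), b.lower()).ratio()


def pairwise_evidence(records, name_threshold=0.85):
    """Map each (domain_a, domain_b) pair to the list of indicators it shares."""
    links = {}
    for r1, r2 in combinations(records, 2):
        evidence = []
        if norm_phone(r1["phone"]) == norm_phone(r2["phone"]):
            evidence.append("phone")
        if norm_address(r1["address"], r1["zip"]) == norm_address(r2["address"], r2["zip"]):
            evidence.append("address")
        if name_similarity(r1["name"], r2["name"]) >= name_threshold:
            evidence.append("name")
        if evidence:
            links[(r1["domain"], r2["domain"])] = evidence
    return links


def cluster_domains(records, name_threshold=0.85):
    """Union-find over the evidence graph: domains joined by any shared
    indicator land in one cluster. Returns clusters largest first, each sorted."""
    parent = {r["domain"]: r["domain"] for r in records}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for a, b in pairwise_evidence(records, name_threshold):
        parent[find(a)] = find(b)
    groups = {}
    for d in parent:
        groups.setdefault(find(d), set()).add(d)
    return sorted((sorted(g) for g in groups.values()), key=len, reverse=True)


if __name__ == "__main__":
    for (a, b), ev in pairwise_evidence(RECORDS).items():
        print(f"{a} <-> {b}: {', '.join(ev)}")
    for group in cluster_domains(RECORDS):
        print("cluster:", group)
```

The evidence list per pair is the point: a phone or address match is a strong registration-level tie, while a name match alone (which the fuzzy threshold deliberately denies to "Aleksandr" vs "Andrey") is weaker and, as Danchev notes later in the article, should be cross-checked against malware and infrastructure indicators before anything is called attribution.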

Let SkLiP the dogs of war

Separately, a report by antivirus vendor Trend Micro, titled The Heart of Koobface, shows the same alias or names being used by the registered owner of various Koobface C&C (Command and Control) domains. The details can be found on page 32 of the Trend Micro study (PDF).

The name Andrei/Andrej/Alexandr Polev, whether a pseudonym or not, is unambiguously linked to Koobface. It is also linked, again unambiguously, to the EvaPharmacy gang, according to Guilmette.

Other less substantial pieces of evidence further support the theory that Koobface is linked to EvaPharmacy and vice-versa.

One key EvaPharmacy player uses an online moniker "SkLiP" – which is slang, in some parts of the world, for "thief". The Koobface gang apparently identified itself on some occasions as "Ali Baba & 4", a clear reference to Ali Baba and the Forty Thieves.

Guilmette's investigations of the links between Koobface and EvaPharmacy have led him to identify one Moscow-based individual, whose name has been supplied to The Register, as the probable chief exec of EvaPharmacy and someone who was previously tied up with Koobface. This person has not been previously named in connection with Koobface, checks by El Reg suggest.

Face/off

Koobface began targeting surfers on Facebook and other social networks in December 2008, typically encouraging prospective marks to execute malware packages disguised as Flash updates supposedly needed to view lurid or shocking content.

Once executed, the malware turns compromised computers into zombie drones under the control of hackers. The botnet was used to distribute secondary pay-per-install malware on the compromised computers as well as to hijack search queries to display advertisements. The botnet was then targeted for takedown, which didn't quite kill it off.

However, things have been very quiet since then, although Facebook controversially identified five individuals it alleged were involved with Koobface in January 2012. These five people have never been charged.

Koobface was chiefly monetised through click fraud. Guilmette's thesis is that since Koobface went quiet three years ago, at least one of the fraudsters involved has moved on to making his money by selling Viagra, Cialis and other pharmaceuticals, without prescription, through EvaPharmacy.

It may be that machines compromised using Koobface are being used to spamvertise EvaPharmacy. "Spamming for fake pharmacy domains would be more profitable, to the Koobface gang, than just trying to make money by perpetrating click fraud," Guilmette concluded.

Cybercrime researcher Dancho Danchev has also been following the trail of the Koobface gang for years. He reckons Guilmette's theory is along the right lines but needs to be supplemented by evidence from the malware itself, rather than domain name registration information alone.

"I also don't believe in such type of coincidences in our line of work, however, initial attributable 'impressions' must always be cross-checked against multiple infection/propagation indicators of live/historical campaigns, so that a truly realistic picture can emerge," Danchev told El Reg.

"Although the attention towards the Koobface gang shifted in a post-Koobface botnet security industry, what we shouldn't forget is that once they felt invincible to track/shut down, they experimented through a multi-layered monetisation of hosts, by starting to serve client-side exploits in 2009. What this revealed is also a direct connection with Exmanoize, the author of the Eleonore Exploit Kit, as the initial malicious domains were registered using an email belonging to him, proving that they've been busy socialising with other key market players back then."

Danchev's analysis of the client-side exploits involving Koobface, which mentions Exmanoize, and dating from 2009 can be found here.
