Koobface worm-flinging gangster linked to pharma spam ops

What do you do after you've made millions through one of the most technically sophisticated strains of malware ever unleashed onto the internet? Make millions pushing penis-enhancing pills, according to more than one security researcher.

The findings suggest at least one of the crooks behind Koobface has branched out to become involved in selling penis pills using junkmail.

Ronald F Guilmette, an independent security researcher who first uncovered the hijacking of machines on Microsoft's corporate network to spamvertise unlicensed Viagra pills back in 2010, has uncovered a strong connection between the same EvaPharmacy group that infected machines in a testing lab at Redmond three years ago and at least one of the people behind the infamous Koobface worm.

"EvaPharmacy is, and has been for many years now, one of the largest if not THE largest spamming enterprise in the known universe, pumping out more spam, month after month, than any other single individual, group, or enterprise on the net," Guilmette told El Reg.

The evidence comes from historic domain registration information that links a Moscow address to both operations and shows an identical phone number linked to the registration of domains linked to Koobface and EvaPharmacy.

Spamtrackers.eu, which has been tracking EvaPharmacy for some time, associates the domain name checkoutpharamcysafe.com with EvaPharmacy. WHOIS records give the owner of checkoutpharamcysafe.com as "Andrey Polev".

A detailed analysis of clues relating to the Koobface worm by security researcher Jago Maniscalchi provides evidence that various domains alleged to have been connected to Koobface were registered by under a variety of similar names: Andrei Polev, Andrej Polev or Aleksandr Polev.

"I suspect that all these are just pseudonyms anyway, so it is probable, I think, that the guy who wrote all these names just didn't bother to be 100 per cent consistent across all his uses of this pseudonym," Guilmette explained.

More critical and more telling, according to Guilmette, is that a contact "phone number" for the allegedly Koobface-related domain name "cheapestpharmacy.at".

The street address and (Russian) zip code listed for both the domain name checkoutpharamcysafe.com (EvaPharmacy) and the domain name cheapestpharmacy.at (Koobface) are also almost identical.

"These matchups, of (a) the registrant name and also (b) the contact phone number and (c) the street address and zip code are _not_ mere coincidences, in my opinion," Guilmette concludes.

"Rather, they appear to point rather unambiguously to a link, at the very least, between the Koobface gang and the EvaPharmacy gang. Maybe Koobface *is* EvaPharmacy and vice-versa. I don't really know."

Let SkLiP the dogs of war

Separately a report by antivirus vendor Trend Micro, titled The Heart of Koobface, shows the same alias or names being used by the registered owner of various Koobface C&C (Command and Control) domains. The details can be found on page 32 of Trend Micro study (PDF).

The name Andrei/Andrej/Alexandr Polev, whether a pseudonym or not, is unambiguously linked to Koobface. It is also linked, again unambiguously, to the EvaPharmacy gang, according to Guilmette.

Other less substantial pieces of evidence further support the theory that Koobface is linked to EvaPharmacy and vice-versa.

One key EvaPharmacy player uses an online moniker "SkLiP" – which is slang, in some parts of the world, for "thief". The Koobface gang apparently identified itself on some occasions as "Ali Baba & 4", a clear reference to Ali Baba and the Forty Thieves.

Guilmette's investigations of the links between Koobface and EvaPharmacy had led him to identify one Moscow-based individual, whose name has been supplied to The Register, as the probable chief exec of EvaPharmacy and someone who was previously tied up with Koobface. This person has not been previously named in connection with Koobface, checks by El Reg suggest.

Face/off

Koobface began targeting surfers on Facebook and other social networks beginning in December 2008, typically encouraging prospective marks to execute malware packages disguised as Flash updates supposedly needed to view lurid or shocking content.

Once executed, the malware turns compromised computers in zombie drones under the control of hackers. The botnet was used to distribute secondary pay-per-install malware on the compromised computers as well as hijack search queries to display advertisements. The botnet was then targeted for takedown, which didn't quite kill it off.

However, things have been very quiet since Facebook, although the social network has since controversially identified five individuals it alleged were involved with Koobface in January 2012. These five people have never been charged.

Koobface was chiefly monetised through click fraud. Guilmette's thesis is that since Koobface went quiet three years ago, at least one of the fraudsters involved has moved on to become making his money through selling Viagra, Cialis and other pharmaceuticals, without prescription, through EvaPharmacy.

It may be that machines compromised using Koobface are been used to spamvertise EvaPharmacy. "Spamming for fake pharmacy domains would be more profitable, to the Koobface gang, than just trying to make money by perpetrating click frond," Guilmette concluded.

Cybercrime researcher Dancho Danchev has also been following the trail of the Koobface gang for years. He reckons Guilmette's theory is along the right lines but needs to be supplemented by evidence from the malware itself, rather than domain name registration information alone.

"I also don't believe in such type of coincidences in our line of work, however, initial attributable 'impressions' must always be cross-checked against multiple infection/propagation indicators of live/historical campaigns, so that a truly realistic picture can emerge," Danchev told El Reg

Although the attention towards the Koobface gang shifted in a post-Koobface botnet security industry, what we shouldn't forget is that once they felt invincible to track/shut down, they experimented through a multi-layered monetisation of hosts, by starting to serve client-side exploits in 2009. What this revealed is also a direct connection with Exmanoize, the author of the Eleonore Exploit Kit, as the initial malicious domains was registered using an email belonging to him, proving that they've been busy socialising with other key market players back then."

Danchev's analysis of the client-side exploits involving Koobface, which mentions Exmanoize, and dating from 2009 can be found here.