Thursday, October 22, 2009

Koobface New Campaign

A friend of mine just got hit by what looks like a new Koobface campaign: hundreds of posts from his account to his friends' walls, with message text like the following samples:

You musst see tthis vvideo nnow! It'ss the bbest one!!
You mmust see tthis viideo now!! It'ss the bestt onne!
You mustt see thhis vvideo now!! It''s the bbest one!!


and

I ccan't falll assleep affter viiewing tthis videoo. I havven't seenn annything likee thiis
I can'tt falll asleepp afterr viewiing thiis videeo. I hhaven't sseen anythinng liike tthis
I ccan't faall aasleep aftter vviewing thhis videoo. I hhaven't seenn annything likee thiis



The wording is varied slightly in every post (note the randomly doubled letters), so no two posts carry exactly the same string.
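As an added example (not part of the original post), the following Python collapses the doubled letters in a post and compares the result with canonical versions of the two lures quoted above. The two template strings and the unrelated control message are mine, reconstructed from the samples; the same transform applied to both sides means legitimate double letters ("fall", "see") do not get in the way, and any new variant that differs only by repeated characters collapses to the same template.

```python
import re
from typing import List, Optional

# Canonical lure texts, reconstructed from the samples in the post
# (the "un-doubled" form of each message). These are assumptions, not
# strings the author published.
LURE_TEMPLATES = {
    "video-best": "You must see this video now! It's the best one!",
    "video-asleep": "I can't fall asleep after viewing this video. "
                    "I haven't seen anything like this",
}

# The six variants quoted in the post, verbatim.
SAMPLE_POSTS = [
    "You musst see tthis vvideo nnow! It'ss the bbest one!!",
    "You mmust see tthis viideo now!! It'ss the bestt onne!",
    "You mustt see thhis vvideo now!! It''s the bbest one!!",
    "I ccan't falll assleep affter viiewing tthis videoo. I havven't seenn annything likee thiis",
    "I can'tt falll asleepp afterr viewiing thiis videeo. I hhaven't sseen anythinng liike tthis",
    "I ccan't faall aasleep aftter vviewing thhis videoo. I hhaven't seenn annything likee thiis",
]

# Any character followed by one or more copies of itself.
_REPEAT = re.compile(r"(.)\1+", re.DOTALL)


def normalize(text: str) -> str:
    """Lower-case, collapse every run of a repeated character to one
    character, and squeeze whitespace.

    The same function is applied to the templates, so "fall" and "falll"
    both become "fal", and "now!!" and "now!" both become "now!".
    """
    collapsed = _REPEAT.sub(r"\1", text.lower())
    return " ".join(collapsed.split())


NORMALIZED_TEMPLATES = {name: normalize(t) for name, t in LURE_TEMPLATES.items()}


def match_lure(text: str) -> Optional[str]:
    """Return the name of the lure template this post collapses to, or None."""
    n = normalize(text)
    for name, tmpl in NORMALIZED_TEMPLATES.items():
        if n == tmpl:
            return name
    return None


def classify_posts(posts: List[str]) -> List[Optional[str]]:
    """Classify a batch of wall posts; None means 'not a known lure'."""
    return [match_lure(p) for p in posts]


if __name__ == "__main__":
    for post in SAMPLE_POSTS + ["Check out this video of my cat"]:
        print(f"{str(match_lure(post)):14} {post}")
```

Exact matching after normalization is deliberately strict: a post that changes a word rather than doubling letters will not match, and should be handled by adding a new template rather than loosening the comparison.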

The links in the posts point to compromised hosts; the list is below:


http://www.mdl-job.com/243
http://attheshorerealty.com/779/
http://t4lshotgun.com/278/
http://msstory.2us.co.il/889/
http://www.ctambulancebilling.com/311/
http://dev.top4life.com/880/
http://sereshgi.com/328/
http://www.hookedonthewharf.com/397/
http://HillCountryHeritage.com/592/
http://kul-alnas.com/848/
http://george-o-malley-grey-s-anatomy.comxa.com/192/
http://shamshotels.com/932/index.php
http://south-beach-bistro.com/289/
http://moltaqana.com/641/
http://marahebcars.com/709/
http://drive.dubaigatehost.com/594/
http://officeimmobilier.com/615/
http://rcsonline.com/681/
http://bchampion.com/577/
http://christine-paolilla.hostzi.com/583/
http://jalawicenter.com/567/
http://myms.wek.co.il/509/
http://saraenterprises.com/714/
http://tahanialkhaleej.com/526/
http://www.aliano.mobi/154/
http://gboahomes.com/406/
http://osenf.com/247/


The above sites run on a mix of platforms: some are plain PHP, others vBulletin.


The Dubai sites were all developed by the same company (www.dubaigateweb.com), which suggests they were compromised through something they have in common rather than broken into one by one.

The above sites are used only for redirection. The redirect targets extracted from the JS file are listed below; note that every one is a bare IP address serving the same resource, /go.js?0x3E8/view/console=yes/


http://66.199.114.246/go.js?0x3E8/view/console=yes/
http://98.200.147.100/go.js?0x3E8/view/console=yes/
http://68.205.233.173/go.js?0x3E8/view/console=yes/
http://173.35.77.135/go.js?0x3E8/view/console=yes/
http://88.203.98.96/go.js?0x3E8/view/console=yes/
http://24.2.19.73/go.js?0x3E8/view/console=yes/
http://99.135.196.172/go.js?0x3E8/view/console=yes/
http://98.194.129.106/go.js?0x3E8/view/console=yes/
http://76.168.177.248/go.js?0x3E8/view/console=yes/
http://98.235.12.107/go.js?0x3E8/view/console=yes/
http://93.173.18.52/go.js?0x3E8/view/console=yes/
http://99.164.38.181/go.js?0x3E8/view/console=yes/
http://82.226.229.170/go.js?0x3E8/view/console=yes/
http://24.152.164.90/go.js?0x3E8/view/console=yes/
http://96.28.170.78/go.js?0x3E8/view/console=yes/
http://72.224.239.216/go.js?0x3E8/view/console=yes/
http://68.146.79.57/go.js?0x3E8/view/console=yes/
http://123.202.3.107/go.js?0x3E8/view/console=yes/
http://75.85.89.242/go.js?0x3E8/view/console=yes/
http://66.72.174.146/go.js?0x3E8/view/console=yes/
http://85.102.4.145/go.js?0x3E8/view/console=yes/
http://66.108.68.36/go.js?0x3E8/view/console=yes/
http://77.125.245.113/go.js?0x3E8/view/console=yes/
http://98.212.38.39/go.js?0x3E8/view/console=yes/
http://84.110.234.54/go.js?0x3E8/view/console=yes/
http://82.158.208.29/go.js?0x3E8/view/console=yes/
http://71.61.33.205/go.js?0x3E8/view/console=yes/
http://83.251.150.59/go.js?0x3E8/view/console=yes/
http://84.229.215.70/go.js?0x3E8/view/console=yes/
http://81.233.153.135/go.js?0x3E8/view/console=yes/
http://70.22.209.112/go.js?0x3E8/view/console=yes/
http://24.52.159.40/go.js?0x3E8/view/console=yes/
http://76.16.155.218/go.js?0x3E8/view/console=yes/
http://99.237.44.207/go.js?0x3E8/view/console=yes/
http://64.150.245.105/go.js?0x3E8/view/console=yes/
http://67.242.155.202/go.js?0x3E8/view/console=yes/
http://77.127.152.181/go.js?0x3E8/view/console=yes/
http://208.126.179.18/go.js?0x3E8/view/console=yes/
http://85.64.40.13/go.js?0x3E8/view/console=yes/
http://99.148.29.132/go.js?0x3E8/view/console=yes/
http://89.139.59.144/go.js?0x3E8/view/console=yes/
http://85.64.23.98/go.js?0x3E8/view/console=yes/
http://71.255.229.171/go.js?0x3E8/view/console=yes/
http://75.66.127.60/go.js?0x3E8/view/console=yes/
http://74.77.103.98/go.js?0x3E8/view/console=yes/
http://93.172.189.248/go.js?0x3E8/view/console=yes/
http://70.121.232.23/go.js?0x3E8/view/console=yes/
http://74.220.9.223/go.js?0x3E8/view/console=yes/
http://24.167.144.143/go.js?0x3E8/view/console=yes/
http://123.203.13.156/go.js?0x3E8/view/console=yes/
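As an added example (not the author's code), here is a small Python detector that turns the two lists above, the compromised first-stage sites and the go.js redirect targets, into indicators and runs them over proxy-log lines. It keeps only a subset of the quoted URLs to stay short; the log format, the sample entries and the 192.0.2.x / 198.51.100.x placeholder addresses are constructed for this illustration and do not come from the post.

```python
import ipaddress
import re
from typing import List, Set, Tuple
from urllib.parse import urlsplit

# Subset of the redirect targets quoted in the post.
REDIRECT_URLS = [
    "http://66.199.114.246/go.js?0x3E8/view/console=yes/",
    "http://98.200.147.100/go.js?0x3E8/view/console=yes/",
    "http://123.203.13.156/go.js?0x3E8/view/console=yes/",
]

# Subset of the compromised first-stage sites quoted in the post.
COMPROMISED_SITES = [
    "http://www.mdl-job.com/243",
    "http://attheshorerealty.com/779/",
    "http://drive.dubaigatehost.com/594/",
]

# Query string shared by every redirect target in the post.
GO_JS_QUERY = "0x3E8/view/console=yes/"


def _is_bare_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def redirect_ips(urls: List[str]) -> Set[str]:
    """IPv4 literals that serve /go.js with the campaign query string.
    URLs with a hostname instead of an IP, or a different query, are skipped."""
    ips = set()
    for u in urls:
        p = urlsplit(u)
        host = p.hostname or ""
        if _is_bare_ip(host) and p.path == "/go.js" and p.query == GO_JS_QUERY:
            ips.add(host)
    return ips


def compromised_hosts(urls: List[str]) -> Set[str]:
    """Lower-cased hostnames of the first-stage (redirecting) sites."""
    return {(urlsplit(u).hostname or "").lower() for u in urls}


# Constructed proxy log (not from the post). Fields:
# <unix ts> <client> <method> <url> <status> <referer or ->
SAMPLE_LOG = """\
1256184000.101 10.0.0.12 GET http://www.mdl-job.com/243 302 http://www.facebook.com/home.php
1256184000.355 10.0.0.12 GET http://66.199.114.246/go.js?0x3E8/view/console=yes/ 200 http://www.mdl-job.com/243
1256184001.002 10.0.0.12 GET http://66.199.114.246/ 200 http://66.199.114.246/go.js?0x3E8/view/console=yes/
1256184005.900 10.0.0.33 GET http://192.0.2.10/go.js?0x3E8/view/console=yes/ 200 http://drive.dubaigatehost.com/594/
1256184007.120 10.0.0.44 GET http://192.0.2.77/go.js?v=3 200 http://attheshorerealty.com/779/
1256184008.001 10.0.0.44 GET http://198.51.100.5/update.js 200 -
1256184009.777 10.0.0.55 GET http://www.example.com/index.html 200 -
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) "
    r"(?P<status>\d{3}) (?P<referer>\S+)$"
)


def flag_log(log_text: str, ioc_ips: Set[str], ioc_sites: Set[str]) -> List[Tuple[str, str, str]]:
    """Return (client, url, reason) for each suspicious request. Rules, in order:
    1. destination host is a known redirector IP;
    2. destination is a bare IP serving /go.js with the campaign query (catches new IPs);
    3. referer is a known compromised site and destination is a bare IP
       (catches a changed path or query)."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line; skip rather than crash
        dst = urlsplit(m["url"])
        host = dst.hostname or ""
        ref_host = ""
        if m["referer"] != "-":
            ref_host = (urlsplit(m["referer"]).hostname or "").lower()
        reason = None
        if host in ioc_ips:
            reason = "known redirector IP"
        elif _is_bare_ip(host) and dst.path == "/go.js" and dst.query == GO_JS_QUERY:
            reason = "go.js with campaign query on bare IP"
        elif _is_bare_ip(host) and ref_host in ioc_sites:
            reason = "bare-IP fetch referred by compromised site"
        if reason:
            hits.append((m["client"], m["url"], reason))
    return hits


if __name__ == "__main__":
    for hit in flag_log(SAMPLE_LOG, redirect_ips(REDIRECT_URLS), compromised_hosts(COMPROMISED_SITES)):
        print(*hit)
```

Rule 2 and rule 3 are there because a static IP list goes stale quickly in a campaign like this; the structural pattern (bare IP plus the go.js resource, or a bare-IP fetch arriving from a known compromised referer) outlives any individual address. The visit to the compromised site itself is deliberately not flagged, since those are legitimate sites that will eventually be cleaned up.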


I have the rest of the JS files; if anyone is interested, drop me a line on Twitter (@okamalo).
No further investigation for now. It is 3:30 AM and I need to sleep.

2 comments:

Anonymous said...

I received the video posting on my wall from a "friend" in Jordan. How does this work? Did he actually post it to my wall?

Sammy Launius said...

Thanks for sharing. Hope you've found the material useful. I've got some more ideas in this site. I like Personnel Security