KOOBFACE Gang Now Tracking Visitors

Fake YouTube pages are a distinctive characteristic of the KOOBFACE bot. These pages are used as lure to convince prospective victims to install the “codec” needed to play a video, in this case, supposedly from a “hidden camera.”

These fake YouTube pages at one time included the KOOBFACE gang’s reactions to their list of nefarious activities as released by Dancho Danchev.

A few days ago, these pages started to include a short JavaScript code, which enables the KOOBFACE gang to directly monitor page hits. The tracking code is located at the very bottom of the page, which was pushed way below by a lot of <br> tags.

The tracking code uses a hit counter Web service. According to the information gleaned from the hit count page, the KOOBFACE gang started to use this tracking method beginning July 28, 2010.

Trendlabs Malware Blog

Leave a Reply