    July 31, 2010


    Koobface ate my mom's PC, beware the ugly face that is Koobface!

    Here is some info from a packet capture session on my mother's PC. Do not go to this site; it is part of the Koobface worm/botnet and is merely here as info to look for on your own network. The funny thing is, this traffic was going on in the background on her machine with NO browsers open or running and no programs accessing the internet. I had Wireshark and TCPView running to keep track of things, and this is only one of a bunch of sites the machine was continually accessing in the background. Even after cleaning her machine of all known infections, it continued to exhibit this sort of traffic.

    Be warned: anything infected with Koobface most likely has a lot more than just the Koob looking at your files and network. Format and reinstall, but by all means, get disconnected as soon as you see anything like this:


    GET /cZo1wSpx8X3Q9ko4Y2xrPTEuNyZiaWQ9N2Y2YzI3NjVkMWIxMTdlYmE5Y2YxNjRmOTlmNjRhNDI0ZWQ0NDg0NSZhaWQ9MjA3ODcmc2lkPTAmcmQ9MTI3OTY4Mjc3OA==07x HTTP/1.1
    Accept-Language: en-us
    User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
    Host: z0g7ya1i0.com
    Cache-Control: no-cache

    HTTP/1.1 200 OK
    Server: nginx/0.7.62
    Date: Fri, 30 Jul 2010 16:06:17 GMT
    Content-Type: text/html
    Connection: close
    X-Powered-By: PHP/5.2.10-2ubuntu6.4
    Content-Length: 312

    http://94.228.209.202/CAy2EJUd824QrRc719dd28d2f2272b521fbc72f78842239436h|http://datarecords.com/search.php|3|300
    http://94.228.209.202/DKW4eBfE5L3yNHC773c33a5462b3d3106ebcdd7149d6962605A|http://centreparcs.com/search.php|3|300
    http://94.228.209.202/oa447lOP6B5xEzO9299a283d0978a6427b3ea57d162eec1616x||3|300
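    To make the capture above usable as a check on traffic from your own network, here is an added example (Python written for this page, not code from the original post). It takes the host, request path and response body copied from the capture, recovers the key=value pairs hidden inside the base64 of the request path, splits the pipe-delimited response into records, and names which of the post's indicators a captured exchange matches. The Record field names and the finding labels are assumptions made here; the post does not say what the two trailing numbers on each response line mean.

```python
import base64
import binascii
import re
from typing import List, NamedTuple, Optional

CAPTURED_HOST = "z0g7ya1i0.com"  # host, path and body are copied from the post's capture
CAPTURED_PATH = ("/cZo1wSpx8X3Q9ko4Y2xrPTEuNyZiaWQ9N2Y2YzI3NjVkMWIxMTdlYmE5Y2YxN"
                 "jRmOTlmNjRhNDI0ZWQ0NDg0NSZhaWQ9MjA3ODcmc2lkPTAmcmQ9MTI3OTY4Mjc3OA==07x")
CAPTURED_BODY = (
    "http://94.228.209.202/CAy2EJUd824QrRc719dd28d2f2272b521fbc72f78842239436h"
    "|http://datarecords.com/search.php|3|300\n"
    "http://94.228.209.202/DKW4eBfE5L3yNHC773c33a5462b3d3106ebcdd7149d6962605A"
    "|http://centreparcs.com/search.php|3|300\n"
    "http://94.228.209.202/oa447lOP6B5xEzO9299a283d0978a6427b3ea57d162eec1616x||3|300\n")
B64_RUN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")  # a base64-looking run inside a path segment

def extract_beacon_params(path: str) -> Optional[dict]:
    """Return the key=value pairs hidden in the path's base64, or None. The captured path
    wraps the real base64 in junk on both sides, so every start offset in a run is tried."""
    for segment in path.split("/"):
        for run in B64_RUN.finditer(segment):
            text = run.group(0)
            for start in range(len(text)):
                try:
                    raw = base64.b64decode(text[start:], validate=True)
                except (binascii.Error, ValueError):
                    continue  # misaligned or badly padded candidate
                if not raw.isascii() or not raw.decode().isprintable():
                    continue  # a shifted base64 start decodes to binary garbage
                pairs = raw.decode().split("&")
                if len(pairs) > 1 and all("=" in p for p in pairs):
                    return dict(p.split("=", 1) for p in pairs)
    return None

class Record(NamedTuple):
    url: str     # a file on the 94.228.209.202 host
    site: str    # a search.php page, empty on the capture's last line
    field3: str  # the post does not say what the two trailing numbers mean
    field4: str

def parse_records(body: str) -> List[Record]:
    """Split the pipe-delimited response body into 4-field records, skipping other lines."""
    return [Record(*line.split("|")) for line in body.splitlines() if line.count("|") == 3]

def flag_capture(host: str, path: str, body: str) -> List[str]:
    """Name the indicators from the post that a captured HTTP exchange matches."""
    checks = [(host.lower() == CAPTURED_HOST, "host seen in the Koobface capture"),
              (extract_beacon_params(path) is not None, "base64 key=value beacon in path"),
              (bool(parse_records(body)), "pipe-delimited URL list in response")]
    return [label for hit, label in checks if hit]
```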

    One sneaky thing that I happened to see was that whatever or whoever was taking over her machine was able to hijack my Teamviewer connection and do a MITM on our Teamviewer session. Initially TCPView showed my IP and my mother's IP in connection. At one point I got disconnected several times, and when I finally got back in, the IP address had changed to an IP address in Germany. I even disconnected and had my mother restart Teamviewer while I was off, and it showed someone else connect again, but they didn't do anything with the session other than, I assume, just watch what we were doing to monitor the situation. At that point, I had her shut down the machine and drive it to my place, where I updated a new machine for her and copied over her important docs from the old machine. I haven’t nuked it yet, just in case I want to analyze it further, but it had its hooks in so far that you couldn’t even google for the phrase “windowsupdate” without it dropping the connection. If I googled for microsoft.com, it worked fine, but as soon as we changed it to “windowsupdate” it would act as if it went offline.

    This also happened trying to reach the Microsoft update site itself, and even when I would do a whois for update.microsoft.com. A whois for microsoft.com worked fine, but if I added a whois for windowsupdate.microsoft.com, the web page would time out. Doing the same tests from my machine worked fine, and I could reach the Windows Update site just fine, so whatever it was that got its teeth into her box was one nasty infection, and not worth the effort to try and clean it. I think this is probably one of the worst infections I have ever come across; even for a rootkit, it had itself hooked in so deep that there weren’t any signs of anything other than the redirecting of traffic on her system.

    She also doesn’t have a router, so they didn’t manage to hijack her DNS that way; it was done internally to Windows somehow. My fear is that they somehow got into her Surfboard modem through an unpublished flaw, because it’s known that Motorola modems can be flashed with custom firmware; how they would do that, though, I don’t know. Even manually setting her up with OpenDNS did not seem to stop the hijacking of her traffic. Searches would redirect her, pages she clicked on went somewhere else, all while doing this without any other exes showing. They were somehow injected directly into the existing exes running like any other normal session. I imagine they may have even used the new lnk vuln, but I wasn’t able to find any indication that was how they managed to get in.
