Webroot warns on political Koobface data hijack

According to Webroot, Koobface - an anagram of Facebook - has been hijacking legitimate websites for more than a year, using them not only to host malicious payload files but also as proxy command-and-control servers for the botnet.

Andrew Brandt, a senior security researcher with the firm, says that one such hijacked web domain - migdal.org.il - has been appearing in blog posts and on lists of malware-hosting domains since this past May, when the Koobface crew began using a slew of newly hijacked servers as distribution points for its malicious files.

"And since the summer, Koobface has been delivering a password stealing trojan among the several payloads it brings down to an infected computer", he said in a security blog posting yesterday evening.

The trojan's name, he says, is migdal.org.il.exe, and the stolen passwords it scrapes from infected computers are sent right back to the migdal.org.il web server, which is physically located at an ISP in the UK.

"Migdal also seems to be - if you can believe the content posted to the web site - a French/Jewish organisation that provides aid and resources to Israeli children and border guards, and whose leadership opposes many of the Israeli concessions that Palestinian negotiators have requested during the long peace process", he noted.

Have the Koobface gang gone political, or are they just capitalising on a convenient situation with an abandoned website? he asked in his security blog.

After taking a closer look at the 'Migdal' payload, Brandt says it looks like a fairly conventional password stealer in the same vein as SpyEye or Zbot, though it appears to be distinct from either of those more common Trojans.

Webroot, he says, has seen a number of these files show up as Koobface payloads in the past two months, and all the samples fall in the range of roughly 110 to 130 kilobytes.

Running the trojan on a test system, Brandt reports that the Migdal malware stole dummy passwords he had entered into FileZilla, an FTP client application.

"Logs from various system monitors indicate the trojan also searched the hard drive for other FTP clients - including Total Commander, TurboFTP and FlashFXP - and scoured the hard drive for Total Commander's wcx_ftp.ini file, which that program uses to store FTP passwords", he said.

"It also retrieved dummy passwords stored in Firefox and Internet Explorer, and searched for (but did not find) the directories for both the standard Opera installation and the Opera 9 Beta browser - something I hadn't yet observed with either SpyEye or Zbot", he added.

The Webroot researcher says that once the trojan had retrieved the passwords, it submitted them to the Migdal server with an HTTP POST, generated a batch file to delete its own executable, ran the batch file, and was gone.

So, says Brandt, not only have the hackers hijacked the server to distribute additional malware, but they are also currently using it as a dead drop for stolen credentials.
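The chain Brandt describes - reads of FTP-client and browser credential stores, a single HTTP POST to the hijacked host, then a batch file that deletes the trojan - is exactly the kind of sequence an endpoint monitor can correlate per process. The script below is an added example, not Webroot's tooling and not code from the original post: it runs that correlation over a few constructed monitor events. The pipe-separated event format, the lab paths, the POST length and the credential-store file names other than wcx_ftp.ini (FileZilla's sitemanager.xml, FlashFXP's .dat files, Firefox's signons/key3 files, Opera's wand.dat) are this example's assumptions about where those programs kept saved logins. It also goes slightly beyond the article: a process that reads a credential store without posting anywhere (FileZilla reading its own site manager) is deliberately left unflagged.

```python
"""Correlate credential-store reads, HTTP POST exfiltration and batch
self-deletion per process, as an added illustration of the Migdal stealer's
observed behaviour.

Constructed event format (assumed for this example, not any real monitor):
    <seq>|<event>|<process image>|<detail>
events: FileOpen (detail = path, logged whether or not the file exists),
        HttpPost (detail = request line), ProcessCreate (process image column
        is the PARENT, detail = child command line), FileDelete (detail = path).
"""
import re
from dataclasses import dataclass, field

# wcx_ftp.ini is named in the article; the other store locations are
# assumptions based on where these programs stored saved logins at the time.
CREDENTIAL_STORES = [
    (re.compile(r"\\wcx_ftp\.ini$", re.I), "Total Commander wcx_ftp.ini"),
    (re.compile(r"\\FileZilla\\(sitemanager|recentservers)\.xml$", re.I), "FileZilla site manager"),
    (re.compile(r"\\FlashFXP\\[^\\]+\.dat$", re.I), "FlashFXP site list"),
    (re.compile(r"\\TurboFTP\\", re.I), "TurboFTP profile directory"),
    (re.compile(r"\\Firefox\\Profiles\\[^\\]+\\(signons[^\\]*|key3\.db)$", re.I), "Firefox saved logins"),
    (re.compile(r"\\Opera\\.*\\wand\.dat$", re.I), "Opera wand.dat"),
]
POST_RE = re.compile(r"^POST\s+https?://([^/\s]+)", re.I)
BAT_RE = re.compile(r"\S+\.bat\b", re.I)


@dataclass
class ProcessReport:
    image: str
    stores_touched: list = field(default_factory=list)
    exfil_hosts: list = field(default_factory=list)
    batch_files: list = field(default_factory=list)
    self_deleted: bool = False

    def verdict(self) -> str:
        # Reading a store alone is what FTP clients and browsers do themselves;
        # the stealer pattern needs the read AND an outbound POST.
        if self.stores_touched and self.exfil_hosts:
            tag = "credential stealer"
            if self.batch_files and self.self_deleted:
                tag += " with batch self-deletion"
            return tag
        return "no stealer pattern"


def analyse(log_lines):
    """Return {process image: ProcessReport} for every process that touched a
    credential store, posted data, or spawned a batch file."""
    reports = {}

    def report(image):
        return reports.setdefault(image, ProcessReport(image))

    for line in log_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        _seq, event, image, detail = line.split("|", 3)
        if event == "FileOpen":
            for pattern, label in CREDENTIAL_STORES:
                if pattern.search(detail) and label not in report(image).stores_touched:
                    report(image).stores_touched.append(label)
        elif event == "HttpPost":
            m = POST_RE.match(detail)
            if m:
                report(image).exfil_hosts.append(m.group(1).lower())
        elif event == "ProcessCreate":
            # parent launching "cmd.exe /c <something>.bat" is the self-delete step
            m = BAT_RE.search(detail)
            if detail.lower().startswith("cmd.exe") and m:
                report(image).batch_files.append(m.group(0))
        elif event == "FileDelete":
            # the batch (via cmd.exe) removing an executable we already track
            for r in reports.values():
                if r.image.lower() == detail.lower():
                    r.self_deleted = True
    return reports


# Constructed sample: one legitimate FileZilla read, then the stealer's run.
SAMPLE_LOG = r"""
1|FileOpen|C:\Program Files\FileZilla FTP Client\filezilla.exe|C:\Users\lab\AppData\Roaming\FileZilla\sitemanager.xml
2|FileOpen|C:\Users\lab\AppData\Local\Temp\migdal.org.il.exe|C:\Users\lab\AppData\Roaming\FileZilla\sitemanager.xml
3|FileOpen|C:\Users\lab\AppData\Local\Temp\migdal.org.il.exe|C:\Program Files\totalcmd\wcx_ftp.ini
4|FileOpen|C:\Users\lab\AppData\Local\Temp\migdal.org.il.exe|C:\Users\lab\AppData\Roaming\FlashFXP\Sites.dat
5|FileOpen|C:\Users\lab\AppData\Local\Temp\migdal.org.il.exe|C:\Users\lab\AppData\Roaming\Mozilla\Firefox\Profiles\x1y2z3.default\signons.sqlite
6|FileOpen|C:\Users\lab\AppData\Local\Temp\migdal.org.il.exe|C:\Users\lab\AppData\Roaming\Opera\Opera\wand.dat
7|HttpPost|C:\Users\lab\AppData\Local\Temp\migdal.org.il.exe|POST http://migdal.org.il/ len=2048
8|ProcessCreate|C:\Users\lab\AppData\Local\Temp\migdal.org.il.exe|cmd.exe /c C:\Users\lab\AppData\Local\Temp\rm.bat
9|FileDelete|C:\Windows\System32\cmd.exe|C:\Users\lab\AppData\Local\Temp\migdal.org.il.exe
"""

if __name__ == "__main__":
    for image, rep in analyse(SAMPLE_LOG.splitlines()).items():
        print(f"{image}: {rep.verdict()}; stores={rep.stores_touched}; posts={rep.exfil_hosts}")
```

The point of keying everything on the process image is that the Opera probe (event 6) counts even though the file was never found, and the deletion in event 9 is performed by cmd.exe, not by the trojan, so it has to be matched back to the tracked executable's path rather than to the deleting process.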

"So the question remains, is the Koobface gang merely taking advantage of a long-abandoned Web server to use it as a repository for stolen credentials, or is it abusing this server in particular to discredit this self-described 'militant organisation' that supposedly distributes flak jackets to children who live within missile-strike distance of Palestinian territories?" he said.

"Who knows? It's certainly notable that the Koobface goons deliberately call attention to this particular domain name by naming the Trojan after the domain, but their motives are anyone's guess", he added.
