11:29 AM

Researchers Down Koobface Botnet

Three of the malware's command-and-control servers were taken offline, hindering its click-fraud network.

Researchers at the Information Warfare Monitor project -- a collaboration between Canadian security firm SecDev and the University of Toronto's Citizen Lab -- over the weekend helped take down three of the command-and-control servers, aka motherships, responsible for the Koobface botnet.

The takedown comes on the heels of a report, released Friday by Nart Villeneuve, chief research officer at SecDev, that details Koobface's inner workings. Much of the information was gathered after Villeneuve infiltrated one of the servers that relayed the botnet's financial information via SMS to four phone numbers in Russia.

Obviously, Villeneuve's research wasn't just academic. According to news reports, Information Warfare Monitor researchers worked with United Kingdom Internet service provider Coreix over the weekend to deactivate three Koobface command-and-control servers.

Koobface uses social networks to send malicious links, ostensibly from someone the recipient knows. "These links redirect users to false YouTube pages that encourage users to download malicious software masquerading as a video codec or a software upgrade," said Villeneuve.

What happens next looks a lot like an advertising affiliate program, except with a criminal component. Villeneuve found that "through the use of pay-per-click and pay-per-install affiliate programs, Koobface was able to earn over U.S. $2 million between June 2009 and June 2010 by forcing compromised computers to install malicious software and engage in click fraud." Click fraud is the practice of making compromised computers automatically "click" on advertising links to inflate the revenue paid to the affiliates serving those ads.

As befits a "pay per click" model, Koobface's minders pay close attention to the status of the malware. "The operators of Koobface are employing technical countermeasures to ensure that the operations of the botnet remain undisrupted," said Villeneuve. "The operators regularly monitor their malicious links to ensure that they have not been flagged as malicious." They also actively block certain IP addresses -- for example, belonging to security researchers or antivirus firms -- from accessing the command-and-control servers.

Villeneuve said he published his Koobface findings in large measure to assist law enforcement agencies in their pursuit of botnets. "An understanding of the inner workings of crimeware networks allows law enforcement to pursue leads and the security community to develop better defenses against malware attacks."

But will the removal of three Koobface motherships have an effect on the botnet's efficacy? Notably, the recent Bredolab botnet takedown appeared to slow, but not eradicate, that botnet.
