Researchers Down Koobface Botnet

Three of the malware's command-and-control servers were taken offline, hindering its click-fraud network.

Mathew Schwartz

November 15, 2010

2 Min Read
Network Computing logo

How Firesheep Can Hijack Web Sessions

How Firesheep Can Hijack Web Sessions

(click image for larger view)
Slideshow: How Firesheep Can Hijack Web Sessions

Researchers at the Information Warfare Monitor project -- a collaboration between Canadian security firm SecDev and the University of Toronto's Citizen Lab -- over the weekend helped take down three of the command-and-control servers, aka motherships, responsible for the Koobface botnet.

The takedown comes on the heels of a report, released Friday by Nart Villeneuve, chief research officer for SecDev, which detailed Koobface's inner workings. Much of the information was gleaned after Villeneuve infiltrated one of the servers communicating the botnet's financial-related information via SMS to four phone numbers in Russia.

Obviously, Villeneuve's research wasn't just academic. According to news reports, Information Warfare Monitor researchers worked with United Kingdom Internet service provider Coreix over the weekend to deactivate three Koobface command-and-control servers.

Koobface uses social networks to send malicious links, ostensibly from someone the recipient knows. "These links redirect users to false YouTube pages that encourage users to download malicious software masquerading as a video codec or a software upgrade," said Villeneuve.

What happens next looks a lot like an advertising affiliate program, except with a criminal component. Based on Villeneuve's research, he found that "through the use of pay-per-click and pay-per-install affiliate programs, Koobface was able to earn over U.S. $2 million between June 2009 and June 2010 by forcing compromised computers to install malicious software and engage in click fraud." Click fraud is the practice of forcing computers to automatically "click" on advertising links to inflate revenue for affiliates serving the ads.

As befits a "pay per click" model, Koobface's minders pay close attention to the status of the malware. "The operators of Koobface are employing technical countermeasures to ensure that the operations of the botnet remain undisrupted," said Villeneuve. "The operators regularly monitor their malicious links to ensure that they have not been flagged as malicious." They also actively block certain IP addresses -- for example, belonging to security researchers or antivirus firms -- from accessing the command-and-control servers.

Villeneueve said he published his Koobface findings in large measure to assist law enforcement agencies in their pursuit of botnets. "An understanding of the inner workings of crimeware networks allows law enforcement to pursue leads and the security community to develop better defenses against malware attacks."

But will the removal of three Koobface motherships have an effect on the botnet's efficacy? Notably, the recent Bredolab botnet takedown appeared to slow, but not eradicate, that botnet.

About the Author(s)

Stay informed! Sign up to get expert advice and insight delivered direct to your inbox

You May Also Like

More Insights