Koobface, a piece of malware that has wormed its way through Facebook, Twitter and other sites, made its operators more than $2 million between June 2009 and June 2010, according to a new report.
A new report has pulled the veil away from the Koobface botnet,
exposing how the operation made more than $2 million between June
2009 and June 2010.
The money-making schemes of the Koobface gang were revealed in a sweeping paper (PDF)
by Information Warfare Monitor (IWM), a joint venture backed by
researchers from the SecDev Group and the Citizen Lab in the Munk
School of Global Affairs at the University Toronto. The report,
entitled "Koobface: Inside a Crimeware Network," lays out a myriad
of information about both the botnet's infrastructure and how
its operators have turned an army of bots into millions of dollars
"Through the use of pay-per-click and pay-per-install affiliate
programs, Koobface was able to earn over US$2 million between June 2009
and June 2010 by forcing compromised computers to install malicious
software and engage in click fraud," blogged Nart Villeneuve
author of the report and chief research officer at SecDev. "This, of
course, does not occur in a vacuum but within a malware ecosystem that
sustains and monetizes botnet operations."
The data revealed in the report has been turned over to law
enforcement, and the command and control server used to send
instructions to infected machines has reportedly been taken offline
In the paper, Villeneuve wrote that IWM had discovered a URL
path on "a well-known Koobface command and control server" and had been
able to download archived copies of the command and control
infrastructure. From there, they were able to gain information about
the malware, code and database used to maintain Koobface, as well as
the gang's affiliate programs.
"The Koobface operators maintain a server known as the mothership,"
the report states. "The mothership acts as an intermediary between the
PPC (pay-per-click) and rogue security software affiliates and the
compromised victims. This server receives intercepted search queries
from victims' computers and relays this information to Koobface's PPC affiliates
From there, the affiliates provide the advertisement links that are
sent to the user, the report notes. When the user clicks on the
search results, they are sent to one of the provided advertisement
links instead of their intended destination. In addition, Koobface will
receive and display URLs to bogus antivirus software landing pages or
directly push rogue security software binaries to infected computers.
"There were considerable variations in the total amounts earned from
affiliates, although not all affiliates were active over the entire
time span," according to the report. "Overall, Koobface operators
earned roughly the same amount from rogue security software affiliates
as they did from PPC affiliates. However, the income generated from PPC
affiliates was generally stable while the income generated from rogue
security software affiliates was volatile."
Koobface was first spotted in December 2008. Since then, it has been making the rounds on many of the world's most popular social networks
including Facebook (which the malware mimics with its anagram name),
MySpace and Twitter. As the malware proliferated, the operators of the
botnet, identified in the report by the names "Ali Baba" and "40 LLC,"
took to building in countermeasures to stay a step ahead of
the security community, the report notes.
"Koobface has created a 'banlist' of IP
addresses that are forbidden from accessing Koobface servers," the
report notes. "Koobface also monitors their malware links with the
Google Safe Browsing API and checks whether their URLs have been
flagged as malicious by bit.ly or Facebook."
Additionally, Koobface's operators have created pages to monitor
statistics such as the number of malware installations and the
speed and availability of the Web servers that host their landing
pages. Koobface also checks to ensure that the most recent versions of
the malware loader and landing pages are present, and has an interface
to monitor their CAPTCHA-breaking system, according to the paper.
"Botnets require a command and control infrastructure in order to
maintain and manage a network of compromised computers," the report
notes. "Consequently, botnet operators must rent or acquire servers for
this purpose. There are a variety of crime-friendly hosting services
that are known as "bullet proof" hosting because they protect their
clients from abuse complaints and takedown requests."
"For instance, we discovered a file on a Koobface server that
contained details of two complaints made about Koobface's activities,"
the report continues. "It appears that one of Koobface's previous
hosting providers had forwarded complaints from the security community
directly to the operators of Koobface. Koobface appears to rely on at
least one crimeware host known as MiraxNetworks."
There is also evidence of collaboration between the Koobface crew
and other botnet operators. For example, Koobface has been found
spreading in connection with Bredolab,
Piptea and Meredrop, the research notes.
Botnet operators, such as those behind Koobface, do make mistakes
however, Villeneuve blogged, making information sharing and persistent
monitoring an effective way to uncover details of botnet operations.
It is important, Villeneuve blogged, "that the law enforcement
and security community continue to share information and work closely
together. An understanding of the inner workings of crimeware
networks allows law enforcement to pursue leads and the security
community to develop better defenses against malware attacks."