The operators of the Koobface botnet added a mechanism to monitor and drive Internet traffic through various affiliate sites to increase their clickthrough revenue.
The group behind the Koobface
is back, and they are reinventing themselves to take advantage of pay-per-click
advertising, according to Trend Micro.
The Koobface developers
updated their botnet framework with a "sophisticated" traffic-direction
system (TDS) that handles traffic referenced to their affiliate sites, Trend
Micro researchers reported Dec. 19. They've also added components to help
increase the amount of Internet traffic, "which translates to even bigger
profit," Jonell Baltazar, senior threat researcher at Trend Micro, wrote
on the company's Malware Blog.
It appears that the TDS may
also be offered as a service to others, according to Trend Micro.
The TDS reroutes traffic to
advertising sites from which they earn referral money or to several of their
affiliate sites. Websites relying on referrals from advertising and affiliate
sites earn more money when overall Internet traffic to their sites increases,
according to Baltazar.
"TDS creation definitely
provided the Koobface gang a means to more efficiently target celebrity fans,
online daters, casual porn surfers and car enthusiasts," said Baltazar.
The group created and
registered email addresses using Yahoo's free Webmail service, according to
Trend Micro. With these email addresses, they could then generate new accounts
on Google and various social-networking sites, such as Twitter, Tumblr and
Blogger. The domains for the various blogs contained words such as
"news" or "2011 news," and contained blog posts with
pictures of celebrities, weddings, tattoos and cars culled from Google's image
search, according to Trend Micro.
Links to these posts were
shared on various social networks to encourage people to click and view the
fake blog content. TDS tracks the number of visits coming from various links
around the Web and redirects users to other affiliate sites. The botnet makes
money from the clicks victims make while browsing, as well as from the total
traffic generated, according to Baltazar.
The Koobface gang also
actively spread related keywords on the Web to promote the blog posts.
"The Koobface gang is
clearly still up to no good and will most probably continue victimizing
users," Baltazar said.
The group is thought to have
made more than $2 million between June 2009 and June 2010 through pay-per-click
and pay-per-install affiliate programs pushing fake antivirus software onto
unsuspecting users, according to Information
, a joint venture backed by researchers from the SecDev
Group and the Citizen Lab in the Munk School of Global Affairs at the
When unsuspecting users clicked
on a Koobface link, they were redirected to one of the provided advertisement
links instead of their intended destination, IWM researchers wrote in their
whitepaper last fall.
Koobface was first spotted
in December 2008, and has been making the rounds on Facebook, MySpace and
Twitter. As the malware proliferated, the operators of the botnet kept building
new countermeasures to stay a step ahead of security researchers; these
measures included a "banlist" of IP addresses that are forbidden from accessing
Koobface servers and a tool to ensure the most updated versions of the malware
was running. The operators also monitored their links with the Google Safe
Browsing API to check whether the URLs have been flagged as being malicious,
and collected statistics such as the number of malware installations and the
speed and availability of the Web servers hosting their landing pages, IMW found.