Koobface Botnet Revisited
An anagram of Facebook, Koobface has remained one of the successful pieces of malware to target social networks.
First appearing in 2008, Koobface has targeted users of Facebook, MySpace, Hi5, Twitter and other networks. In a new paper, Trend Micro has taken another look at the Koobface botnet (PDF) and some of the changes it has made as it evolved.
Among the major changes to the botnet chronicled by Trend Micro:
1. Using proxy command-and-control (C&C) servers
2. Encrypting the gang members' C&C communications
3. Banning IP addresses from repeatedly accessing KOOBFACE-controlled sites
4. Introducing new binary components
5. Employing several layers of binary protection with the use of more complex packers
"These changes pose a greater challenge to security researchers in reverse-engineering existing Koobface binaries and in monitoring the gang members' C&C communications," blogged Jonell Baltazar, an advanced threats researcher at Trend. "Though the changes the gang has made to their botnet have made it interesting, someone has to put a stop to their malicious schemes and put the perpetrators where they belong--behind bars."
Those interested in the minds behind Koobface can read an interesting list of "10 things you didn't know about the Koobface gang" compiled by ZDNet's Dancho Danchev.