How the Koobface Botnet Made $2 Million in a Year

Koobface, a piece of malware that has wormed its way through Facebook, Twitter and other sites, made its operators more than $2 million between June 2009 and June 2010, according to a new report.

A new report has pulled the veil away from the Koobface botnet, exposing how the operation made more than $2 million between June 2009 and June 2010.

The money-making schemes of the Koobface gang were revealed in a sweeping paper (PDF) released by Information Warfare Monitor (IWM), a joint venture backed by researchers from the SecDev Group and the Citizen Lab in the Munk School of Global Affairs at the University Toronto. The report, entitled "Koobface: Inside a Crimeware Network," lays out a myriad of information about both the botnet's infrastructure and how its operators have turned an army of bots into millions of dollars.

"Through the use of pay-per-click and pay-per-install affiliate programs, Koobface was able to earn over US$2 million between June 2009 and June 2010 by forcing compromised computers to install malicious software and engage in click fraud," blogged Nart Villeneuve, author of the report and chief research officer at SecDev. "This, of course, does not occur in a vacuum but within a malware ecosystem that sustains and monetizes botnet operations."

The data revealed in the report has been turned over to law enforcement, and the command and control server used to send instructions to infected machines has reportedly been taken offline.

In the paper, Villeneuve wrote that IWM had discovered a URL path on "a well-known Koobface command and control server" and had been able to download archived copies of the command and control infrastructure. From there, they were able to gain information about the malware, code and database used to maintain Koobface, as well as the gang's affiliate programs.

"The Koobface operators maintain a server known as the mothership," the report states. "The mothership acts as an intermediary between the PPC (pay-per-click) and rogue security software affiliates and the compromised victims. This server receives intercepted search queries from victims' computers and relays this information to Koobface's PPC affiliates."

From there, the affiliates provide the advertisement links that are sent to the user, the report notes. When the user clicks on the search results, they are sent to one of the provided advertisement links instead of their intended destination. In addition, Koobface will receive and display URLs to bogus antivirus software landing pages or directly push rogue security software binaries to infected computers.

"There were considerable variations in the total amounts earned from affiliates, although not all affiliates were active over the entire time span," according to the report. "Overall, Koobface operators earned roughly the same amount from rogue security software affiliates as they did from PPC affiliates. However, the income generated from PPC affiliates was generally stable while the income generated from rogue security software affiliates was volatile."

Koobface was first spotted in December 2008. Since then, it has been making the rounds on many of the world's most popular social networks, including Facebook (which the malware mimics with its anagram name), MySpace and Twitter. As the malware proliferated, the operators of the botnet, identified in the report by the names "Ali Baba" and "40 LLC," took to building in countermeasures to stay a step ahead of the security community, the report notes.

"Koobface has created a 'banlist' of IP addresses that are forbidden from accessing Koobface servers," the report notes. "Koobface also monitors their malware links with the Google Safe Browsing API and checks whether their URLs have been flagged as malicious by or Facebook."

Additionally, Koobface's operators have created pages to monitor statistics such as the number of malware installations and the speed and availability of the Web servers that host their landing pages. Koobface also checks to ensure that the most recent versions of the malware loader and landing pages are present, and has an interface to monitor their CAPTCHA-breaking system, according to the paper.

"Botnets require a command and control infrastructure in order to maintain and manage a network of compromised computers," the report notes. "Consequently, botnet operators must rent or acquire servers for this purpose. There are a variety of crime-friendly hosting services that are known as "bullet proof" hosting because they protect their clients from abuse complaints and takedown requests."

"For instance, we discovered a file on a Koobface server that contained details of two complaints made about Koobface's activities," the report continues. "It appears that one of Koobface's previous hosting providers had forwarded complaints from the security community directly to the operators of Koobface. Koobface appears to rely on at least one crimeware host known as MiraxNetworks."

There is also evidence of collaboration between the Koobface crew and other botnet operators. For example, Koobface has been found spreading in connection with Bredolab, Piptea and Meredrop, the research notes.

Botnet operators, such as those behind Koobface, do make mistakes however, Villeneuve blogged, making information sharing and persistent monitoring an effective way to uncover details of botnet operations.

It is important, Villeneuve blogged, "that the law enforcement and security community continue to share information and work closely together. An understanding of the inner workings of crimeware networks allows law enforcement to pursue leads and the security community to develop better defenses against malware attacks."