Close
  • Latest News
  • Artificial Intelligence
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Logo
Logo
  • Latest News
  • Artificial Intelligence
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Applications
    • Applications
    • Cybersecurity
    • IT Management
    • Networking

    How the Koobface Botnet Made $2 Million in a Year

    By
    Brian Prince
    -
    November 13, 2010
    Share
    Facebook
    Twitter
    Linkedin

      A new report has pulled the veil away from the Koobface botnet, exposing how the operation made more than $2 million between June 2009 and June 2010.

      The money-making schemes of the Koobface gang were revealed in a sweeping paper (PDF) released by Information Warfare Monitor (IWM), a joint venture backed by researchers from the SecDev Group and the Citizen Lab in the Munk School of Global Affairs at the University Toronto. The report, entitled “Koobface: Inside a Crimeware Network,” lays out a myriad of information about both the botnet’s infrastructure and how its operators have turned an army of bots into millions of dollars.

      “Through the use of pay-per-click and pay-per-install affiliate programs, Koobface was able to earn over US$2 million between June 2009 and June 2010 by forcing compromised computers to install malicious software and engage in click fraud,” blogged Nart Villeneuve, author of the report and chief research officer at SecDev. “This, of course, does not occur in a vacuum but within a malware ecosystem that sustains and monetizes botnet operations.”

      The data revealed in the report has been turned over to law enforcement, and the command and control server used to send instructions to infected machines has reportedly been taken offline.

      In the paper, Villeneuve wrote that IWM had discovered a URL path on “a well-known Koobface command and control server” and had been able to download archived copies of the command and control infrastructure. From there, they were able to gain information about the malware, code and database used to maintain Koobface, as well as the gang’s affiliate programs.

      “The Koobface operators maintain a server known as the mothership,” the report states. “The mothership acts as an intermediary between the PPC (pay-per-click) and rogue security software affiliates and the compromised victims. This server receives intercepted search queries from victims’ computers and relays this information to Koobface’s PPC affiliates.”

      From there, the affiliates provide the advertisement links that are sent to the user, the report notes. When the user clicks on the search results, they are sent to one of the provided advertisement links instead of their intended destination. In addition, Koobface will receive and display URLs to bogus antivirus software landing pages or directly push rogue security software binaries to infected computers.

      “There were considerable variations in the total amounts earned from affiliates, although not all affiliates were active over the entire time span,” according to the report. “Overall, Koobface operators earned roughly the same amount from rogue security software affiliates as they did from PPC affiliates. However, the income generated from PPC affiliates was generally stable while the income generated from rogue security software affiliates was volatile.”

      Koobface was first spotted in December 2008. Since then, it has been making the rounds on many of the world’s most popular social networks, including Facebook (which the malware mimics with its anagram name), MySpace and Twitter. As the malware proliferated, the operators of the botnet, identified in the report by the names “Ali Baba” and “40 LLC,” took to building in countermeasures to stay a step ahead of the security community, the report notes.

      “Koobface has created a ‘banlist’ of IP addresses that are forbidden from accessing Koobface servers,” the report notes. “Koobface also monitors their malware links with the Google Safe Browsing API and checks whether their URLs have been flagged as malicious by bit.ly or Facebook.”

      Additionally, Koobface’s operators have created pages to monitor statistics such as the number of malware installations and the speed and availability of the Web servers that host their landing pages. Koobface also checks to ensure that the most recent versions of the malware loader and landing pages are present, and has an interface to monitor their CAPTCHA-breaking system, according to the paper.

      “Botnets require a command and control infrastructure in order to maintain and manage a network of compromised computers,” the report notes. “Consequently, botnet operators must rent or acquire servers for this purpose. There are a variety of crime-friendly hosting services that are known as “bullet proof” hosting because they protect their clients from abuse complaints and takedown requests.”

      “For instance, we discovered a file on a Koobface server that contained details of two complaints made about Koobface’s activities,” the report continues. “It appears that one of Koobface’s previous hosting providers had forwarded complaints from the security community directly to the operators of Koobface. Koobface appears to rely on at least one crimeware host known as MiraxNetworks.”

      There is also evidence of collaboration between the Koobface crew and other botnet operators. For example, Koobface has been found spreading in connection with Bredolab, Piptea and Meredrop, the research notes.

      Botnet operators, such as those behind Koobface, do make mistakes however, Villeneuve blogged, making information sharing and persistent monitoring an effective way to uncover details of botnet operations.

      It is important, Villeneuve blogged, “that the law enforcement and security community continue to share information and work closely together. An understanding of the inner workings of crimeware networks allows law enforcement to pursue leads and the security community to develop better defenses against malware attacks.”

      Brian Prince
      Get the Free Newsletter!
      Subscribe to Daily Tech Insider for top news, trends & analysis
      This email address is invalid.
      Get the Free Newsletter!
      Subscribe to Daily Tech Insider for top news, trends & analysis
      This email address is invalid.

      MOST POPULAR ARTICLES

      Latest News

      Zeus Kerravala on Networking: Multicloud, 5G, and...

      James Maguire - December 16, 2022 0
      I spoke with Zeus Kerravala, industry analyst at ZK Research, about the rapid changes in enterprise networking, as tech advances and digital transformation prompt...
      Read more
      Applications

      Datadog President Amit Agarwal on Trends in...

      James Maguire - November 11, 2022 0
      I spoke with Amit Agarwal, President of Datadog, about infrastructure observability, from current trends to key challenges to the future of this rapidly growing...
      Read more
      Cloud

      IGEL CEO Jed Ayres on Edge and...

      James Maguire - June 14, 2022 0
      I spoke with Jed Ayres, CEO of IGEL, about the endpoint sector, and an open source OS for the cloud; we also spoke about...
      Read more
      Applications

      Kyndryl’s Nicolas Sekkaki on Handling AI and...

      James Maguire - November 9, 2022 0
      I spoke with Nicolas Sekkaki, Group Practice Leader for Applications, Data and AI at Kyndryl, about how companies can boost both their AI and...
      Read more
      IT Management

      Intuit’s Nhung Ho on AI for the...

      James Maguire - May 13, 2022 0
      I spoke with Nhung Ho, Vice President of AI at Intuit, about adoption of AI in the small and medium-sized business market, and how...
      Read more
      Logo

      eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site’s focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Advertisers

      Advertise with TechnologyAdvice on eWeek and our other IT-focused platforms.

      Advertise with Us

      Menu

      • About eWeek
      • Subscribe to our Newsletter
      • Latest News

      Our Brands

      • Privacy Policy
      • Terms
      • About
      • Contact
      • Advertise
      • Sitemap
      • California – Do Not Sell My Information

      Property of TechnologyAdvice.
      © 2022 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×