Researchers Take Down Koobface Servers
Researchers have taken down the command and control servers used by the Koobface botnet.
Sat, November 13, 2010
IDG News Service — Security researchers, working with law enforcement and Internet service providers, have disrupted the brains of the Koobface botnet.
Late Friday afternoon, Pacific Time, the computer identified as the command-and-control server used to send instructions to infected Koobface machines was offline. According to Nart Villeneuve the chief research officer with SecDev Group, the server was one of three Koobface systems taken offline Friday by Coreix, a U.K. Internet service provider. "Those are all on the same network, and they're all inaccessible right now," Villeneuve said Friday evening.
Coreix took down the servers after researchers contacted U.K. law enforcement, Villeneuve said. The company could not be reached immediately for comment.
The takedown will disrupt Koobface for a time, but for any real effect, much more will have to happen. Machines that are infected by Koobface connect to intermediary servers -- typically Web servers that have had their FTP credentials compromised -- that then redirect them to the now-downed command and control servers.
Friday's takedown is part of a larger operation that first started two weeks ago. Villeneuve and his team have notified the ISPs about the compromised FTP accounts, and they've also tipped off Facebook and Google (GOOG) to hundreds of thousands of Koobface-operated accounts.
The Facebook accounts are used to lure victims to Google Blogspot pages, which in turn redirect them to Web servers that contain the malicious Koobface code. Victims are usually promised some interesting video on a page designed to look like YouTube. But first they must download special video software. That software is actually Koobface.
Koobface includes several components, including worm software that automatically tries to infect Facebook friends of the victims, and botnet code that gives the hackers remote control of the infected computer.
Koobface has turned out to be a pretty lucrative business since it first popped up on Facebook in July 2008. In a report published Friday, Villeneuve says that the botnet made more than US$2 million between June 2009 and June 2010.
Researchers found data stored on another central server, called "the mothership" used by the Koobface gang to keep track of accounts. This server sent daily text messages to four Russian mobile numbers each day, reporting the botnet's daily earnings totals. Revenue ranged from a loss of $1,014.11 on Jan. 15 of this year to a profit of $19,928.53 on March 23.
Payments were made to Koobface's operators through the Paymer payment service, similar to eBay's (EBAY) PayPal.
The gang's creators would use their hacked computers to register more Gmail, Blogspot and Facebook accounts and steal FTP (File Transfer Protocol) passwords. They also messed up their victims' search results to trick them into clicking on online ads, generating referral money from advertising companies. More cash came from fake antivirus software that Koobface can sneak onto victims' PCs.