Researchers Take Down Koobface Servers
Security researchers, working with law enforcement and Internet service providers, have disrupted the brains of the Koobface botnet.
Late Friday afternoon, Pacific Time, the computer identified as the command-and-control server used to send instructions to infected Koobface machines was offline. According to Nart Villeneuve the chief research officer with SecDev Group, the server was one of three Koobface systems taken offline Friday by Coreix, a U.K. Internet service provider. "Those are all on the same network, and they're all inaccessible right now," Villeneuve said Friday evening.
Coreix took down the servers after researchers contacted U.K. law enforcement, Villeneuve said. The company could not be reached immediately for comment.
The takedown will disrupt Koobface for a time, but for any real effect, much more will have to happen. Machines that are infected by Koobface connect to intermediary servers -- typically Web servers that have had their FTP credentials compromised -- that then redirect them to the now-downed command and control servers.
Friday's takedown is part of a larger operation that first started two weeks ago. Villeneuve and his team have notified the ISPs about the compromised FTP accounts, and they've also tipped off Facebook and Google to hundreds of thousands of Koobface-operated accounts.
The Facebook accounts are used to lure victims to Google Blogspot pages, which in turn redirect them to Web servers that contain the malicious Koobface code. Victims are usually promised some interesting video on a page designed to look like YouTube. But first they must download special video software. That software is actually Koobface.
Koobface includes several components, including worm software that automatically tries to infect Facebook friends of the victims, and botnet code that gives the hackers remote control of the infected computer.
Koobface has turned out to be a pretty lucrative business since it first popped up on Facebook in July 2008. In a report published Friday, Villeneuve says that the botnet made more than US$2 million between June 2009 and June 2010.
Researchers found data stored on another central server, called "the mothership" used by the Koobface gang to keep track of accounts. This server sent daily text messages to four Russian mobile numbers each day, reporting the botnet's daily earnings totals. Revenue ranged from a loss of $1,014.11 on Jan. 15 of this year to a profit of $19,928.53 on March 23.
Payments were made to Koobface's operators through the Paymer payment service, similar to eBay's PayPal.
The gang's creators would use their hacked computers to register more Gmail, Blogspot and Facebook accounts and steal FTP (File Transfer Protocol) passwords. They also messed up their victims' search results to trick them into clicking on online ads, generating referral money from advertising companies. More cash came from fake antivirus software that Koobface can sneak onto victims' PCs.
Almost exactly half of Koobface's income -- just over $1 million [m] -- came from the fake antivirus software. The other half came from online advertising fees.
Villeneuve doesn't identify the Koobface gang in the report, but he thinks that at least one of the members lives in St. Petersburg.
Interestingly, Koobface's operators could have caused more damage. They could have broken into online bank accounts, or stolen passwords or credit card numbers, but they didn't.
"The Koobface gang had a certain charm and ethical restraint," the report sates. "They communicated with security researchers about their intents and their desire not to do major harm. They limited their crimes to petty fraud, albeit massive in scale and scope. But the scary part is that they could have easily done otherwise."
They may not be so friendly with researchers from now on, however.
Villeneuve has handed over information to the Royal Canadian Mounted Police, the U.S. Federal Bureau of Investigation, and U.K. authorities. And the researchers have also notified Facebook, Google and various ISPs about the fraudulent and compromised accounts. They have identified 20,000 fake Facebook accounts; 500,000 fake Gmail and Blogspot accounts, and thousands of compromised FTP accounts used by the gang.
They hope that these activities will disrupt the botnet's operations, but Villeneuve has no illusions about Koobface being stopped. "I think that they'll probably start up pretty soon, and they'll probably try to recover as many of their bots as soon as they can," he said.