In association with heise online

18 May 2010, 17:32

A message from the Koobface gang


The group behind the Koobface botnet has responded to an article by security specialist Dancho Danchev with a message embedded in the HTML code it uses to distribute fake video codecs. In February, Danchev published a number of suppositions about the group's modus operandi, its connections to other criminals and its motives in an article entitled "10 things you didn't know about the Koobface gang".

Koobface (an anagram of Facebook) has been around since mid 2008 and spreads via infected home computers, often as a fake Flash Player. The bots function as servers for malware and have been implicated in scareware distribution. Koobface spreads links to these computers via Facebook messages and suchlike.

In his article, Danchev points to a possible connection between Koobface and the click-fraud botnet Bahama. The response from putative Koobface boss 'Ali Baba' is "No connection". Danchev also mocked the group for using a demo version of Hypersnap to generate a screenshot for embedding in a fake YouTube page, despite the revenue their activities are assumed to have generated. Ali Baba responds, "What's reason to buy software just for one screenshot?"

The Koobface head honcho also rejects Danchev's supposition that Koobface was connected to infected banner ads on the online version of the New York Times in September 2009. The group behind the attacks succeeded in inserting banner ads into the newspaper's advertising network, which were then displayed when users visited the web site. Visitors to the web site were sporadically served scareware messages.

The group does, however, admit to having been involved in manipulating hundreds of thousands of web sites as part of a scareware campaign in 2009. Danchev's speculation that the Koobface group receives revenues from the 'Crusade Affiliates' scareware network prompts a surprising response, "Maybe. not 100% sure".

(crve)

Permalink: http://h-online.com/-1002518