Koobface server taken down
A UK internet service provider (ISP) has taken the Koobface social networking botnet's command-and-control server offline after security specialists from the SecDev Group informed the UK investigative authorities about the server. While this will temporarily obstruct the botnet, it doesn't mean that the individuals behind Koobface have been neutralised. It's probably only a matter of time until the infected computers are redirected to a new server.
According to an analysis by Canadian security firm SecDev, Koobface (an anagram of Facebook) is mainly propagated via social networks. There, it sends links to web sites that will infect users' computers with malware. The botnet operators earn money by making the hijacked PCs click on online ads or links to download scareware. Although every click only does minimal damage, cumulatively the botnet is extremely effective for its operators.
The Koobface protagonists deliberately try to distance themselves from "bad trojans" such as ZeuS: "Our software did not ever steal credit card or online bank information, passwords or any other confidential data. And will not ever", they say. However, they have nevertheless harvested passwords for email, Facebook and IM accounts.
The Koobface business model with its innumerable minute transactions protects the criminals behind the botnet from becoming major prosecution targets. The financial damage incurred in each case is only very small, although the vast number of cases overall does produce large sums. According to an analysis by SecDev, the Koobface protagonists earn about $2 million per year.
However, the police and public prosecutors often have a hard time trying to identify actual offences or cases of loss that would justify the investigation effort required to prosecute those responsible. Furthermore, the business operates on a multi-national level, which creates the need for time-consuming mutual assistance requests. SecDev said "We were [therefore] not surprised that there has been no arrest or prosecution [in the Koobface case]".
The operation against Koobface had already been in progress on several levels for two weeks: the SecDev team led by Nart Villeneuve informed ISPs about compromised FTP accounts and told Facebook and Google about several hundred thousand accounts that are operated by Koobface. However, this won't be the end of the botnet. "Koobface will surely live to see another day as long as the individuals behind it roam free", suspects Villeneuve.
- Koobface variant as a trojan for Mac OS X, a report from The H.
- A message from the Koobface gang, a report from The H.
- Microsoft helps Facebook administer a worming, a report from The H.