The crew behind the Koobface worm, who have been quite open about their exploits and financial gains from their work in the past, now seem to be ducking underground as pressure is building on them in the wake of exposures of their operation and real identities. The command-and-control server used to run the Koobface botnet, known as the Mothership, is now offline and new infections seem to have dropped off, experts say.
Several reports this week have named the alleged operators of the Koobface botnet as a small group of Russian men living in and around St. Petersburg. The identities of the men have been known to security researchers tracking Koobface for some time now, and the researchers have had a good handle on how the group operates, makes its money and infects users, as well. Mostly, the group made money through click fraud and pay-per-click schemes that are predicated upon victims installing a piece of malware that masquerades as a new version of Adobe Flash that the user must install in order to watch a funny video that, of course, doesn’t exist.
Security officials at Facebook have been tracking the activities of the Koobface gang, as the social networking site has been the main infection vector for the malware. This week the company, along with some other researchers, published the names of the people they believe to be responsible for the Koobface infections. Within a day or so of the disclosures, the alleged attackers had begun cleaning up their operation and covering the tracks they’ve been leaving all over the Internet for the last few years. Prior to that, the group had been rather careless about trying to throw researchers and investigators off the scent, and researchers were able to track them through social media profiles and posts and had access to their C&C server for some time, as well.
A long, detailed report from a group of academic researchers in November 2010 revealed much of the details of the Koobface gang’s technical and financial operations, including the methods they use for monetization. The researchers from Infowar Monitor were able to identify the men behind the Koobface worm and also knew where they lived. But they didn’t reveal any of their identities publicly, instead handing it over to law enforcement officials in Canada.
“Our botnet monitoring and research activities discovered a URL path on a well-known Koobface command and control server from which we were able to download archived copies of Koobface’s command and control infrastructure. The contents of these archives revealed the malware, code, and database used to maintain Koobface. It also revealed information about Koobface’s affiliate programs and monetization strategies,” the InfoWar Monitor report says.
“The operators of Koobface have been able to successfully monetize their operations. Through the use of pay-per-click and pay-per-install affiliate programs, Koobface was able to earn over US$2 million between June 2009 and June 2010 by forcing compromised computers to install malicious software and engage in click fraud.”
A Facebook security official told Reuters that the C&C server used by the Koobface gang is now offline, and researchers say that the gang also has essentially dropped offline in the last couple of days. This has made life much more difficult for the officials and researchers who have been tracking the crew.
Koobface first popped up in late 2008 and began infecting users on Facebook and a variety of other social networks. The crew behind the infections gradually shifted their tactics and techniques as researchers began to respond to the attack. And while the identities of the alleged attackers have been known for more than a year now, no prosecutions have materialized. Now that the crew seems to have gone further underground, finding and prosecuting the attackers will be even more problematic.