Koobface servers closed down

The Koobface botnet took a serious hit last weekend as servers hosting its command and control (C&C) centre were taken down.

The main C&C centre was located on servers based at UK hosting company Coreix.

Alan Dean, financial director at Coreix, confirmed the company had suspended services to three servers last week as part of an investigation into the Koobface gang.

"Those investigations are ongoing. We therefore do not wish to make any further statement at the moment which might, even in some small way, impact on those investigations," Dean told IT PRO.

"We stress our commitment to working with police to bring the perpetrators of crime to justice and to removing any sites or services which breach any laws or the terms of our Acceptable Use Policy."

Between June 2009 and June 2010, Koobface was able to earn its operators US$2 million as it forced victims to download malware and then help carry out click fraud, according to research undertaken by the Information Warfare Monitor.

This click fraud would generate funds through pay-per-click and pay-per-install schemes, the report found.

Infected computers were forced to fake clicks on ads or install buttons. Every time a click was faked, money would be handed to the operators from other members of affiliate programmes.

Cyber criminals also used Koobface to tempt web users into paying for fake anti-virus products, earning the operators US$1 million.

“Botnet operators, such as those behind Koobface, do make mistakes,” said Nart Villeneuve, chief research officer for SecDev, who led the research project.

“Information sharing and persistent monitoring can uncover the details of botnet operations. Therefore, it is important that the law enforcement and security community continue to share information and work closely together,” he said in a blog.

Koobface has used social networks to spread and is known to be one of the most sophisticated pieces of malware circulating the web today.

The masterminds behind Koobface, also known as Ali Baba and 40 LLC, used it to send messages containing malicious links over the likes of Facebook.

The links took victims to fake YouTube pages where they were encouraged to download malware with temptations such as a software upgrade.

Koobface was running through a massive number of accounts, including 500,000 fake Google blogger and Gmail accounts set up by the botnet. Typically botnets will use infected machines to set up these fake accounts.

A total of 20,000 fake Facebook accounts were also used by Koobface - itself an anagram of 'Facebook' - to spread the malicious messages.

Both Google and Facebook have been contacted by the researchers, who informed the tech giants about a number of fraudulent accounts.

Last month, researchers discovered a Mac version the Koobface worm for the first time.

This article originally appeared at itpro.co.uk