Recommended Product
Network Security Audit Software
Network Security Audit Software and Computer Security Tools
  Learn More
 
 
  Network Security Software
Network Bandwidth Monitor

Network Bandwidth Monitor
NBMonitor displays real-time details about your network connections & bandwidth usage.

   
Network Access Monitoring

Network Access Monitoring
ShareAlarmPro monitors network access to shared folders and resources.

   
Product Key Finder
Product Key Finder

Product Key Explorer retrieves over 800 software product keys from network computers.
   
Network Shares Monitoring

Network Share Watcher
Monitors network folders permissions and identify shares which are violating company data access policy.

 
 

Network Security News

Researchers take down Koobface servers

November 13 2010

Security researchers, working with law enforcement and Internet service providers, have disrupted the brains of the Koobface botnet. Late Friday afternoon, Pacific Time, the computer identified as the command-and-control server used to send instructions to infected Koobface machines was offline. According to Nart Villeneuve the chief research officer with SecDev Group, the server was one of three Koobface systems taken offline Friday by Coreix took down the servers after researchers contacted U.K. law enforcement, Villeneuve said. The company could not be reached immediately for comment.

The takedown will disrupt Koobface for a time, but for any real effect, much more will have to happen. Machines that are infected by Koobface connect to intermediary servers -- typically Web servers that have had their FTP credentials compromised -- that then redirect them to the now-downed command and control servers.

Friday's takedown is part of a larger operation that first started two weeks ago. Villeneuve and his team have notified the ISPs about the compromised FTP accounts, and they've also tipped off Facebook and Google to hundreds of thousands of Koobface-operated accounts.

The Facebook accounts are used to lure victims to Google Blogspot pages, which in turn redirect them to Web servers that contain the malicious Koobface code. Victims are usually promised some interesting video on a page designed to look like YouTube. But first they must download special video software. That software is actually Koobface.

Koobface includes several components, including worm software that automatically tries to infect Facebook friends of the victims, and botnet code that gives the hackers remote control of the infected computer.

Koobface has turned out to be a pretty lucrative business since it first popped up on Facebook in July 2008. In a report published Friday, Villeneuve says that the botnet made more than US$2 million between June 2009 and June 2010.

Researchers found data stored on another central server, called "the mothership" used by the Koobface gang to keep track of accounts. This server sent daily text messages to four Russian mobile numbers each day, reporting the botnet's daily earnings totals. Revenue ranged from a loss of $1,014.11 on Jan. 15 of this year to a profit of $19,928.53 on March 23.

Payments were made to Koobface's operators through the Paymer payment service, similar to eBay's PayPal.

The gang's creators would use their hacked computers to register more Gmail, Blogspot and Facebook accounts and steal FTP (File Transfer Protocol) passwords. They also messed up their victims' search results to trick them into clicking on online ads, generating referral money from advertising companies. More cash came from fake antivirus software that Koobface can sneak onto victims' PCs.

Almost exactly half of Koobface's income -- just over $1 million [m] -- came from the fake antivirus software. The other half came from online advertising fees.

Villeneuve doesn't identify the Koobface gang in the report, but he thinks that at least one of the members lives in St. Petersburg.

Interestingly, Koobface's operators could have caused more damage. They could have broken into online bank accounts, or stolen passwords or credit card numbers, but they didn't.

"The Koobface gang had a certain charm and ethical restraint," the report sates. "They communicated with security researchers about their intents and their desire not to do major harm. They limited their crimes to petty fraud, albeit massive in scale and scope. But the scary part is that they could have easily done otherwise."

They may not be so friendly with researchers from now on, however.

Villeneuve has handed over information to the Royal Canadian Mounted Police, the U.S. Federal Bureau of Investigation, and U.K. authorities. And the researchers have also notified Facebook, Google and various ISPs about the fraudulent and compromised accounts. They have identified 20,000 fake Facebook accounts; 500,000 fake Gmail and Blogspot accounts, and thousands of compromised FTP accounts used by the gang.

They hope that these activities will disrupt the botnet's operations, but Villeneuve has no illusions about Koobface being stopped. "I think that they'll probably start up pretty soon, and they'll probably try to recover as many of their bots as soon as they can," he said.
oreix, a U.K. Internet service provider. "Those are all on the same network, and they're all inaccessible right now," Villeneuve said Friday evening.

View more news

 
  Most Popular
 
 
  Popular Searches
 

 

Sponsored Links
Network Security Auditor
Nsauditor is a complete networking utilities package that includes more than 45 network tools and utilities for network auditing, scanning,network connections monitoring and more. For more information, please visit:
www.nsauditor.com


Password Recovery Software
SpotAuditor is All-in-one password recovery program that offers administrators and users a comprehensive solution for recovering passwords and other critical business information saved in users' computers. For more information, please visit:
www.password-recovery-software.com

BlueAuditor - Monitor YourBluetooth Network
BlueAuditor detects and monitors Bluetooth devices in a wireless network and allows network administrators to audit wireless networks against security vulnerabilities associated with the use of Bluetooth devices. For more information, please visit:
nsauditor.com/bluetooth_network_scanner.html