The Information Warfare Monitor (Citizen Lab, Munk School of Global Affairs, University of Toronto and The SecDev Group, Ottawa) announce the release of Koobface: Inside a Crimeware Network by Nart Villeneuve, with a foreword by Ron Deibert and Rafal Rohozinski.
This report (PDF) documents the inner workings of Koobface—a botnet that spreads by compromising the computers of users of social networking platforms and placing them under the control of the botnet’s operators for the purpose of monetization.
Between April and November 2010, the Information Warfare Monitor conducted an investigation into the operations and monetization strategies of the Koobface botnet. The researchers discovered archived copies of Koobface’s infrastructure on a well-known Koobface command and control server. The data revealed a wealth of information about the inner workings of the botnet, including information on the malware, code, and database used to maintain the botnet as well as its monetization strategies. With this data, the Information Warfare Monitor was able to gain an in-depth understanding of how Koobface worked.
Koobface: Inside a Crimeware Network details Koobface’s propagation strategies, counter-security measures, and business model. The report contributes to the cybercrime literature by shedding light on the malware ecosystem that enables and sustains cybercriminal activity, and by demonstrating that it is possible to leverage the mistakes made by cybercriminals in order to better understand the scope of their operations.
- Koobface relies on a network of compromised servers that are used to relay connections from compromised computers to the Koobface command and control server. This creates a complex and tiered command and control infrastructure.
- Koobface maintains a system that uses social networking platforms, such as Facebook, to send malicious links. Social networking platforms allow Koobface to exploit the trust that humans have in one another in order to trick users into installing malware and engaging in click fraud.
- Koobface exists within a crime-friendly malware ecosystem that consists of buyers and sellers of the tools and infrastructure required to maintain a botnet. Koobface operators rely on relationships with other botnet operators and cybercriminals to sustain their operations.
- The operators of Koobface have been able to successfully monetize their operations. By forcing compromised computers to install additional malicious software and to engage in click fraud, and by collecting payment through pay-per-click and pay-per-install affiliate programs, the Koobface operators earned over US$2 million between June 2009 and June 2010.
- The operators of Koobface are employing technical countermeasures to ensure that the operations of the botnet remain undisrupted. The operators regularly monitor their malicious links to ensure that they have not been flagged as malicious.
- Botnet operators benefit from the fact that their criminal acts spread across multiple jurisdictions. Issues of overlapping jurisdictions and international politics often complicate investigations and hinder law enforcement and takedown efforts. Cross-border investigations are also hampered at times by a lack of priority and willingness to respond, because the criminal activity visible in any one jurisdiction appears minimal even though the sum of Koobface's activities across all jurisdictions is significant.