The Koobface gang is arguably one of the better known cybercriminal groups out there. Koobface first came on the scene in 2008 as one of the first social network worms. The Koobface worm built up a botnet of infected systems and has been active in some form or other since then, making it one of the longest continuously operating botnets since its discovery. The Koobface gang’s notoriety stems in part from that staying power.
But it’s no accident that Koobface has been around this long; the Koobface gang are keen businessmen. Trend Micro’s latest TrendLabs research shows they’ve taken an unprecedented step to maintain the botnet’s constant presence by expanding their business model to make money not just from criminal activities but also from manipulating legitimate money-making schemes. Koobface isn’t just cybercrime; it’s a true cybercriminal business enterprise, perhaps better thought of now as Koobface, Inc.
Like most major botnets, Koobface is ultimately about money. Some of the most interesting research in 2008 was about how Koobface made money. And the Koobface gang has shown a readiness to adapt through the years. They’ve added new features, improved the security of their product, and even moved their operations. In these ways they’ve acted like a professional software development shop. So it’s not surprising that they’re willing to change not just their product but their business tactics. Still, in the history of botnets the new business model is a unique development.
The Koobface gang’s model of making money from the pay-per-install (PPI) and pay-per-click (PPC) markets is still in place. This brought the gang a healthy US$2 million in 2009 alone. But to bring in even more money, they’ve expanded to make money off the Internet traffic business. They’ve added components to Koobface that enable them to direct Internet traffic to whatever sites they want.
This allows them to make money in two ways. First, they can sell this controlled traffic to others, essentially renting out their control over victims’ machines. The other way they make money is to direct traffic to legitimate sites that participate in affiliate and advertising programs. With these sites under their control they can earn money through legitimate programs, even though the traffic that earns it is not legitimate. TrendLabs identified four categories in which the Koobface, Inc. gang is earning affiliate money:
- Adult online dating sites
- Google AdSense sites
- Rogue online search sites
- Video-streaming sites
TrendLabs research shows that this new business is in its early stages, having started in July 2011. Accurate numbers are hard to come by, but there is evidence that they were able to direct nearly 513,000 visitors to one of their affiliate sites, earning as much as US$1,250 for the traffic. While that may not sound like much, it is one site of potentially hundreds or thousands, in only two months. As with the PPI/PPC model, this is a high-volume business that yields a respectable new revenue stream in aggregate.
The idea of a criminal enterprise acting like a legitimate business, and earning legitimate money, isn’t new. It was a central theme in the movie The Godfather Part III. Michael Corleone tried to expand into legitimate businesses because that made the most financial sense. With these recent changes to their botnet, the Koobface gang is showing that business is business, even when it’s the criminal botnet business.