The KOOBFACE botnet continuously evolves to keep on generating profit for its perpetrators. The fact that the botnet is still alive shows that the cybercriminals behind it are making a fortune off it.

In our effort to conduct research on and to monitor the latest developments made to the KOOBFACE botnet, we have noticed several changes in the way it operates. Some of the major changes the botnet has undergone from when we started unmasking it include the following:

1. Using proxy command-and-control (C&C) servers
2. Encrypting the gang members’ C&C communications
3. Banning IP addresses from repeatedly accessing KOOBFACE-controlled sites
4. Introducing new binary components
5. Employing several layers of binary protection with the use of more complex packers

These changes pose a greater challenge to security researchers in reverse-engineering existing KOOBFACE binaries and in monitoring the gang members’ C&C communications. Though the changes the gang has made to their botnet have made it interesting, someone has to put a stop to their malicious schemes and put the perpetrators where they belong—behind bars.

For more information on the most recent developments on the KOOBFACE botnet based on our latest findings, read “Web 2.0 Botnet Evolution: KOOBFACE Revisited.” You may also find the following papers a good read to learn more about one of the most notorious botnets in existence today—KOOBFACE:

• “The Real Face of KOOBFACE: The Largest Web 2.0 Botnet Explained”
• “The Heart of KOOBFACE: C&C and Social Network Propagation”
• “Show Me the Money!: The Monetization of KOOBFACE”