The KOOBFACE botnet is known for using the pay-per-install (PPI) and pay-per-click (PPC) business models in order to make money. In 2009 alone, the KOOBFACE gang earned about US$2 million.

This was, however, not enough, as the gang upgraded their botnet framework with the creation of a sophisticated traffic direction system (TDS) that handles all of the traffic referred to their affiliate sites. They also introduced new binary components to help increase the amount of Internet traffic that goes to their TDS, which translates to even bigger profit.

The KOOBFACE gang's TDS redirects traffic either to advertising sites from which they earn referral money or to several of their affiliate sites. Note that websites that use the referral business model, such as advertising and affiliate sites, earn more as the Internet traffic to their sites increases. To see more clearly how the new TDS allows the gang to earn more, look at the diagram below, along with the list of steps taken to achieve it:

[Diagram: Koobface TDS]

1. Create and register email addresses. Because the KOOBFACE botnet can no longer automatically create Google accounts for malicious schemes, the gang automated Yahoo! Mail account creation instead. This allowed them to create the Google accounts they would need.
2. Create social network accounts. The email addresses the KOOBFACE botnet creates are then used to sign up for social networks such as Twitter, Tumblr, FriendFeed, FC2, livedoor, So-net, and Blogger. Some accounts were also created in The domains of the blog accounts the botnet creates contained words such as "news" or "2011 news".
3. Collect images. The KOOBFACE gang introduced a new binary component that primarily gathers pornographic images; pictures of celebrities, weddings, tattoos, and cars; as well as desktop wallpaper images from Google's image search. These are used in the blog posts the gang members create.
4. Create blog posts. The KOOBFACE botnet abuses popular Japanese blogging platforms such as FC2, Livedoor, So-net, Jugem, and Cocolog, apart from good old Google's Blogger, via a dedicated malware component that creates blog accounts while others retrieve content or blog posts from the proxy command-and-control (C&C) server. The said posts are then automatically uploaded to the target platforms. These contain images, links, and keywords that help increase the sites' search engine optimization (SEO) ranking, along with obfuscated JavaScript code that references the botnet's TDS domain. This allows the TDS to track the number of visits to each blog post and to redirect visitors to the botnet's affiliate sites. The botnet makes money from the clicks victims make while reading blog posts and from the traffic the TDS directs to designated final landing sites.
5. Share links to posts via social networks. To further increase traffic to the malicious blog posts, which eventually lead to affiliate sites, the KOOBFACE gang also actively spreads related keywords on the Web and promotes the said posts via social networks such as Twitter, Tumblr, AOL Lifestream, and FriendFeed. They do so with the aid of several binary components that each cater to a target social networking site.
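The traits of a TDS-backed blog post described in step 4 (keyword stuffing, an off-site script reference, obfuscated inline JavaScript) can be checked for by a platform or abuse team. The scanner below is an added example written for this post, not Trend Micro's or the KOOBFACE research's code; the blog host and the TDS domain in the sample are constructed placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample post in the style described above. The script host is a
# hypothetical placeholder, not a real KOOBFACE TDS domain.
SAMPLE_POST = """
<html><body>
<h1>2011 news celebrity wedding photos</h1>
<p>news news celebrity tattoo cars wallpaper news 2011 news</p>
<img src="http://blog.example/img/1.jpg">
<script src="http://tds-placeholder.example/go.php?id=42"></script>
<script>eval(unescape("%64%6f%63%75%6d%65%6e%74"));</script>
</body></html>
"""

# Common building blocks of obfuscated redirect scripts.
OBFUSCATION_PATTERNS = [r"eval\s*\(", r"unescape\s*\(",
                        r"String\.fromCharCode", r"document\.write\s*\("]


class PostScanner(HTMLParser):
    """Collects external script hosts, inline script text, and visible words."""

    def __init__(self):
        super().__init__()
        self.script_hosts, self.inline_scripts, self.words = [], [], []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            src = dict(attrs).get("src")
            if src:
                self.script_hosts.append(urlparse(src).hostname or "")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.inline_scripts.append(data)
        else:
            self.words.extend(data.lower().split())


def scan_post(html, blog_host):
    """Return the indicators found: off-site script hosts, obfuscation hits,
    and the most repeated visible word with its share of all words."""
    p = PostScanner()
    p.feed(html)
    offsite = sorted({h for h in p.script_hosts if h and h != blog_host})
    obf = [pat for pat in OBFUSCATION_PATTERNS
           if any(re.search(pat, s) for s in p.inline_scripts)]
    top = max(set(p.words), key=p.words.count) if p.words else None
    density = p.words.count(top) / len(p.words) if p.words else 0.0
    return {"offsite_script_hosts": offsite, "obfuscation": obf,
            "top_keyword": top, "keyword_density": round(density, 2)}
```

A post that trips all three indicators at once is a strong candidate for review; any single one on its own is common on legitimate blogs.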

The creation of the TDS definitely provided the KOOBFACE gang a means to more efficiently target celebrity fans, online daters, casual porn surfers, and car enthusiasts. Their TDS allowed them to efficiently handle the increase in the number of unwitting users who land on specially crafted blog posts that lead to various advertising, click-fraud, and other affiliate sites, all of which translate to profit.

The KOOBFACE gang is clearly still up to no good and will most probably continue victimizing users. As such, we advise their target platforms to push through with efforts to prevent bot-automated interactions and to implement stricter security measures to protect their users from cybercriminal abuse.

Users, for their part, are strongly urged to use security solutions that can help mitigate the threats KOOBFACE poses. Trend Micro products, powered by the Smart Protection Network™ infrastructure, for instance, can effectively block user access to KOOBFACE-controlled sites that host updated components, including the TDS URL, via the Web Reputation Technology.

Another alternative is using a Web browser that blocks the execution of JavaScript. This prevents the malicious JavaScript code KOOBFACE uses from executing its routines. Note, however, that such a browser will also prevent non-malicious JavaScript from legitimate sites from running, leaving users with a rather poor Web browsing experience.

Download our newest KOOBFACE research paper, More Traffic, More Money: KOOBFACE Draws More Blood, for more information on how KOOBFACE's TDS works as well as how the botnet's binaries work together in order to increase the amount of Internet traffic that goes to the gang's TDS.

© Copyright 2013 Trend Micro Inc. All rights reserved.