The KOOBFACE botnet is known for using the pay-per-install (PPI) and pay-per-click (PPC) business models in order to make money. In 2009 alone, the KOOBFACE gang earned about US$2 million.
This was, however, not enough, as the gang upgraded their botnet framework with the creation of a sophisticated traffic direction system (TDS) that handles all of the traffic referenced to their affiliate sites. They also introduced new binary components to help increase the amount of Internet traffic that goes to their TDS, which translates to even bigger profit.
The KOOBFACE gang’s TDS redirected traffic to advertising sites from which they earn referral money or to several of their affiliate sites. Note that websites that use the referral business model such as advertising and affiliate sites earn more as the Internet traffic to their sites increases. To more clearly see how the new TDS allows the gang to earn more, look at the diagram below, along with the list of steps taken to achieve it:
- Create and register email addresses. Because the KOOBFACE botnet can no longer automatically create Google accounts for malicious schemes, the gang automated Yahoo! Mail account creation instead. This allowed them to create the Google accounts they would need.
- Create social network accounts. The email addresses the KOOBFACE botnet creates are then used to sign up for social networks such as Twitter, Tumblr, FriendFeed, FC2, livedoor, So-net, and Blogger. Some accounts were also created in altervista.org. The domains of the blog accounts the botnet creates contained words such as “news” or “2011 news”.
- Collect images. The KOOBFACE gang introduced a new binary component that primarily gathers pornographic images; pictures of celebrities, weddings, tattoos, and cars; as well as desktop wallpaper images from Google‘s image search. These are used in the blog posts the gang members create.
- Step 5: Share links to posts via social networks. To further increase traffic to the malicious blog posts, which eventually lead to affiliate sites, the KOOBFACE gang also actively spread related keywords on the Web and promote the said posts via social networks such as Twitter, Tumblr, AOL Lifestream, and FriendFeed. They do so with the aid of several binary components that each caters to a target social networking site.
TDS creation definitely provided the KOOBFACE gang a means to more efficiently target celebrity fans, online daters, casual porn surfers, and car enthusiasts. Their TDS allowed them to efficiently handle the increase in the number of unwitting users who land on specially crafted blog posts that lead to various advertising, click-fraud, and other affiliate sites, which all translate to profit.
The KOOBFACE gang is clearly still up to no good and will most probably continue victimizing users. As such, we advise their target platforms to push through with efforts to avoid bot-automated interactions and to implement stricter security measures to protect their users from cybercriminal abuse.
Users, for their part, are strongly urged to use security solutions that can help mitigate the threats KOOBFACE poses. Trend Micro products, powered by the Smart Protection Network™ infrastructure, for instance, can effectively block user access to KOOBFACE-controlled sites that host updated components, including the TDS URL via the Web Reputation Technology.
Download our newest KOOBFACE research paper, More Traffic, More Money: KOOBFACE Draws More Blood for more information on how KOOBFACE’s TDS works as well as how the botnet’s binaries work together in order to increase the amount of Internet traffic that goes to the gang’s TDS.
Share this article