Just as the saying goes that there are many ways to skin a cat, threat investigation can also be done a handful of different ways, employing various expertise, especially when dealing with a threat employing several pieces of malware and a relatively robust C&C infrastructure.
But even though methodologies may change, whether through reverse engineering or analysis of the botnet infrastructure, the goal of understanding what the threat is all about is the number one priority.
Trend Micro is fortunate enough to have several experts under its fold who are able to attack the challenge using different means. And we are proud to say that our technical analysis and due diligence in monitoring Koobface activities made us understand the botnet intimately, and enabled us to respond and apply the appropriate solution to protect our customers.
Koobface at Its Peak
At its peak, Koobface was popularly known as the malware propagating through the (then) steeply rising social network Facebook, but of course, it was more than that.
Back in 2008-2009, Facebook was just becoming the dominant social network that it is now, and was just starting to distance itself from the likes of Myspace, Twitter, Friendster, myyearbook, etc.
Our first research paper about Koobface provided detailed overview that Koobface was not only exclusively propagating on Facebook, and that it also utilized the other social networks popular during that time. We also presented that once a system is infected by the Koobface malware, additional pieces of malware are installed into the system, which are then used to either monetize infected user traffic, or use the affected machine as part of the Koobface C&C infrastructure.
Koobface and Its C&C
Our findings led us to the second research paper, which delved deeper into the C&C infrastructure and communication. Here, we were able to discover the various levels of control available for the Koobface gang – from the fine grained control of social engineering messages to be spammed by the infected user, to the various components, accounts, infrastructure and commands available to the Koobface gang.
It was also during this phase that we were able to decipher the C&C protocol and commands and monitor the botnet activities. We discovered the Facebook and Google accounts they control, debunked the theory that the Koobface gang is employing cheap workers in India to crack CAPTCHAS, and came to the realization that we are security professionals fighting against real people behind the Koobface bot – as takedown attempts and detection measures were circumvented a few hours/days after discovery.
But we couldn’t consider our research done if we weren’t able to figure out what this is all about. Nobody gives that much time and effort for nothing, so the question that remained was – what’s in it for the Koobface gang?
The Monetization of Koobface
We found out the answer to this question and presented our findings through the third part of our research paper, as we were able to gather proof that the Koobface gang is involved in criminal activities such as FakeAV installation, clickfraud, information stealing and online dating.
It was also at this point when we reached out to the greater security community for intelligence sharing and collaboration. An operation as big as Koobface needs the expertise of other researchers, investigators and involved parties for mitigation. So we reached out to independent investigators such as Jan Droemer, involved parties such as Facebook and Google, and even researchers employed by competitors Kaspersky and Sophos. Of course, several law enforcemenst were also put in the loop.
The Evolution of Koobface
During all these years, we are proud to say we here at Trend Micro has shown the effort and diligence to keep Koobface on our radar. Our fourth report on Koobface details how the Koobface gang changed the C&C architecture, modified the malware binaries, and improved the backend services in order to become more resilient to takedowns and evade simplistic blocking/detection solutions.
Koobface Draws More Blood
As further evidence of Trend Micro’s commitment to this effort, we released our fifth installment of our Koobface research just last month, detailing how the Koobface gang adjusted to strict security checks by Facebook, by making use of Twitter and Blogspot (instead of Facebook) and TDS (Traffic Direction Systems) to divert and monetize user Internet traffic and maintain the gang’s cash flow.
We did these things while working with the appropriate channels and withholding ourselves from revealing sensitive information that will interfere with on-going operations by various law enforcement.
However, this sensitive information regarding one of the Koobface operators were prematurely published by a blogger without coordination with the community involved. This happened before any of the desired results (i.e. arrests) happened. The slow pace of the LE investigation is understandable – the standards of evidence are much higher for LE that they eventually have to go to court. This necessarily takes time.
Let’s hope that the current situation would serve as a ‘last push’ for LE, so that this whole “Koobface saga” will end up with the arrests of the perpetrators, and the dismantling of their infrastructure – a success story like what happened in Operation Ghost Click.
Trend Micro researchers Jonell Baltazar, Ryan Flores, Joey Costoya and Nart Villenueve all devoted significant amounts of time and effort in tracking the Koobface threat.
You may also check this report developed by our friends from Sophos together with independent security researcher Jan Droemer.