It’s not easy being ‘friends’, and now it is getting downright dangerous, as the Koobface worm returns with a vengeance, infecting users of social networking sites such as Facebook and Twitter, according to Kaspersky Lab, a leading developer of secure content management solutions.

The malicious Koobface program (its name is an anagram of Facebook) targets sites such as Facebook and Twitter and uses compromised legitimate websites as proxies for its main command and control server, attempting to gather sensitive information from victims such as credit card numbers. It was first detected in December 2008, a more potent version appeared in March 2009, and it is unfortunately back again in 2010.

How Koobface Does the Nasty

“Koobface spreads by delivering Facebook messages to people who are ‘friends’ of a Facebook user whose computer has already been infected. Once received, the message directs recipients to a third-party website, where they are prompted to download what is purported to be an update of the Adobe Flash player. If they download and execute the file, Koobface is able to infect their system. It can then commandeer the computer’s search engine use and direct it to contaminated websites,” said Ms Gun Suk Ling, Regional Managing Director, SEA, Kaspersky Labs Asia Limited.

Among the components downloaded by Koobface are a DNS filter program that blocks access to some security websites and a proxy tool that enables the attackers to abuse the infected PC.

Increased Activity of Koobface in the Past 2 Weeks

During the past 2 weeks, the Kaspersky Lab research team has observed live Koobface Command & Control (C&C) servers being shut down or cleaned at a rate of, on average, three per day. The number of live servers, which all Koobface-infected computers use to get remote commands and updates, dropped steadily from 107 on 25 February to as low as 71 on 08 March. Then, in just 48 hours, it grew from 71 to 142, precisely doubling.

“These latest happenings give us some indications of how the Koobface gang takes care of its infrastructure,” says Stefan Tanase, Senior Regional Researcher, Kaspersky Lab EEMEA. “Based on this, we can conclude that the cybercriminals are constantly monitoring their infrastructure status. They don’t want the number of C&C servers to drop too much, as that would mean losing their control over the botnet. When the number of active C&C servers drops to a critical level, they seem to be ready to implement dozens of new ones. The total number of Koobface C&C servers is constantly fluctuating, going from over a hundred to under a hundred and back again in a matter of weeks. It seems that when 100 C&C servers are online, the Koobface gang is relaxed. They also prefer to have their C&C servers distributed across the globe and with different ISPs, in order to make the take-down process harder. However, most of the Koobface C&C servers remain in the United States.”

Ms Gun Suk Ling of Kaspersky Lab shared some tips for users:

Be cautious when opening links in suspicious messages, even if the sender is one of your trusted Facebook friends.

Use an up-to-date, modern browser: Firefox 3.x, Internet Explorer 8, Google Chrome, Opera 10 etc.

Divulge as little personal information as possible. Do not give out your home address, telephone number or other private details.

Keep your antivirus software updated to prevent new versions of malware from attacking your computer. Kaspersky Lab users running any of the Company’s current anti-malware products are fully protected from all known variants of Koobface. Kaspersky Lab’s global team of analysts are keeping a close eye on all threats coming from the social networking space, monitoring the malicious activity and constantly updating the protection customers receive.

The evolution of the Koobface command and control infrastructure can also be observed in the geographical location of the IP addresses used to communicate with infected computers. The use of C&C servers is increasing mostly in the United States, growing from 48 percent to 52 percent of the total. Currently, more than half of the Koobface C&C servers are hosted in the United States, far exceeding any other country.
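A small tracking script, added here as an illustration and not code from Kaspersky Lab, that reproduces the three figures quoted above (a net loss of roughly three live C&C servers per day, a doubling within 48 hours, and the US share rising from 48 to 52 percent) from a constructed daily series; the days between the reported snapshots are interpolated and the per-country counts are assumed.

```python
"""Track a botnet's live C&C server count over time and flag replenishment bursts.

Constructed sample: the end points match the figures quoted in the article
(107 on 25 Feb, 71 on 8 March, 142 two days later); intermediate days and the
US-hosted counts are interpolated/assumed, not Kaspersky's dataset.
"""
from datetime import date

# (snapshot day, live C&C servers, of which hosted in the US)
SERIES = [
    (date(2010, 2, 25), 107, 51),
    (date(2010, 2, 28), 98, 47),
    (date(2010, 3, 3), 86, 42),
    (date(2010, 3, 6), 77, 38),
    (date(2010, 3, 8), 71, 35),
    (date(2010, 3, 10), 142, 74),
]


def replenishment_events(series, window_days=2, factor=2.0):
    """Return (start, end, before, after) for every pair of snapshots at most
    `window_days` apart in which the live count grew by at least `factor`.
    A steady decline punctuated by such jumps is the pattern described above:
    operators top up C&C capacity once it falls to a critical level."""
    events = []
    for i, (d0, n0, _) in enumerate(series):
        for d1, n1, _ in series[i + 1:]:
            if (d1 - d0).days > window_days:
                break
            if n0 > 0 and n1 / n0 >= factor:
                events.append((d0, d1, n0, n1))
    return events


def average_daily_loss(series):
    """Net live servers lost per day from the first snapshot to the minimum
    (the take-down/cleaning rate defenders are achieving against the botnet)."""
    first = series[0]
    low = min(series, key=lambda row: row[1])
    days = (low[0] - first[0]).days
    return (first[1] - low[1]) / days if days else 0.0


def us_share(series):
    """Percentage of live C&C servers hosted in the US at the first and last snapshot."""
    first, last = series[0], series[-1]
    return (round(100 * first[2] / first[1]), round(100 * last[2] / last[1]))


if __name__ == "__main__":
    for start, end, before, after in replenishment_events(SERIES):
        print(f"replenishment: {before} -> {after} between {start} and {end}")
    print(f"net loss/day: {average_daily_loss(SERIES):.1f}, US share: {us_share(SERIES)}")
```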

4 thoughts on “Kaspersky Lab Discovers Koobface Worm Doubles its Number of Command and Control Servers in 48 Hours”
  1. May I simply just say what a comfort to uncover an individual who actually knows what they’re discussing on the internet.

    You definitely know how to bring an issue to light
    and make it important. A lot more people should read
    this and understand this side of your story.
    I was surprised you’re not more popular given that you most certainly have the gift.

  2. Merely to follow up on the up-date of this subject on your website and would like to let you know just how much I liked the time you took to generate this beneficial post.
    In the post, you really spoke of how to definitely handle this concern with all convenience.
    It would be my pleasure to get together some more suggestions from your web
    site and come up to offer some others what I have benefited from
    you. Many thanks for your usual great effort.

  3. I needed to create you one very little remark to be
    able to thank you so much again for your stunning views
    you have shown at this time. It was certainly extremely open-handed of you giving publicly what most people could possibly have made available for an electronic book in order to make some profit for themselves,
    specifically considering that you might well have done it in the event you desired.
    The pointers as well worked like the great way to realize that some people have
    a similar dreams similar to my very own to learn many more around this problem.
    I believe there are some more pleasurable opportunities in the future for many who check
    out your blog post.

  4. I feel this is among the most vital information for me. And I am happy studying your article. However should commentary on some basic things, The web site taste is great, the articles is truly excellent :D. Good activity, cheers
