gfxgfx
 
Please login or register.

Login with username, password and session length
 
gfx gfx
gfx
76793 Posts in 13502 Topics by 1651 Members - Latest Member: Arnold99 October 04, 2024, 08:32:50 pm
*
gfx*gfx
gfx
WinMX World :: Forum  |  Discussion  |  WinMx World News  |  Researchers take down $2m Koobface botnet
gfx
gfxgfx
 

Author Topic: Researchers take down $2m Koobface botnet  (Read 1579 times)

0 Members and 1 Guest are viewing this topic.

Offline DaBees-Knees

  • WMW Team
  • *****
Researchers take down $2m Koobface botnet
« on: November 15, 2010, 10:39:21 pm »
http://www.pcadvisor.co.uk/news/index.cfm?newsid=3248684

Quote
Command-and-control servers taken offline

Security researchers, working with law enforcement and internet service providers, have disrupted the brains of the Koobface botnet.

On Friday, the computer identified as the command-and-control server used to send instructions to infected Koobface machines was offline. According to Nart Villeneuve the chief research officer with SecDev Group, the server was one of three Koobface systems taken offline Friday by Coreix, a UK Internet service provider. "Those are all on the same network, and they're all inaccessible right now," Villeneuve said Friday evening.

Coreix took down the servers after researchers contacted UK law enforcement, Villeneuve said. The company could not be reached immediately for comment.

The move will disrupt Koobface for a time, but for any real effect, much more will have to happen. Machines that are infected by Koobface connect to intermediary servers - typically web servers that have had their FTP credentials compromised - that then redirect them to the now-downed command and control servers.

The effort is part of a larger operation that first started two weeks ago. Villeneuve and his team have notified the ISPs about the compromised FTP accounts, and they've also tipped off Facebook and Google to hundreds of thousands of Koobface-operated accounts.

The Facebook accounts are used to lure victims to Google Blogspot pages, which in turn redirect them to web servers that contain the malicious Koobface code. Victims are usually promised some interesting video on a page designed to look like YouTube. But first they must download special video software. That software is actually Koobface.

Koobface includes several components, including worm software that automatically tries to infect Facebook friends of the victims, and botnet code that gives the hackers remote control of the infected computer.

Koobface has turned out to be a pretty lucrative business since it first popped up on Facebook in July 2008. In a report published on Friday, Villeneuve says that the botnet made more than $2 million between June 2009 and June 2010.

Researchers found data stored on another central server, called "the mothership", used by the Koobface gang to keep track of accounts. This server sent daily text messages to four Russian mobile numbers each day, reporting the botnet's daily earnings totals. Revenue ranged from a loss of $1,014.11 on Jan. 15 of this year to a profit of $19,928.53 on March 23.

Payments were made to Koobface's operators through the Paymer payment service, similar to eBay's PayPal.

The gang's creators would use their hacked computers to register more Gmail, Blogspot and Facebook accounts and steal FTP (File Transfer Protocol) passwords. They also messed up their victims' search results to trick them into clicking on online ads, generating referral money from advertising companies. More cash came from fake antivirus software that Koobface can sneak onto victims' PCs.

Almost exactly half of Koobface's income - just over $1 million [m] - came from the fake antivirus software.  The other half came from online advertising fees.

Villeneuve doesn't identify the Koobface gang in the report, but he thinks that at least one of the members lives in St. Petersburg.

Interestingly, Koobface's operators could have caused more damage. They could have broken into online bank accounts, or stolen passwords or credit card numbers, but they didn't.

"The Koobface gang had a certain charm and ethical restraint," the report sates. "They communicated with security researchers about their intents and their desire not to do major harm. They limited their crimes to petty fraud, albeit massive in scale and scope. But the scary part is that they could have easily done otherwise."

They may not be so friendly with researchers from now on, however.

Villeneuve has handed over information to the Royal Canadian Mounted Police, the US Federal Bureau of Investigation, and UK authorities. And the researchers have also notified Facebook, Google and various ISPs about the fraudulent and compromised accounts. They have identified 20,000 fake Facebook accounts; 500,000 fake Gmail and Blogspot accounts, and thousands of compromised FTP accounts used by the gang.

They hope that these activities will disrupt the botnet's operations, but Villeneuve has no illusions about Koobface being stopped. "I think that they'll probably start up pretty soon, and they'll probably try to recover as many of their bots as soon as they can," he said.

"Almost exactly half of Koobface's income - just over $1 million came from the fake antivirus software"

"The botnet made more than $2 million between June 2009 and June 2010"

"Koobface's operators could have caused more damage. They could have broken into online bank accounts, or stolen passwords or credit card numbers, but they didn't"


Now you know why you have to be alert and take care. The potential harm of that botnet was enormous.  :gum:



Offline White Stripes

  • Core
  • *****
  • ***
  • Je suis aimé
Re: Researchers take down $2m Koobface botnet
« Reply #1 on: November 16, 2010, 08:52:50 am »
would be nice if researchers like this used the C&C to send out the 'cure' to disinfect the machines of the botnet.... something potentially as simple as microsofts own 'malicious software removal tool' ...

WinMX World :: Forum  |  Discussion  |  WinMx World News  |  Researchers take down $2m Koobface botnet
 

gfxgfx
gfx
©2005-2024 WinMXWorld.com. All Rights Reserved.
SMF 2.0.19 | SMF © 2021, Simple Machines | Terms and Policies
Page created in 0.016 seconds with 24 queries.
Helios Multi © Bloc
gfx
Powered by MySQL Powered by PHP Valid XHTML 1.0! Valid CSS!