Attacks/Breaches

12/21/2009
02:51 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

How The Koobface Worm Gang Makes Money

Trend Micro report looks at the true motivation behind the widespread malware-laden botnet

Chances are you know someone who has been hit by Koobface, one of the first successful social networking worms. But there are many faces to Koobface, and many ways its authors make money from it.

New research from Trend Micro details how Koobface's creators monetize the worm through scareware or fake antivirus, click fraud, information-stealing malware, and online dating services. "Unlike in the past when we always thought of malware as one piece of malware, like Melissa or Lovebug, in today's world Koobface is an ongoing criminal enterprise using hundreds and thousands of pieces of code," says David Perry, global director of education for Trend Micro. "That makes it more difficult to describe to the public at large. It's not just one file."

And the Koobface gang uses multiple channels for generating revenue with its malware, which when it infects a machine turns it into one of its bots. "Koobface has been a fantastically successful attack on social networking," Perry says. And its criminal model represents the type of "evil corporation" that runs today's successful malware operations, he says.

While some botnets do their work by downloading other malware, Koobface is the revenue-generating malware for the Koobface botnet gang, according to the report (PDF).

The group is affiliated with five different fake antivirus groups, including Safety Center and Security Tool. Fake antivirus creators have been pushing their phony software via botnets recently using pay-per-install tactics. The fake antivirus software typically is installed on the victim's machine via Koobfaces's pp.12.exe module, which acts as a fake AV downloader.

Click fraud, in which the bad guys basically hijack search results as a way to artificially increase traffic to earn ad revenue, is another way Koobface pays for its creators. The search hijacker basically intercepts a user's request for a URL and redirects the user to a page that registers the click fraud.

Koobface also installs a variant of the Ldpinch information-stealing Trojan that steals user credentials and then either resells them or uses them to hack Websites. "In turn, compromised sites can be rented out or used by the cybercriminals behind KOOBFACE to host phishing sites or malicious scripts," says the Trend Micro report.

The notorious AdultFriendFinder online dating site is also a Koobface vehicle for money-making. When users click on Flash animations of chat windows, they get infected with Koobface: "It seems that AdultFriendFinder is also back to its old ways, serving unsolicited adult-oriented ads using malicious software. In December 2007, AdultFriendFinder has agreed with the Federal Trade Commission (FTC)'s mandate, which barred it from displaying sexually explicit online ads," says the Trend Micro report. "However, as can be gleaned from our research, the site has revived its former practice."

Trend's Perry says he wasn't surprised by the inner workings of the Koobface gang. "This is exactly what we were expecting to see," he says. "The reason we came up with this [research] is that we get the question all the time of, 'What is this doing?' This indicates that Koobface does not just do one thing," he says. "They are using social networking to plant malware and Trojan downloaders on millions of PCs. They then use those to create an enormous botnet, and take portions of that botnet and sell or lease it to other criminals."

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message. Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
White House Cybersecurity Strategy at a Crossroads
Kelly Jackson Higgins, Executive Editor at Dark Reading,  7/17/2018
The Fundamental Flaw in Security Awareness Programs
Ira Winkler, CISSP, President, Secure Mentem,  7/19/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-5065
PUBLISHED: 2018-07-20
Adobe Acrobat and Reader 2018.011.20040 and earlier, 2017.011.30080 and earlier, and 2015.006.30418 and earlier versions have a Use-after-free vulnerability. Successful exploitation could lead to arbitrary code execution in the context of the current user.
CVE-2018-5066
PUBLISHED: 2018-07-20
Adobe Acrobat and Reader 2018.011.20040 and earlier, 2017.011.30080 and earlier, and 2015.006.30418 and earlier versions have an Out-of-bounds read vulnerability. Successful exploitation could lead to information disclosure.
CVE-2018-5067
PUBLISHED: 2018-07-20
Adobe Acrobat and Reader 2018.011.20040 and earlier, 2017.011.30080 and earlier, and 2015.006.30418 and earlier versions have a Heap Overflow vulnerability. Successful exploitation could lead to arbitrary code execution in the context of the current user.
CVE-2018-5068
PUBLISHED: 2018-07-20
Adobe Acrobat and Reader 2018.011.20040 and earlier, 2017.011.30080 and earlier, and 2015.006.30418 and earlier versions have an Out-of-bounds read vulnerability. Successful exploitation could lead to information disclosure.
CVE-2018-5069
PUBLISHED: 2018-07-20
Adobe Acrobat and Reader 2018.011.20040 and earlier, 2017.011.30080 and earlier, and 2015.006.30418 and earlier versions have an Out-of-bounds write vulnerability. Successful exploitation could lead to arbitrary code execution in the context of the current user.