02:51 PM
Connect Directly

How The Koobface Worm Gang Makes Money

Trend Micro report looks at the true motivation behind the widespread malware-laden botnet

Chances are you know someone who has been hit by Koobface, one of the first successful social networking worms. But there are many faces to Koobface, and many ways its authors make money from it.

New research from Trend Micro details how Koobface's creators monetize the worm through scareware or fake antivirus, click fraud, information-stealing malware, and online dating services. "Unlike in the past when we always thought of malware as one piece of malware, like Melissa or Lovebug, in today's world Koobface is an ongoing criminal enterprise using hundreds and thousands of pieces of code," says David Perry, global director of education for Trend Micro. "That makes it more difficult to describe to the public at large. It's not just one file."

And the Koobface gang uses multiple channels for generating revenue with its malware, which when it infects a machine turns it into one of its bots. "Koobface has been a fantastically successful attack on social networking," Perry says. And its criminal model represents the type of "evil corporation" that runs today's successful malware operations, he says.

While some botnets do their work by downloading other malware, Koobface is the revenue-generating malware for the Koobface botnet gang, according to the report (PDF).

The group is affiliated with five different fake antivirus groups, including Safety Center and Security Tool. Fake antivirus creators have been pushing their phony software via botnets recently using pay-per-install tactics. The fake antivirus software typically is installed on the victim's machine via Koobfaces's pp.12.exe module, which acts as a fake AV downloader.

Click fraud, in which the bad guys basically hijack search results as a way to artificially increase traffic to earn ad revenue, is another way Koobface pays for its creators. The search hijacker basically intercepts a user's request for a URL and redirects the user to a page that registers the click fraud.

Koobface also installs a variant of the Ldpinch information-stealing Trojan that steals user credentials and then either resells them or uses them to hack Websites. "In turn, compromised sites can be rented out or used by the cybercriminals behind KOOBFACE to host phishing sites or malicious scripts," says the Trend Micro report.

The notorious AdultFriendFinder online dating site is also a Koobface vehicle for money-making. When users click on Flash animations of chat windows, they get infected with Koobface: "It seems that AdultFriendFinder is also back to its old ways, serving unsolicited adult-oriented ads using malicious software. In December 2007, AdultFriendFinder has agreed with the Federal Trade Commission (FTC)'s mandate, which barred it from displaying sexually explicit online ads," says the Trend Micro report. "However, as can be gleaned from our research, the site has revived its former practice."

Trend's Perry says he wasn't surprised by the inner workings of the Koobface gang. "This is exactly what we were expecting to see," he says. "The reason we came up with this [research] is that we get the question all the time of, 'What is this doing?' This indicates that Koobface does not just do one thing," he says. "They are using social networking to plant malware and Trojan downloaders on millions of PCs. They then use those to create an enormous botnet, and take portions of that botnet and sell or lease it to other criminals."

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message. Kelly Jackson Higgins is Executive Editor at She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Intel Says to Stop Applying Problematic Spectre, Meltdown Patch
Kelly Jackson Higgins, Executive Editor at Dark Reading,  1/22/2018
Register for Dark Reading Newsletters
White Papers
Current Issue
The Year in Security: 2017
A look at the biggest news stories (so far) of 2017 that shaped the cybersecurity landscape -- from Russian hacking, ransomware's coming-out party, and voting machine vulnerabilities to the massive data breach of credit-monitoring firm Equifax.
Flash Poll
[Strategic Security Report] Navigating the Threat Intelligence Maze
[Strategic Security Report] Navigating the Threat Intelligence Maze
Most enterprises are using threat intel services, but many are still figuring out how to use the data they're collecting. In this Dark Reading survey we give you a look at what they're doing today - and where they hope to go.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.