Sponsored By

How The Koobface Worm Gang Makes Money

Trend Micro report looks at the true motivation behind the widespread malware-laden botnet

Dark Reading Staff

December 22, 2009

3 Min Read

Chances are you know someone who has been hit by Koobface, one of the first successful social networking worms. But there are many faces to Koobface, and many ways its authors make money from it.

New research from Trend Micro details how Koobface's creators monetize the worm through scareware or fake antivirus, click fraud, information-stealing malware, and online dating services. "Unlike in the past when we always thought of malware as one piece of malware, like Melissa or Lovebug, in today's world Koobface is an ongoing criminal enterprise using hundreds and thousands of pieces of code," says David Perry, global director of education for Trend Micro. "That makes it more difficult to describe to the public at large. It's not just one file."

And the Koobface gang uses multiple channels for generating revenue with its malware, which when it infects a machine turns it into one of its bots. "Koobface has been a fantastically successful attack on social networking," Perry says. And its criminal model represents the type of "evil corporation" that runs today's successful malware operations, he says.

While some botnets do their work by downloading other malware, Koobface is the revenue-generating malware for the Koobface botnet gang, according to the report (PDF).

The group is affiliated with five different fake antivirus groups, including Safety Center and Security Tool. Fake antivirus creators have been pushing their phony software via botnets recently using pay-per-install tactics. The fake antivirus software typically is installed on the victim's machine via Koobfaces's pp.12.exe module, which acts as a fake AV downloader.

Click fraud, in which the bad guys basically hijack search results as a way to artificially increase traffic to earn ad revenue, is another way Koobface pays for its creators. The search hijacker basically intercepts a user's request for a URL and redirects the user to a page that registers the click fraud.

Koobface also installs a variant of the Ldpinch information-stealing Trojan that steals user credentials and then either resells them or uses them to hack Websites. "In turn, compromised sites can be rented out or used by the cybercriminals behind KOOBFACE to host phishing sites or malicious scripts," says the Trend Micro report.

The notorious AdultFriendFinder online dating site is also a Koobface vehicle for money-making. When users click on Flash animations of chat windows, they get infected with Koobface: "It seems that AdultFriendFinder is also back to its old ways, serving unsolicited adult-oriented ads using malicious software. In December 2007, AdultFriendFinder has agreed with the Federal Trade Commission (FTC)'s mandate, which barred it from displaying sexually explicit online ads," says the Trend Micro report. "However, as can be gleaned from our research, the site has revived its former practice."

Trend's Perry says he wasn't surprised by the inner workings of the Koobface gang. "This is exactly what we were expecting to see," he says. "The reason we came up with this [research] is that we get the question all the time of, 'What is this doing?' This indicates that Koobface does not just do one thing," he says. "They are using social networking to plant malware and Trojan downloaders on millions of PCs. They then use those to create an enormous botnet, and take portions of that botnet and sell or lease it to other criminals."

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

About the Author(s)

Dark Reading Staff

Dark Reading

Dark Reading is a leading cybersecurity media site.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights