Research team has observed the Koobface live C&C servers shut down or cleaned on an average of three times per day in past two weeks

March 12, 2010

4 Min Read

PRESS RELEASE

Woburn, MA " March 11, 2010 " The shut down and recovery of the Troyak-as command and control center (C&C) for the active Zeus botnet was good news for the whole IT security community. But unfortunately, as some botnets struggle, others stay unaffected. As part of their relentless effort to stay ahead of cybercriminals, Kaspersky Lab's research and analysis team have recently monitored a surge in Koobface C&C servers, the highly prolific worm infesting social networking sites. Koobface targets sites such as Facebook and Twitter, and uses compromised legitimate websites as proxies for its main command and control (C&C) server.

Definition of Command & Control Center: Command and Control centers are servers maintained by the owners of a botnet and used to enable the infected computers to "call back to their masters" and get updates and commands, such as downloading new or more malware, or stealing various computer files or personal information, such as banking accounts.

During the past 2 weeks, the Kaspersky research team has observed the Koobface live C&C servers shut down or cleaned on an average of three times per day. The number dropped steadily from107 on February 25 to as low as 71 on March 8. Then, in just 48 hours, the number grew from 71 to 142, precisely doubling the total number of C&C servers, which all Koobface infected computers use to get remote commands and updates.

Command & Control Centers Hosted in U.S. Increase

Another interesting element currently happening with the Koobface command and control infrastructure can be observed when looking at the evolution of the geographical location of IP addresses used to communicate with the infected computers. The usage of C&C servers hosted in the United States is increasing, growing from 48 percent to 52 percent. Currently, more than half of the Koobface C&C servers are hosted in the United States, far exceeding any other country.

Quote:

Stefan Tanase, Senior Anti-Virus Researcher

Kaspersky Lab

"These latest happenings give us some indications on how the Koobface gang takes care of its infrastructure. Based on this, we can conclude that, the cybercriminals are constantly monitoring their infrastructure status. They don't want the number of their C&C servers to drop too much, as that would mean losing control over the botnet. When the number of running C&C servers drops to a critical level, they seem to be prepared with dozens of new servers. The number of total Koobface C&C servers is always oscillating, going from above to below 100 and back in a matter of weeks. It seems that 100 online C&C servers is the number that is keeping the Koobface gang relaxed. Also, they prefer having their C&C servers distributed all over the world, in different countries with different ISPs, to make the take down process harder. Still, most of the Koobface C&C servers remain in the United States, where most of the Koobface infected computers are located: 40% of the IP addresses that connect to Koobface C&C servers are US based."

Note to users:

Be cautious when opening links in suspicious messages, even if the sender is one of your trusted Facebook friends.

Use an up-to-date, modern browser: Internet Explorer 8, Firefox 3.x, Chrome, Opera 10

Divulge as little personal information as possible. Do not give out your home address, telephone number or other private details.

Keep your antivirus software updated to prevent new versions of malware from attacking your computer.

Kaspersky Lab users running any of the Company's current anti-malware products are fully protected from all known variants of Koobface. Kaspersky Lab's global team of analysts are keeping a close eye on all threats coming from the social networking space, monitoring the malicious activity and constantly updating the customers' protection. Users can download the most recent version of Kaspersky Internet Security or Kaspersky Anti-Virus here: http://usa.kaspersky.com/downloads.

About Kaspersky Lab

Kaspersky Lab is the world's largest privately-held Internet Security company, providing comprehensive protection against all forms of IT threats such as viruses, spyware, hackers and spam. The company's products provide in-depth defense at work, at home and on the road for home and mobile users, small and medium sized businesses and large enterprises, protecting more than 250 million systems around the globe. Kaspersky technology is also incorporated inside the products and services of approximately 100 of the industry's leading IT, networking, communications and applications solution vendors. For further information about the company, please visit http://www.kaspersky.com/. Friend us on Facebook at www.facebook.com/KasperskyLabAmericas. Follow @Kaspersky on Twitter.

For the latest in-depth information on security threat issues and trends, please visit http://www.viruslist.com/.

For the most up-to-date world security news, visit http://www.threatpost.com/. Follow @Threatpost on Twitter.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights