Busy Days for the Koobface Gang

Symantec Security Response
September 1st, 2009
Tags: Endpoint Protection (AntiVirus), Evolution of Security, Malicious Code, Security, Security Response

Koobface is a worm that infects users by using social engineering attacks. It spreads by abusing social networking websites such as Facebook, Twitter, and MySpace, or by employing search engine optimization (SEO) techniques to lure potential victims to malicious sites.

We have been monitoring Koobface for some time; the findings below are based on data collected over three weeks. They shed some light on the modus operandi of the gang behind Koobface and on how effective its techniques are.

The infrastructure used by the Koobface gang is relatively simple: a central redirection server redirects victims to one of the infected bots where the actual social engineering attack takes place. While the central redirection point has been actively targeted by take-down requests, the Koobface gang has so far been quick to replace suspended domain names and blacklisted IPs with new ones. The figure below shows the timeline of some of the IPs and domain names recently used by the gang:

[Figure: timeline of IP addresses and domain names recently used by the Koobface redirection infrastructure]
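The timeline above is what you get by recording, day by day, which domain names the redirector used and which IP they resolved to. The following is an added example (not code from the Symantec post) that reconstructs such a timeline from sighting records and measures two things a defender cares about: how quickly a suspended domain or blacklisted IP was replaced, and how much of the observed traffic a static blocklist snapshot would actually have stopped. The domains, IPs and dates are constructed for illustration.

```python
"""Reconstruct redirector domain/IP lifetimes from sighting records.

Added example, not part of the original post. Each record is
(day, redirector domain, IP it resolved to), as you might collect from
passive DNS or a sinkhole. All values below are constructed.
"""
from collections import defaultdict
from datetime import date

# Constructed sightings of the central redirector.
SIGHTINGS = [
    ("2009-08-03", "redir-a.example", "198.51.100.10"),
    ("2009-08-04", "redir-a.example", "198.51.100.10"),
    ("2009-08-05", "redir-a.example", "198.51.100.10"),
    # domain suspended; a new domain appears on the same IP the next day
    ("2009-08-06", "redir-b.example", "198.51.100.10"),
    ("2009-08-07", "redir-b.example", "198.51.100.10"),
    # IP blacklisted; the domain is repointed to a fresh IP
    ("2009-08-08", "redir-b.example", "203.0.113.7"),
    ("2009-08-09", "redir-b.example", "203.0.113.7"),
    ("2009-08-10", "redir-c.example", "203.0.113.7"),
]


def lifetimes(sightings):
    """Map every domain and IP to its (first_seen, last_seen) dates."""
    seen = defaultdict(list)
    for day, domain, ip in sightings:
        d = date.fromisoformat(day)
        seen[domain].append(d)
        seen[ip].append(d)
    return {ind: (min(days), max(days)) for ind, days in seen.items()}


def succession(sightings, kind):
    """Indicators of one kind ("domain" or "ip") ordered by first appearance,
    as [(indicator, first_seen, last_seen), ...]."""
    col = 1 if kind == "domain" else 2
    wanted = {rec[col] for rec in sightings}
    life = lifetimes(sightings)
    return sorted(((ind,) + life[ind] for ind in wanted), key=lambda t: t[1])


def replacement_gaps(chain):
    """Days between an indicator's last sighting and its successor's first one.
    A gap of 1 means the replacement was live the day after the old one died;
    0 or negative means the two overlapped."""
    return [(old[0], new[0], (new[1] - old[2]).days)
            for old, new in zip(chain, chain[1:])]


def blocked_fraction(sightings, blocklist):
    """Share of sightings that a static blocklist (set of domains and IPs)
    taken at some point in time would have stopped."""
    hits = sum(1 for _, dom, ip in sightings if dom in blocklist or ip in blocklist)
    return hits / len(sightings)


if __name__ == "__main__":
    for kind in ("domain", "ip"):
        chain = succession(SIGHTINGS, kind)
        for ind, first, last in chain:
            print(f"{kind:6} {ind:18} {first} .. {last}")
        for old, new, gap in replacement_gaps(chain):
            print(f"       {old} -> {new} after {gap} day(s)")
    # What a blocklist built from the first three days would have caught.
    snapshot = {"redir-a.example", "198.51.100.10"}
    print(f"static blocklist coverage: {blocked_fraction(SIGHTINGS, snapshot):.0%}")
```

With the constructed data every replacement lands one day after the takedown, and a blocklist frozen on the third day still sees 62% of later redirector hits only because the gang kept the old IP for two more days; once both indicators rotate, the snapshot catches nothing. Feeding the same functions real passive-DNS or sinkhole data gives the timeline in the figure and a concrete number for how long a given takedown bought.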

We were able to track the IP addresses of infected bots. In the course of three weeks we observed 17,170 distinct infected IP addresses. While IP addresses alone are not generally a good identifier for infected computers (the IP address may change as the host moves or because of dynamic address reassignments), this tracking gives us a basis to gauge the extent of the infection. The figure below shows the geographic location of these Koobface bots.

[Figure: geographic distribution of the 17,170 Koobface bot IP addresses observed]

The use of SEO techniques by Koobface has only recently come under analysis. For example, a recent post by Finjan’s Daniel Chechik described how Koobface automatically creates malicious blogs on Blogspot, Google’s blogging platform, to attract and infect victims. During our monitoring we detected 11,337 such malicious blogs. The figure below shows the trend in the creation of new malicious blogs over two weeks in August; notice that several hundred new blogs are added each day:

[Figure: number of new malicious Blogspot blogs created per day over two weeks in August]
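Both the bot count (17,170 distinct IP addresses) and the blog count (11,337 blogs, several hundred new per day) are the same measurement: the number of distinct identifiers seen over a window, and how many of them are new each day. The following is an added example, not code from the post, that performs that counting on constructed sighting records for both kinds of identifier. It also makes the caveat in the text visible: because a bot's IP can change and be seen again on later days, the sum of per-day distinct IPs exceeds the window-wide distinct count, and neither number is a true host count.

```python
"""Distinct-identifier counts and daily growth for bot IPs and malicious blogs.

Added example, not part of the original post. Records are constructed as
(ISO timestamp, kind, value) where kind is "bot" (value = IP that hit the
redirector) or "blog" (value = URL of a malicious blog post).
"""
from collections import Counter, defaultdict
from urllib.parse import urlparse
import ipaddress

# Constructed sightings.
RECORDS = [
    ("2009-08-10T09:12:00", "bot", "192.0.2.10"),
    ("2009-08-10T09:30:00", "bot", "192.0.2.11"),
    ("2009-08-10T11:02:00", "bot", "192.0.2.10"),          # same IP, same day
    ("2009-08-11T08:00:00", "bot", "192.0.2.10"),          # same IP, next day
    ("2009-08-11T10:45:00", "bot", "198.51.100.5"),
    ("2009-08-12T12:00:00", "bot", "198.51.100.6"),
    ("2009-08-10T10:00:00", "blog", "http://foo-aaa.blogspot.com/2009/08/post-1.html"),
    ("2009-08-10T10:05:00", "blog", "http://foo-aaa.blogspot.com/2009/08/post-2.html"),  # same blog
    ("2009-08-11T13:00:00", "blog", "http://bar-bbb.blogspot.com/"),
    ("2009-08-12T09:00:00", "blog", "http://baz-ccc.blogspot.com/2009/08/x.html"),
    ("2009-08-12T09:30:00", "blog", "http://qux-ddd.blogspot.com/"),
]


def normalize(kind, value):
    """Canonical identifier: a validated IP string for bots, the blog's
    hostname for blogs (so several posts on one blog count as one blog)."""
    if kind == "bot":
        return str(ipaddress.ip_address(value))
    if kind == "blog":
        return urlparse(value).hostname.lower()
    raise ValueError(f"unknown kind {kind!r}")


def distinct(records, kind):
    """All distinct identifiers of one kind over the whole window."""
    return {normalize(kind, v) for _, k, v in records if k == kind}


def daily_new(records, kind):
    """Identifiers seen for the first time on each day (new bots / new blogs)."""
    first_seen = {}
    for ts, k, v in sorted(records):            # ISO timestamps sort chronologically
        if k == kind:
            first_seen.setdefault(normalize(kind, v), ts[:10])
    return dict(sorted(Counter(first_seen.values()).items()))


def daily_active(records, kind):
    """Distinct identifiers seen on each day, regardless of earlier sightings."""
    per_day = defaultdict(set)
    for ts, k, v in records:
        if k == kind:
            per_day[ts[:10]].add(normalize(kind, v))
    return {day: len(ids) for day, ids in sorted(per_day.items())}


if __name__ == "__main__":
    for kind in ("bot", "blog"):
        total = len(distinct(RECORDS, kind))
        print(f"{kind}s: {total} distinct over the window")
        print(f"  new per day:    {daily_new(RECORDS, kind)}")
        print(f"  active per day: {daily_active(RECORDS, kind)}")
    # Caveat from the text: IPs recur across days, so per-day counts do not add up
    # to the window total, and a host that changes address is counted more than once.
    print("sum of daily active bots:", sum(daily_active(RECORDS, "bot").values()),
          "vs distinct:", len(distinct(RECORDS, "bot")))
```

The window-wide distinct count is the figure to quote for "extent of infection", and the daily-new series is what the blog-creation trend plots; the per-day active count is the safer series to compare across time because a single day leaves less room for dynamic address reassignment than three weeks do.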

More than a year has passed since Koobface was first detected; yet, this worm and the people behind it are still very active in keeping their infrastructure up to date, finding new means of propagating the infection, and taking advantage of their victims. Symantec detects the Koobface worm as W32.Koobface.A and W32.Koobface.B.

Marco Cova is a PhD student at the University of California, Santa Barbara and a winner of a Symantec Research Labs Graduate Fellowship. Marco completed this research on Koobface during an internship at the Symantec Research Labs Europe.
