A new report has pulled the veil away from the Koobface botnet, exposing how the operation made more than $2 million between June 2009 and June 2010.
The money-making schemes of the Koobface gang were revealed in a sweeping paper (PDF) released by Information Warfare Monitor (IWM), a joint venture backed by researchers from the SecDev Group and the Citizen Lab in the Munk School of Global Affairs at the University Toronto. The report, entitled "Koobface: Inside a Crimeware Network," lays out information about the botnet's infrastructure and how its operators have turned an army of bots into millions of dollars.
"Through the use of pay-per-click and pay-per-install affiliate programs, Koobface was able to earn over US$2 million between June 2009 and June 2010 by forcing compromised computers to install malicious software and engage in click fraud," blogged Nart Villeneuve, author of the report and chief research officer at SecDev. "This, of course, does not occur in a vacuum but within a malware ecosystem that sustains and monetizes botnet operations."
In the paper, Villeneuve wrote that IWM had discovered a URL path on "a well-known Koobface command and control server" and had been able to download archived copies of the command and control infrastructure. From there, they were able to gain information about the malware, code and database used to maintain Koobface, as well as the gang's affiliate programs.
"The Koobface operators maintain a server known as the mothership," the report states. "The mothership acts as an intermediary between the PPC (pay-per-click) and rogue security software affiliates and the compromised victims. This server receives intercepted search queries from victims' computers and relays this information to Koobface's PPC affiliates."
From there, the affiliates provide the advertisement links that are sent to the user, the report notes. When the user clicks on the search results, they are sent to one of the provided advertisement links instead of their intended destination. In addition, Koobface will receive and display URLs to bogus antivirus software landing pages or directly push rogue security software binaries to infected computers.
For more, read the eWeek article How the Koobface Botnet Made $2 Million in a Year.