Koobface Botnet Rakes in $2 Million in a Year

A new report has pulled the veil away from the Koobface botnet,
exposing how the operation made more than $2 million between June
2009 and June 2010.

The money-making schemes of the Koobface gang were revealed in a sweeping paper (PDF) released
by Information Warfare Monitor (IWM), a joint venture backed by
researchers from the SecDev Group and the Citizen Lab in the Munk
School of Global Affairs at the University Toronto. The report,
entitled "Koobface: Inside a Crimeware Network," lays out information about the botnet’s infrastructure and how
its operators have turned an army of bots into millions of dollars.

"Through the use of pay-per-click and pay-per-install affiliate
programs, Koobface was able to earn over US$2 million between June 2009
and June 2010 by forcing compromised computers to install malicious
software and engage in click fraud," blogged Nart Villeneuve,
author of the report and chief research officer at SecDev. "This, of
course, does not occur in a vacuum but within a malware ecosystem that
sustains and monetizes botnet operations."

In the paper, Villeneuve wrote that IWM had discovered a URL
path on "a well-known Koobface command and control server" and had been
able to download archived copies of the command and control
infrastructure. From there, they were able to gain information about
the malware, code and database used to maintain Koobface, as well as
the gang’s affiliate programs.

"The Koobface operators maintain a server known as the mothership,"
the report states. "The mothership acts as an intermediary between the
PPC (pay-per-click) and rogue security software affiliates and the
compromised victims. This server receives intercepted search queries
from victims’ computers and relays this information to Koobface’s PPC affiliates."

From there, the affiliates provide the advertisement links that are
sent to the user, the report notes. When the user clicks on the
search results, they are sent to one of the provided advertisement
links instead of their intended destination. In addition, Koobface will
receive and display URLs to bogus antivirus software landing pages or
directly push rogue security software binaries to infected computers.

For more, read the eWeek article How the Koobface Botnet Made $2 Million in a Year.