Koobface Spills Water on Researchers’ Efforts to Bring it Down

Though the Hong Kong security experts succeeded in taking down Koobface botnet's key component in the third week of April 2010, it appears that their efforts have gone in vain.

The Honk Kong experts have described this key component as the Koobface File Transfer Protocol (FTP) grabber component. It is a LDPINCH Trojan family variant which generally forwards thieved FTP usernames as well as passwords to a distant Koobface gang-controlled server.

Mainly because of the efforts of the HKCERT (Hong Kong Computer Emergency Response Team Coordination Centre), this Hong Kong situated remote server was successfully shut down. However, the gang quickly shifted their server to a China-based hosting company.

According to a TrendLabs researcher, when some shuts down a botnet server, it is a tendency that bot masters tend to hire bulletproof hosting services, or say, the services of those hosting companies which cannot be easily taken down. This means that apart from it being a business for cyber gangs, it also means that the miscreants are propping up their defenses, as reported by thenewnewinternet.com on April 23, 2010.

Koobface worm circulates through messages on social networking networks such as Twitter and Facebook. Cyber criminals responsible for the intricate malware earn huge bucks by circulating scareware packages onto the systems that have been compromised, and via other cyber scams, that includes information harvesting. Indeed, it has been over a year since the experts first spotted the botnet.

Moreover, even though Koobface gets less push than the malware linked with the high-profile Conficker worm or Google China attacks, experts believe it to be both more complicated and a severe security threat, especially because of the huge database that is associated with the worm, estimated to be above 350 Million users, as per the data revealed by the security firm Sophos in February 2010.

This recent development supports the report by Kaspersky Labs, a Russian Internet security firm. The report says that the C&C servers associated with the notorious Koobface have completely revived during mid to end February 2010. The worm is back on the Facebook, is active, and is waiting to damage users' machine if they click on the wrong link. Kaspersky reported that this rebounding might have the objective to make this battle against the botnet tougher.

Related article: Koobface Worm Still Active on Facebook Through Hacked Accounts

» SPAMfighter News - 5/4/2010