Koobface: Inside a Crimeware Network

The Information Warfare Monitor (Citizen Lab, Munk School of Global Affairs, University of Toronto and the SecDev Group, Ottawa) announce the release of Koobface: Inside a Crimeware Network by Nart Villeneuve, with a foreword by Ron Deibert and Rafal Rohozinski.

The full report can be accessed here (local mirror):

Globe and Mail coverage of the report can be accessed here:

Koobface is a notorious botnet that leverages social networking platforms to propagate. Since, people are much more likely to execute a malicious file if it has been sent to them by someone they know and trust, the Koobface operators, known as “Ali Baba and 40 LLC” have developed a system that that uses social networking platforms such as Facebook to send messages containing malicious links. These links redirect users to false YouTube pages that encourage users to download malicious software masquerading as a video codec or a software upgrade.

In late April 2010, I discovered archive files on a well known Koobface servers that provided an inside look at the operations and monetization strategies of the Koobface botnet. The contents of these archives revealed the malware, code, and database used to maintain Koobface. It also revealed information about Koobface’s affiliate programs and monetization strategies. There are three main issues that have stood out for me throughout this investigation.

The first is the level of Koobface’s financial success. The operators of Koobface have been able to successfully monetize their operations. Through the use of pay-per-click and pay-per-install affiliate programs, Koobface was able to earn over US$2 million between June 2009 and June 2010 by forcing compromised computers to install malicious software and engage in click fraud. This, of course, does not occur in a vacuuum but within a malware ecosystem that sustains and monetizes botnet operations.

The second concerns the countermeasures taken by Koobface against the security community.Koobface maintains a banlist of IP addresses that are forbidden from accessing Koobface servers. In addition, Koobface operators carefully monitor whether any of their URLs have been flagged as malicious by bit.ly or Facebook and they also monitor their malware links with the Google Safe Browsing API. This is part of a trend where malware authors check their malicious software against a variety of security products to ensure that there is only limited protection.

Finally, botnets such as Koobface present significant, but not impossible, challenges for law enforcement. Botnet operators leverage geography to their advantage, often exploiting Internet users from all countries but their own. While the total amount of criminal activity that the botnet operators engage in may be significant, the distribution of that criminal activity across multiple jurisdictions means that the criminal activity in any one jurisdiction is minimal. In addition, botnet operators leverage Internet infrastructure around the world, making it difficult to interfere with their operations.

However, botnet operators, such as those behind Koobface, do make mistakes. Information sharing and persistent monitoring can uncover the details of botnet operations. Therefore, it is important that the law enforcement and security community continue to share information and work closely together. An understanding of the inner workings of crimeware networks allows law enforcement to pursue leads and the security community to develop better defenses against malware attacks.

This report was made possible thanks to the guidance and encouragement of Ron Deibert and Rafal Rohozinski, the principal investigators of the Information Warfare Monitor. This report is built upon the research of members of the security community and I would like to thank all those who have documented the operations of Koobface over the years, especially Dancho Danchev and Trend Micro’s Threat Research Team. I would like to acknowledge and thank Chris Davis and Jose Nazario for sharing their knowledge and providing advice. In addition, I would like to thank the RCMP, the FBI, the UK Police, and AusCERT for their assistance. Finally, a special thanks is due to Jan Droemer who discovered the same data and shared his analysis and insights.

For more information on Koobface, see:

The Real Face of KOOBFACE: The Largest Web 2.0 Botnet Explained

“The Heart of KOOBFACE: C&C and Social Network Propagation

Show Me the Money! The Monetization of KOOBFACE

Web 2.0 Botnet Evolution: KOOBFACE Revisited

Koobface Gang Responds to the “10 Things You Didn’t Know About the Koobface Gang Post”

Koobface – the social network trojan


  1. […] 2010 by forcing compromised computers to install malicious software and engage in click fraud,” blogged Nart Villeneuve, author of the report and chief research officer at SecDev. “This, of course, does not occur in a […]

  2. […] compromised computers to install malicious software and engage in click fraud,” blogged Nart Villeneuve, author of the report and chief research officer at SecDev. “This, of course, does not occur […]

Post a comment.