Koobface worm doubles its number of command and control servers

The shut down and recovery of the Troyak-as command and control center (C&C) for the active Zeus botnet was good news for the whole IT security community.

Unfortunately, as some botnets struggle, others stay unaffected. As part of their relentless effort to stay ahead of cybercriminals, Kaspersky Lab’s research and analysis team have recently monitored a surge in Koobface C&C servers, the highly prolific worm infesting social networking sites. Koobface targets sites such as Facebook and Twitter, and uses compromised legitimate websites as proxies for its main C&C server.

Definition of Command & Control Center: Command and Control centers are servers maintained by the owners of a botnet and used to enable the infected computers to “call back to their masters” and get updates and commands, such as downloading new or more malware, or stealing various computer files or personal information, such as banking accounts.

During the past 2 weeks, the Kaspersky research team has observed the Koobface live C&C servers shut down or cleaned on an average of three times per day. The number dropped steadily from107 on February 25 to as low as 71 on March 8. Then, in just 48 hours, the number grew from 71 to 142, precisely doubling the total number of C&C servers, which all Koobface infected computers use to get remote commands and updates.

Another interesting element currently happening with the Koobface command and control infrastructure can be observed when looking at the evolution of the geographical location of IP addresses used to communicate with the infected computers.

The usage of C&C servers hosted in the United States is increasing, growing from 48 percent to 52 percent. Currently, more than half of the Koobface C&C servers are hosted in the United States, far exceeding any other country.

1. United States 52.23%
2. Germany 8.48%
3. Canada 4.46%
4. Great Britain 3.57%
5. Netherlands 3.13%
6. Denmark 2.68%
7. Turkey 2.68%
8. Belgium 2.68%
9. Austria 2.23%
10. Switzerland 1.79%

Stefan Tanase, Senior Anti-Virus Researcher Kaspersky Lab, comments: “These latest happenings give us some indications on how the Koobface gang takes care of its infrastructure. Based on this, we can conclude that, the cybercriminals are constantly monitoring their infrastructure status. They don’t want the number of their C&C servers to drop too much, as that would mean losing control over the botnet. When the number of running C&C servers drops to a critical level, they seem to be prepared with dozens of new servers. The number of total Koobface C&C servers is always oscillating, going from above to below 100 and back in a matter of weeks. It seems that 100 online C&C servers is the number that is keeping the Koobface gang relaxed. Also, they prefer having their C&C servers distributed all over the world, in different countries with different ISPs, to make the take down process harder. Still, most of the Koobface C&C servers remain in the United States, where most of the Koobface infected computers are located: 40% of the IP addresses that connect to Koobface C&C servers are US based.”




Share this