Koobface command-and-control servers double in 48 hours

As reported previously by Infosecurity, the malicious Koobface program targets sites such as Facebook, MySpace and Twitter and, through the use of compromised legitimate websites as proxies, gets them to act as command and control (C&C) servers.

Over the last two weeks, Kaspersky's research team say they have seen Koobface live C&C servers shut down or cleaned, on average, three times per day.

The IT security vendor says that the number dropped steadily from 107 on February 25 to 71 on March 8. Then, in just 48 hours, the number grew from 71 to 142 – an exact doubling in the number of C&C servers.

Kaspersky says that changes in the Koobface C&C infrastructure can also be observed by tracking the geographical location of the IP addresses used to communicate with infected computers.

The firm reports that usage of C&C servers is increasing mostly in the US, growing from 48% to 52%. Currently, Kaspersky adds, more than half of the Koobface C&C servers are hosted in the US, which is more than any other country.

Stefan Tanase, Kaspersky Lab's EEMA senior regional researcher, said that these latest happenings "give us some indications of how the Koobface gang takes care of its infrastructure."

"Based on this, we can conclude that the cybercriminals are constantly monitoring their infrastructure status. They don't want the number of C&C servers to drop too much, as that would mean losing their control over the botnet", he said.

According to Tanase, when the number of active C&C servers drops to a critical level, the gang appears ready to bring dozens of new ones online.

"The total number of Koobface C&C servers is constantly fluctuating, going from over a hundred to under a hundred and back again in a matter of weeks. It seems that when 100 C&C servers are online, the Koobface gang is relaxed", he said.

"They also prefer to have their C&C servers distributed across the globe and with different ISPs, in order to make the take-down process harder. However, most of the Koobface C&C servers remain in the US", he added.

As a result of the surge in Koobface activity, Kaspersky Lab is advising internet users to be very cautious when opening links in suspicious messages, even if the sender is one of your trusted Facebook friends.

Web users are also advised to use an up-to-date, modern browser such as Mozilla Firefox 3.x, Internet Explorer 8, Google Chrome or Opera 10, and to reveal as little personal information as possible on the web.

Finally, internet users are advised to keep their antivirus software updated to prevent new versions of malware from attacking their PC.