Koobface command-and-control servers double in 48 hours

12 March 2010

Kaspersky Lab has reported a massive surge in activity surrounding Koobface, a highly prolific worm that infects social networking sites.

As reported previously by Infosecurity, the malicious Koobface program targets sites such as Facebook, MySpace and Twitter, and uses compromised legitimate websites as proxies, getting them to act as command and control (C&C) servers.

Over the last two weeks, Kaspersky's research team say they have seen Koobface live C&C servers shut down or cleaned, on average, three times per day.

The IT security vendor says that the number dropped steadily from 107 on February 25, to 71 on March 8. Then, in just 48 hours, the number grew from 71 to 142 – an exact doubling in the number of C&C servers.

Kaspersky says that the evolution of the Koobface C&C infrastructure can be observed by looking at how the geographical location of the IP addresses used to communicate with infected computers changes over time.

The firm reports that usage of C&C servers is increasing mostly in the US, growing from 48% to 52%. Currently, Kaspersky adds, more than half of the Koobface C&C servers are hosted in the US, which is more than any other country.

Stefan Tanase, Kaspersky Lab's EEMA senior regional researcher, said that these latest happenings "give us some indications of how the Koobface gang takes care of its infrastructure."

"Based on this, we can conclude that the cybercriminals are constantly monitoring their infrastructure status. They don't want the number of C&C servers to drop too much, as that would mean losing their control over the botnet", he said.

According to Tanase, when the number of active C&C servers drops to a critical level, they seem to be ready to implement dozens of new ones.

"The total number of Koobface C&C servers is constantly fluctuating, going from over a hundred to under a hundred and back again in a matter of weeks. It seems that when 100 C&C servers are online, the Koobface gang is relaxed", he said.

"They also prefer to have their C&C servers distributed across the globe and with different ISPs, in order to make the take-down process harder. However, most of the Koobface C&C servers remain in the US", he added.

As a result of the surge in Koobface activity, Kaspersky Lab is advising internet users to be very cautious when opening links in suspicious messages, even if the sender is a trusted Facebook friend.

Web users are also advised to use an up-to-date, modern browser such as Mozilla Firefox 3.x, Internet Explorer 8, Google Chrome or Opera 10, and to reveal as little personal information as possible on the web.

Finally, internet users are advised to keep their antivirus software updated to prevent new versions of malware from attacking their PC.
