The Bankwatch

Tracking the consumer evolution of financial services

Detailed analysis of Koobface botnet and its integration with advertising networks

The document noted here contains a detailed description and analysis of the Koobface botnet.  It is run by people in Russia and other countries, and it is designed to make money.  Koobface is an anagram of Facebook, a name it leverages liberally to encourage clicks and installation of its malware.

Courtesy of Infowar Monitor: Koobface (PDF)

The operators of Koobface have been able to setup a stable botnet infrastructure that allows them to maintain tens of thousands of compromised computers and profit immensely from PPC and PPI, earning a total of $2,067,682.69 between June 23, 2009 and June 10, 2010.


The document contains all the technical details, based on the researchers' analysis of the actual files used by the botnet.

In simple terms, targets receive an invite and link from compromised Facebook accounts.  This link typically takes the unsuspecting user to a fake YouTube page located on a compromised server operated by Koobface.  Clicking through installs the bot software on the user's PC, and the machine is now part of the network.

There are components that harvest the user's Facebook and other social network credentials, so the user's Facebook account is now part of the Koobface network as well.

These affiliate networks pay the Koobface operators for advertisement clicks generated by compromised computers and for installations of fake security software (see figure 9). The monitoring system contains account information for 18 affiliate networks. There are also daily records for earned income organized by affiliates.

The data spans from June 21, 2009 to June 9, 2010, and indicates that a total of $1,994,355.86 was earned.  There were considerable variations in the total amounts earned from affiliates, although not all affiliates were active over the entire time span. Overall, Koobface operators earned roughly the same amount from rogue security software affiliates as they did from PPC affiliates.

Summary and who are the losers?

Affiliate and pay-per-click networks are an important part of internet advertising.  The irony of the Koobface story is that half of its income comes from legitimate PPC networks.  Koobface uses its installed malware to fake ad clicks, and it makes use of redirect links to hide the target URL.

The rest of the money comes from fake ads promoting fake security software, which victims are then charged for.

Losers at a high level that I can identify are:

  1. Google, Yahoo and Microsoft – paying out on fraudulent ad clicks
  2. Advertisers – paying out on fraudulent ad clicks
  3. Users – their computer is doing things behind the scenes unknown to them
  4. Users – paying for fake security software

The dollars involved in this operation are relatively small.  That, plus the spread of the criminals across Russia and Eastern Europe, makes policing this almost impossible, although the report documents some successes.

Written by Colin Henderson

May 28, 2011 at 20:45
