The phrase "survival of the fittest" seems particularly apt when it comes to the Koobface worm. Over the years, the notorious social networking botnet has survived an almost unrelenting media spotlight, a series of security improvements by its targets and even a large international takedown, and it has so far managed to stay on its feet. That adaptability may serve it well as it enters the next phase of its existence.
The prolific Koobface botnet, whose name is an anagram of Facebook, got its start hijacking social networking accounts through a myriad of social engineering schemes. Typically a victim would be lured by a link posted to their Facebook wall promising an entertaining video that could be viewed only after downloading or upgrading "Flash software." In reality, the supposed Flash update was the Koobface worm itself: once run, it installed the bot code that gave the attackers control of the victim's machine, then used the hijacked account to repeat the lure to everyone on the victim's friends list.
The botnet was set back somewhat by a collaborative takedown in 2010 between law enforcement and security researchers, which knocked about 80 of its roughly 100 central "mothership" servers offline, says Derek Manky, Fortinet senior security strategist. "However, the Koobface controllers were able to leverage the botnet's infrastructure to use other infections they had in hand to regain control of the botnet and establish new control servers."
Then last month, investigators uncovered the identities of five suspected members of the Koobface gang after one of them registered a domain using a real e-mail address. That clue ultimately led investigators to a slew of online forums, websites, social networks and even Google Picasa photographs that further revealed the suspects, who, ironically, were announcing their whereabouts by checking in on Foursquare, updating Twitter accounts and taking elaborate vacations to Monte Carlo and Bali, according to the New York Times. However, no arrests have yet been made.
Thanks in part to prolonged media attention as well as improvements to Facebook's security systems, the worm has stayed away from the world's largest social network for nine months and counting. "Facebook was its main attack vector over the years. However, since they have been in the spotlight, activity has dropped as of late, since the perpetrators appear to shed some fear," Manky says.
So what lies in store for Koobface down the road? With its controllers not yet behind bars, the future of the botnet remains unclear. One possibility is that the Koobface code will be handed over to others, who will repurpose it for their own nefarious goals.
“The tech is there. It's just a matter of them either handing the 'keys' to someone else, or the code and framework being leaked in one way or another,” Manky says. “Either way, tech like this will continue to evolve and be a problem in cyberspace.”
You can find out more about the Koobface botnet from Derek Manky, who details the history and tentative future in the following Network World podcast.