The Evolution of Koobface


The Koobface botnet, which first hit Facebook and MySpace in July 2008 and convinces victims to download malware that can steal credit card data, is a textbook example of the creativity and ingenuity of cybercriminals. As methods of detecting and blocking the Koobface malware were developed, and as new ways to monetize the botnet were needed, Koobface’s creators became adept at adapting their invention to new scenarios. We can expect similar levels of innovation from today’s cybercriminals.

Below is a chronology of Koobface’s most significant milestones from the paper Koobface: The Evolution of the Social Botnet, co-authored by Cisco security researchers and researchers from the University of Alabama at Birmingham.

  • August 2008, spoofs URLs: In the first week after Koobface launched, the URLs in the messages delivered to potential victims were modified to appear innocuous. For instance, the URL prefix might have been altered so that the link appeared to lead to Google. In addition, the domains were part of a “Fast Flux” network, in which domain name system (DNS) records are rotated so that the IP address a hostname resolves to keeps changing, which complicates takedowns and investigations.
  • September 2008, reroutes traffic: Koobface adds a new executable, tinyproxy.exe, which allows Koobface operators to route traffic through their own nodes (the infected machines running the proxy) instead of through a third-party Fast Flux infrastructure. This removed their dependence on someone else’s infrastructure, saving them money and giving them more control over their “product.”
  • December 2008, expands to other sites: Koobface expands the sites on which it could operate to other social networks, including Bebo and Friendster. The list expanded again in March 2009 to include such sites as LiveJournal, NetLog, and
  • March 2009, adds spam as delivery vehicle: Koobface begins to be delivered via spam campaigns instead of just social networks.
  • July 2009, shows up on Twitter: Koobface surfaces on Twitter, very likely because the shortened URLs commonly posted by Twitter users mask the offending Koobface URLs.
  • July 2009, changes DNS servers: Koobface adds a DNS changer, which points the victim’s DNS settings at a server controlled by the criminals, allowing them to hijack any hostname they want. For example, if a victim tried to log in to their online bank account, they could be redirected to the scammers’ own server, with no change to the bank’s real site needed.
  • August 2009, redirects search engine results: Koobface adds a new way to monetize itself by adding search engine result redirection on infected computers. Victims were redirected through various ad affiliate sites before finally landing on the sought-after page.
  • August 2009, adds reputation hijacking: Koobface avoids “bad reputation” filters by using sites with a good reputation, such as, as its advertised destination so that users felt comfortable clicking on the link. However, these pages were created by the malware itself.
  • December 2009, creates fake malware warnings: Koobface creates a warning about downloading malware that appeared to originate from Facebook itself — but the link for the so-called “Facebook Security Update” executed the Koobface malware.
  • December 2009, defeats CAPTCHA protections: Social networking sites add CAPTCHA tests for users who post URLs. Koobface dodges this protection by relaying the CAPTCHA to other infected computers in the botnet and displaying it to an unsuspecting user there with a bogus warning that their Microsoft Windows operating system will shut down unless they type in the CAPTCHA text.
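Two of the milestones above, the Fast Flux domains of August 2008 and the operator-run proxy network of September 2008, share one observable: the same hostname resolves to a steadily changing set of IP addresses with very short TTLs. The heuristic below is an added example, not code from the report or from the Koobface research, showing how a defender can flag that pattern from passive DNS records. It also shows why IP count alone is a poor signal: a CDN hostname also has short TTLs and many addresses, but they normally sit in one autonomous system, whereas a flux network built from compromised home machines spreads across many. The records, hostnames, addresses (from the documentation ranges) and AS numbers are all constructed for the example, and the thresholds are assumptions to be tuned against local data.

```python
"""Fast-flux heuristic over passive DNS records (added example, constructed data)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Resolution:
    ts: int         # seconds since epoch when the answer was observed (constructed)
    hostname: str
    ip: str         # A record returned
    ttl: int        # TTL of that A record, in seconds
    asn: int        # origin AS of ip, as an enriched passive-DNS feed would supply it


def analyze(records, max_ttl=300, min_ips=5, min_asns=3):
    """Return per-hostname statistics and a fast_flux flag.

    A hostname is flagged when its answers have short TTLs AND rotate through
    many distinct IPs AND those IPs are spread over many ASNs. The ASN
    condition is what separates a flux network of compromised consumer
    machines from a CDN, which is short-TTL and multi-IP but single-AS.
    """
    by_host = defaultdict(list)
    for r in records:
        by_host[r.hostname].append(r)

    results = {}
    for host, rs in by_host.items():
        ips = {r.ip for r in rs}
        asns = {r.asn for r in rs}
        avg_ttl = sum(r.ttl for r in rs) / len(rs)
        flagged = (avg_ttl <= max_ttl and len(ips) >= min_ips
                   and len(asns) >= min_asns)
        results[host] = {
            "ips": len(ips),
            "asns": len(asns),
            "avg_ttl": avg_ttl,
            "fast_flux": flagged,
        }
    return results


# Constructed sample: one flux-style host, one CDN-style host, one static host.
# AS numbers are from the range reserved for documentation (64496-64511).
SAMPLE = [
    Resolution(0,   "flux.example", "198.51.100.10",  60, 64496),
    Resolution(60,  "flux.example", "203.0.113.22",   60, 64497),
    Resolution(120, "flux.example", "192.0.2.7",      60, 64498),
    Resolution(180, "flux.example", "198.51.100.88",  60, 64496),
    Resolution(240, "flux.example", "203.0.113.140",  60, 64499),
    Resolution(300, "flux.example", "192.0.2.200",    60, 64497),
    # CDN-like: short TTL, several IPs, but all announced by a single AS.
    Resolution(0,   "cdn.example",  "192.0.2.1",      20, 64500),
    Resolution(20,  "cdn.example",  "192.0.2.2",      20, 64500),
    Resolution(40,  "cdn.example",  "192.0.2.3",      20, 64500),
    Resolution(60,  "cdn.example",  "192.0.2.4",      20, 64500),
    Resolution(80,  "cdn.example",  "192.0.2.5",      20, 64500),
    # Ordinary host: long TTL, one address.
    Resolution(0,   "static.example", "203.0.113.5", 3600, 64501),
]


def flagged_hosts(records=SAMPLE, **thresholds):
    """Convenience wrapper: sorted list of hostnames the heuristic flags."""
    stats = analyze(records, **thresholds)
    return sorted(h for h, s in stats.items() if s["fast_flux"])


if __name__ == "__main__":
    for host, stats in analyze(SAMPLE).items():
        print(f"{host:16} ips={stats['ips']} asns={stats['asns']} "
              f"avg_ttl={stats['avg_ttl']:.0f}s fast_flux={stats['fast_flux']}")
```

On the sample, only flux.example is flagged; cdn.example fails the ASN-diversity test and static.example fails all three. In practice the ASN lookup would come from a passive-DNS feed or a local BGP table, and the thresholds should be set from a baseline of known-good domains before the rule is used for alerting.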

Excerpted and adapted from the Cisco 2010 Annual Security Report
