Learn what the masterminds behind the botnet are doing to earn tons of money

Dec 20, 2011 13:35 GMT  ·  By

The KOOBFACE botnet, which is known for using pay-per-install and pay-per-click schemes to earn its operators millions, has recently been upgraded with a sophisticated traffic direction system (TDS) that handles all of the traffic it sends to affiliate websites.

According to Trend Micro researchers, the TDS redirects traffic to locations that earn the crooks affiliate cash for each user they fool into accessing the specific sites.

Since Google implemented some security mechanisms that make sure botnets can no longer create fake email accounts that are highly useful for spamming and creating social media profiles, the cybercriminals began relying on Yahoo! Mail to help them with this task.

Once the email accounts are made, the botnet uses them to create other accounts on social networking sites such as Twitter, Tumblr, FriendFeed, FC2, livedoor, So-net, and Blogger.

In the third part of the process, images are collected with the help of a new binary component that gathers pictures of celebrities, cars and anything else that might attract unsuspecting users.

In the next stage, dedicated pieces of malware begin creating blog accounts and retrieve content for them from the C&C server. The posts from these rogue blogs are designed specifically to make sure they’ll pop up among the first results in search engines.

By using obfuscated JavaScript code that references the botnet’s TDS domain, the operators are able to track the number of visits to each rogue blog post and redirect victims to the affiliate sites that earn them all that cash.
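As an added example (not code from the article or from Trend Micro's research), the following Python scanner peels percent-encoded `unescape()` layers off the inline scripts of a blog page and flags the combination described above: an `eval`, a location-redirect sink, and a URL pointing at a domain other than the blog's own. The blog host, the TDS domain and the sample page are constructed placeholders.

```python
import re
from urllib.parse import unquote, urlparse

# Redirect sinks commonly used by in-page JavaScript to send the visitor elsewhere.
REDIRECT_SINKS = ("document.location", "window.location", "location.href",
                  "location.replace", "top.location")
URL_RE = re.compile(r"https?://[^\s'\"<>)]+")
UNESCAPE_RE = re.compile(r"unescape\(\s*(['\"])(.*?)\1\s*\)", re.S)
SCRIPT_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.S | re.I)


def deobfuscate(js, max_rounds=5):
    """Replace unescape('%..') calls with their decoded text, repeatedly,
    so nested percent-encoding layers are peeled off one at a time."""
    for _ in range(max_rounds):
        new = UNESCAPE_RE.sub(lambda m: unquote(m.group(2)), js)
        if new == js:
            break
        js = new
    return js


def scan_post(html, own_host):
    """Return the indicators found in the inline scripts of one blog page.
    'suspicious' is set only when eval, a redirect sink and an off-site host
    all appear, which is the pattern the rogue blog posts relied on."""
    findings = {"eval": False, "redirect_sink": False, "offsite_hosts": []}
    for script in SCRIPT_RE.findall(html):
        code = deobfuscate(script)
        findings["eval"] |= "eval(" in code
        findings["redirect_sink"] |= any(s in code for s in REDIRECT_SINKS)
        for url in URL_RE.findall(code):
            host = urlparse(url).hostname or ""
            if host and host != own_host and host not in findings["offsite_hosts"]:
                findings["offsite_hosts"].append(host)
    findings["suspicious"] = (findings["eval"] and findings["redirect_sink"]
                              and bool(findings["offsite_hosts"]))
    return findings


def _pct(text):
    """Fully percent-encode a string (constructed sample input, every char)."""
    return "".join("%%%02X" % ord(c) for c in text)


# Constructed sample page: an inline script that decodes a percent-encoded
# string and hands it to eval(), redirecting the visitor to an off-site host.
SAMPLE_POST = ("<html><body><p>Celebrity photos of the week</p><script>"
               "eval(unescape('" + _pct('document.location="http://tds-example.invalid/go?id=1"')
               + "'))</script></body></html>")
```

Run `scan_post(SAMPLE_POST, "blog-example.invalid")` to see the constructed post flagged with `tds-example.invalid` as its off-site host.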

In 2009 alone, the gang that runs KOOBFACE reportedly earned around $2 million (1.4 million EUR).

To make sure as many Internet users as possible land on their websites, social media sites are also flooded with links. This means that no one should be surprised if all the Facebook posts that promise fabulous prizes are part of this malicious botnet.

“TDS creation definitely provided the KOOBFACE gang a means to more efficiently target celebrity fans, online daters, casual porn surfers, and car enthusiasts. Their TDS allowed them to efficiently handle the increase in the number of unwitting users who land on specially crafted blog posts that lead to various advertising, click-fraud, and other affiliate sites, which all translate to profit,” said Jonell Baltazar, Senior Threat Researcher at Trend Micro.

While the targeted platforms should take active measures against automated bot interactions to prevent these operations, users can rely on security products to mitigate the threats posed by KOOBFACE and other botnets.