Pursuing Koobface and ‘Partnerka’ — Krebs on Security.
Brian Krebs highlights Nart Villeneuve’s detailed analysis of Koobface. This is the most detailed analysis I’ve read about how one type of botnet thrives.
The entrée point for Koobface is almost irresistible: a link sent from a fake “friend” prompting a visit to a video site that purportedly reveals the recipient captured naked from a hidden web cam. Who wouldn’t follow that link? But for the hapless recipient, that one click leads down a Kafka-esque rabbit hole of viruses and Trojan horses, and straight into the tentacles of the Koobface network.
In a sense, Koobface, while malware, is the opposite of Zeus because the value per illicit transaction is very low, while Zeus’s transaction value is very high.
The operators of Koobface have been able to successfully monetize their operations. Through the use of payper-click and pay-per-install affiliate programs, Koobface was able to earn over US$2 million between June 2009 and June 2010 by forcing compromised computers to install malicious software and engage in click fraud.
Without a victim, particularly a complainant, it is almost impossible for a police force to justify the resources to investigate a case like Koobface. Police officers ask: what’s the crime? Prosecutors ask: what or whom am I supposed to prosecute? In the case of Koobface, it is almost as if the system were purposefully designed to fall between the cracks of both questions.
New preventive and detective controls are needed to combat this new generation of malware. Think about this:
A recent study by Bell Canada suggested that CA$100 billion out of $174 billion of revenue transiting Canada’s telecommunications infrastructure is “at risk.” The same operator measured over 80,000 “zero day” attacks per day targeting computers on its network — meaning, attacks that are so new the security companies have yet to
register them.
Next-generation defense-in-depth includes both preventive and detective controls.
Preventive network security controls must include (1) next generation firewalls which combine application-level traffic classification and policy management with intrusion prevention, and (2) 0-day malware prevention which is highly accurate and has a low false positive rate.
Detective controls must include (1) a Log/SIEM solution which uses extensive contextual information to generate actionable intelligence , and (2) a cloud-based botnet detection service which can alert you to compromised devices on your network.