Kaspersky Lab Discovers Koobface Worm Doubles its Number of Command and Control Servers in 48 Hours

12 Mar 2010
Virus News

Kaspersky Lab warns of a surge in Koobface, the highly prolific worm infecting social networking sites. The malicious program targets sites such as Facebook and Twitter and uses compromised legitimate websites as proxies for its main command and control server.

During the past two weeks, the Kaspersky Lab research team has observed the Koobface live C&C servers shut down or cleaned, on average, three times per day. The number dropped steadily from 107 on February 25, to as low as 71 on March 8. Then, in just 48 hours, the number grew from 71 to 142, precisely doubling its total number, which all Koobface-infected computers use to get remote commands and updates.


The Koobface command and control infrastructure can be observed when looking at the evolution of the geographical location of IP addresses used to communicate with the infected computers. The usage of C&C servers is increasing mostly in the United States, growing from 48 percent to 52 percent. Currently, more than half of the Koobface C&C servers are hosted in the United States, far exceeding any other country.

“These latest happenings give us some indications of how the Koobface gang takes care of its infrastructure,” says Stefan Tanase, Senior Regional Researcher, Kaspersky Lab EEMEA. “Based on this, we can conclude that the cybercriminals are constantly monitoring their infrastructure status. They don't want the number of C&C servers to drop too much, as that would mean losing their control over the botnet. When the number of active C&C servers drops to a critical level, they seem to be ready to implement dozens of new ones. The total number of Koobface C&C servers is constantly fluctuating, going from over a hundred to under a hundred and back again in a matter of weeks. It seems that when 100 C&C servers are online, the Koobface gang is relaxed. They also prefer to have their C&C servers distributed across the globe and with different ISPs, in order to make the take-down process harder. However, most of the Koobface C&C servers remain in the United States.”

Kaspersky Lab would like to provide a few tips for users:

  • Be cautious when opening links in suspicious messages, even if the sender is one of your trusted Facebook friends.
  • Use an up-to-date, modern browser: Firefox 3.x, Internet Explorer 8, Google Chrome, Opera 10 etc.
  • Divulge as little personal information as possible. Do not give out your home address, telephone number or other private details.
  • Keep your antivirus software updated to prevent new versions of malware from attacking your computer.

Kaspersky Lab users running any of the Company’s current anti-malware products are fully protected from all known variants of Koobface. Kaspersky Lab’s global team of analysts are keeping a close eye on all threats coming from the social networking space, monitoring the malicious activity and constantly updating the protection customers receive.

About Kaspersky Lab

Kaspersky Lab is the largest antivirus company in Europe. It delivers some of the world’s most immediate protection against IT security threats, including viruses, spyware, crimeware, hackers, phishing, and spam. The company is ranked among the world’s top four vendors of security solutions for endpoint users. Kaspersky Lab products provide superior detection rates and one of the industry’s fastest outbreak response times for home users, SMBs, large enterprises and the mobile computing environment. Kaspersky® technology is also used worldwide inside the products and services of the industry’s leading IT security solution providers. Learn more at www.kaspersky.co.uk. For the latest on antivirus, anti-spyware, anti-spam and other IT security issues and trends, visit www.viruslist.com.