Kaspersky Lab has warned of a surge in Koobface, the highly prolific worm infecting social networking sites. The malicious program targets sites such as Facebook and Twitter and uses compromised legitimate web sites as proxies for its main command and control server.
During the past two weeks, the Kaspersky Lab research team has observed live Koobface command and control servers being shut down or cleaned, on average, three times per day. The number of live servers dropped steadily from 107 on 25 February to as low as 71 on 08 March. Then, in just 48 hours, it grew from 71 to 142, exactly doubling.
The changes in the Koobface command and control infrastructure can be seen in how the geographical location of the IP addresses used to communicate with infected computers evolves over time. The use of command and control servers is increasing mostly in the US, growing from 48% to 52%.
“These latest happenings give us some indications of how the Koobface gang takes care of its infrastructure,” says Stefan Tanase, senior regional researcher at Kaspersky Lab EEMEA. “Based on this, we can conclude that the cybercriminals are constantly monitoring their infrastructure status. They do not want the number of command and control servers to drop too much, as that would mean losing their control over the botnet. When the number of active command and control servers drops to a critical level, they seem to be ready to implement dozens of new ones.
“The total number of Koobface command and control servers is constantly fluctuating, going from over 100 to under 100 and back again in a matter of weeks. It seems that when 100 servers are online, the Koobface gang is relaxed. They also prefer to have their command and control servers distributed across the globe and with different ISPs, in order to make the take-down process harder.”
Kaspersky Lab offers the following tips for users:
* Be cautious when opening links in suspicious messages, even if the sender is one of your trusted Facebook friends.
* Use an up-to-date, modern browser: Firefox 3.x, Internet Explorer 8, Google Chrome or Opera 10.
* Divulge as little personal information as possible. Do not give out your home address, telephone number or other private details.
* Keep your antivirus software updated to prevent new versions of malware from attacking your computer.