UPDATE: The Koobface gang is upgrading the command and control infrastructure in response to the positive ROI out of the takedown activities. This of course doesn't mean that enough evidence on "who's who" behind Koobface and a huge percentage of the currently active malware campaigns targeting Web 2.0 properties hasn't been gathered already.
We express our high gratitude to Dancho Danchev (http://ddanchev.blogspot.com) for the help in bug fixing, researches and documentation for our software.
The ROI of several abuse notices during the weekend, quick response from China's CERT which took care of 126.96.36.199 (thanks Patrick!), and Oc3 Networks & Web Solutions Llc abuse team which took care of the Koobface activity at 188.8.131.52 -- cgpay-re-230609 .com still responds to the IP -- looks pretty positive and managed to increase the opportunity cost for the Koobface gang since it caused them some troubles during the weekend.
With Koobface worm's Twitter campaign currently in a stand by mode due to the publicity it attracted, as well as the fact that the central redirection points used in the campaign are down, let's assess the current Koobface hosting infrastructure, with an emphasis on UKSERVERS-MNT (AS42831) which stopped responding to abuse notifications as of Sunday.
Following the first abuse notice sent to UKSERVERS-MNT the company temporarily closed the account (184.108.40.206) of the "customer", then brought it back online. Asked why, they responded that the "customer" claimed he's been compromised and that he needs to clean up the mess and secure the server. In reality that means "give us some time to smoothly update DNS records and migrate operations now that all of our command and control locations are offline".
Since they presumed I don't take lying personally, half an hour later I checked again and the Koobface command and control servers were operational again. The company forwarded the responsibility to the customer and said they closed down the account.
Upon execution the Koobface binary phones back to upr0306 .com/achcheck.php; upr0306 .com/ld/gen.php (220.127.116.11) and attempts to download upload.octopus-multimedia .be/1/pdrv.exe; upload.octopus-multimedia .be/1/pp.10.exe.
UKSERVERS-MNT (AS42831) is also known with its connections to gumblar.cn malware campaigns, as well as having hosted a domain (supernerd.org) part of a Photobucket malvertising campaign.
Dissecting Koobface Worm's Twitter Campaign
Dissecting the Koobface Worm's December Campaign
Dissecting the Latest Koobface Facebook Campaign
The Koobface Gang Mixing Social Engineering Vectors
This post has been reproduced from Dancho Danchev's blog.