UPDATE: The Koobface gang is upgrading the command and control infrastructure in response to the positive ROI out of the takedown activities. This of course doesn't mean that enough evidence on "who's who" behind Koobface and a huge percentage of the currently active malware campaigns targeting Web 2.0 properties hasn't been gathered already.

We express our high gratitude to Dancho Danchev (http://ddanchev.blogspot.com) for the help in bug fixing, researches and documentation for our software.
With Koobface worm's Twitter campaign currently in a stand by mode due to the publicity it attracted, as well as the fact that the central redirection points used in the campaign are down, let's assess the current Koobface hosting infrastructure, with an emphasis on UKSERVERS-MNT (AS42831) which stopped responding to abuse notifications as of Sunday.


Since they presumed I don't take lying personally, half an hour later I checked again and the Koobface command and control servers were operational again. The company forwarded the responsibility to the customer and said they closed down the account.
Upon execution the Koobface binary phones back to upr0306 .com/achcheck.php; upr0306 .com/ld/gen.php (78.110.175.15) and attempts to download upload.octopus-multimedia .be/1/pdrv.exe; upload.octopus-multimedia .be/1/pp.10.exe.
UKSERVERS-MNT (AS42831) is also known with its connections to gumblar.cn malware campaigns, as well as having hosted a domain (supernerd.org) part of a Photobucket malvertising campaign.
Related posts:
Dissecting Koobface Worm's Twitter Campaign
Dissecting the Koobface Worm's December Campaign
Dissecting the Latest Koobface Facebook Campaign
The Koobface Gang Mixing Social Engineering Vectors
This post has been reproduced from Dancho Danchev's blog.
Labels: Botnet, Hacking, Information Security, Koobface, Malicious Software, Security