The Information Warfare Monitor (Citizen Lab, Munk School of Global Affairs, University of Toronto and The SecDev Group, Ottawa) announce the release of Koobface: Inside a Crimeware Network by Nart Villeneuve, with a foreword by Ron Deibert and Rafal Rohozinski.

This report documents the inner workings of Koobface—a botnet that spreads by compromising the computers of users of social networking platforms and placing them under the control of the botnet’s operators for the purpose of monetization.

The full report can be accessed here.

The Globe and Mail coverage of the report can be accessed here.

For press inquiries, please e-mail:


Between April and November 2010, the Information Warfare Monitor conducted an investigation into the operations and monetization strategies of the Koobface botnet. The researchers discovered archived copies of Koobface’s infrastructure on a well-known Koobface command and control server. The data revealed a wealth of information about the inner workings of the botnet, including information on the malware, code, and database used to maintain the botnet as well as its monetization strategies. With this data, the Information Warfare Monitor was able to gain an in-depth understanding of how Koobface worked.

Koobface: Inside a Crimeware Network details Koobface’s propagation strategies, counter-security measures, and business model. The report contributes to the cybercrime literature by shedding light on the malware ecosystem that enables and sustains cybercriminal activity, and by demonstrating that it is possible to leverage the mistakes made by cybercriminals in order to better understand the scope of their operations.

Main Findings:

• Koobface relies on a network of compromised servers that are used to relay connections from compromised computers to the Koobface command and control server. This creates a complex and tiered command and control infrastructure.

• Koobface maintains a system that uses social networking platforms, such as Facebook, to send malicious links. Social networking platforms allow Koobface to exploit the trust that humans have in one another in order to trick users into installing malware and engaging in click fraud.

• Koobface exists within a crime-friendly malware ecosystem that consists of buyers and sellers of the tools and infrastructure required to maintain a botnet. Koobface operators rely on relationships with other botnet operators and cybercriminals to sustain their operations.

• The operators of Koobface have been able to successfully monetize their operations. Through the use of pay-per-click and pay-per-install affiliate programs and forcing compromised computers to install malicious software and engage in click fraud, the Koobface operators earned over US$2 million between June 2009 and June 2010.

• The operators of Koobface are employing technical countermeasures to ensure that the operations of the botnet remain undisrupted. The operators regularly monitor their malicious links to ensure that they have not been flagged as malicious.

• Botnet operators benefit from the fact that their criminal acts spread across multiple jurisdictions. Issues of overlapping jurisdictions and international politics often complicate investigations and hinder law enforcement and takedown efforts. Furthermore, cross-border investigations are at times hampered by a lack of priority and willingness to respond. This is because criminal activity in any one jurisdiction appears minimal while in fact the sum of Koobface’s criminal activities is significant.

About the Information Warfare Monitor

The Information Warfare Monitor is a public-private venture between two Canadian institutions: the Citizen Lab at the Munk School of Global Affairs, University of Toronto and the SecDev Group, an operational think tank based in a Ottawa (Canada). The Information Warfare Monitor is an advanced research activity tracking the emergence of cyberspace as a strategic domain. We are an independent research effort. Our mission is to build and broaden the evidence base available to scholars, policy makers, and others. We aim to educate and inform. The research of the Citizen Lab and the Information Warfare Monitor is supported by the Canada Centre for Global Security Studies (University of Toronto), a generous grant from the John D. and Catherine T. MacArthur Foundation, in-kind and staff contributions from the SecDev Group, and a generous donation of software from Palantir Technologies Inc.