The Koobface worm is able to double its number of command and control servers in a 48-hour period.
According to research by Kaspersky Lab, the Koobface servers refreshed itself three times per day on average, with the number of control nodes dropping steadily from 107 on 25th February, to 71 on the 8th March, before doubling to 142 just two days later on 10th March. Following this, the number of nodes grew from 71 to 142.
Stefan Tanase, senior regional researcher at Kaspersky Lab EEMEA, claimed that the detections showed that cyber criminals are constantly monitoring their infrastructure status.
He said: “They do not want the number of command and control servers to drop too much, as that would mean losing their control over the botnet. When the number of active command and control servers drops to a critical level, they seem to be ready to implement dozens of new ones.
“The total number of Koobface servers is constantly fluctuating, going from over a hundred to under a hundred and back again in a matter of weeks. It seems that when 100 command and control servers are online, the Koobface gang is relaxed. They also prefer to have their command and control servers distributed across the globe and with different ISPs, in order to make the take-down process harder.”
Research revealed that most of the Koobface command and control servers remain in the United States, growing from 48 per cent to 52 per cent, far exceeding any other country.