Following evidence detected last week by Kaspersky Lab that the Koobface botnet is able to refresh itself and double its number of command and control (C&C) servers in a 48-hour period, new research recorded an increase over the last weekend.

Umesh Wanve, senior security research engineer at Zscaler, said that on Sunday 14th March the company detected a large number of Koobface worm transactions over the internet and an increase in the worm's network traffic to 122 unique C&C servers.

He said: “Weekends are busy social networking days for users, and the Koobface worm presumably took advantage of this. We saw an increase in unique C&C servers from the last few days and a sudden increase on Sunday.”

A chart of the number of unique domains used per day last week showed the count going from one to zero between the 8th and 9th, up to 75 on Wednesday 10th, back down to zero on the 11th, 12th and 13th, and then surging to 122 on the 14th.

Zscaler also showed that the USA hosts 57 per cent of servers, 13 per cent are in Germany and eight per cent are in the UK.

Wanve said: “Attackers are creating new variants of the Koobface worm to infect the large number of users using social networking sites. They are not only using new domains for their C&C servers, but are also taking advantage of social networking usage over weekends.

“We have seen increases in social networking usage and social networking attacks over the last years. The Koobface worm has shown that once a user is infected, their social networking account can be used to easily spread malware.”