Feeds

Five Koobface botnet suspects named by New York Times

Trojan coins millions for its masters, say researchers

High performance access to file storage

Five suspected masterminds behind the infamous Koobface botnet have been unmasked in a move abetted by Facebook to put the heat on cyber-crimelords.

Koobface, one of the most sophisticated strains of malware developed to date, has been harassing users of Facebook (and to a lesser extent Twitter) for years. Typically the virus writes status updates on victims' Facebook profiles to lure their friends into installing a video codec that is actually a copy of the malware. Once installed on fresh hosts, the virus posts more status updates, thus continuing the infection cycle.

Five suspected members of the Koobface gang were named by The New York Times on Tuesday - a week after security researcher Dancho Danchev publicly outed the team's alleged lynchpin. The NYT reports that Facebook has plans to share more information about the group. It's hoped public disclosure will send a message to the digital underground as well as making it harder for the named individuals and their organisations to operate.

All five suspects are Russians nationals resident in the St Petersburg area.

Facebook security boss Joe Sullivan wrote on the social networking site: "This NY Times article highlights how hard it is for police to take action against cross-border cyber criminals. Facebook fought back hard against this gang and was able to get them to stop attacking Facebook users. According to the story, they are still out there targeting other websites."

Facebook carried out a takedown against the command-and-control system behind Koobface last March, which halted the spread of the worm across its site. However the malware's gang continues to be active in abusing other websites, according to a statement published by the social network this week:

After more than 3 years and numerous hours of working closely with industry leaders, the security community, and law enforcement, we are pleased to announce that Facebook has been free of infections for over 9 months. Today, Koobface is still impacting other web properties and continues to threaten security for Internet users across the globe. While we have been able to keep Koobface off Facebook, we won't declare victory against the virus until its authors are brought to justice. We feel it is the interest of everyone online to work with law enforcement and the larger security community to identify the gang and see the full force of law brought to bear against those who have made millions in ill-gotten gains. To this end, we will be sharing our intelligence with the rest of the online security community in the coming weeks in an effort to rid the Web of this virus forever.

The Facebook statement ends by linking to the NYT article to "find out more about Koobface" but does not itself name the five prime suspects of the case.

The crooks behind Koobface make their money from a combination of promoting scareware and raking in income from click fraud. Estimates of the gang's earnings by various security researchers consistently run into the millions of dollars every year.

Danchev has been tracking the group's activities for much of that time, becoming something of a nemesis to the gang controlling the botnet in the process. According to the researcher, one of his quarry recently made the mistake of using his personal email account to register a domain used by the Koobface worm's command-and-control infrastructure.

Following clues down the rabbit hole

According to Danchev, this particular web address was registered using a Gmail account that was also used to advertise the sale of Egyptian Sphynx kittens in September 2007 under another name, along with a phone number. This number was then traced to an advert for a BMW.

The researcher alleges that the owner of that email account belongs to the Koobface gang, who refer to themselves as 'Ali Baba and the 4'. He lists this bloke's supposed postal address along with his email, Twitter, Flickr, ICQ and the Webmoney account details in a blog post. For good measure, Danchev also published a photograph of the accused man, a picture scraped from one of the suspect's adverts.

"I'm still investigating the other members of the Koobface gang," Danchev told El Reg. "[The alleged member] is the only one who made a simple mistake, allowing me to identify him personally."


Similar investigative techniques were used by security blogger and former Washington Post reporter Brian Krebs, who outed the picture and personal details of the prime suspect in the Rustock botnet case last year.

Elsewhere Sophos released its own research into the Koobface gang, identifying the same alleged perpetrators as the NYT - Sophos has since updated its blog to remove the surnames of the accused, although their full names were given initially. SophosLabs malware expert Dirk Kollberg and independent researcher Jan Droemer compiled the dossier between October 2009 and February 2010, but the authorities requested that it be kept confidential at the time.

"The research involved scouring the internet, searching company records and taking advantage of schoolboy social networking errors made by the suspected criminals, their friends and family. We know the gang's names, their phone numbers, where their office is, what they look like, what cars they drive, even their mobile phone numbers," said Graham Cluley, senior technology consultant at Sophos. "Now we have to wait and see what, if any, action the authorities will take against the Koobface gang."

The Register notes that none of the five men has been charged in connection to the Koobface case, and should be considered innocent until proven guilty. ®

High performance access to file storage

More from The Register

next story
Parent gabfest Mumsnet hit by SSL bug: My heart bleeds, grins hacker
Natter-board tells middle-class Britain to purée its passwords
Samsung Galaxy S5 fingerprint scanner hacked in just 4 DAYS
Sammy's newbie cooked slower than iPhone, also costs more to build
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Web data BLEEDOUT: Users to feel the pain as Heartbleed bug revealed
Vendors and ISPs have work to do updating firmware - if it's possible to fix this
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Call of Duty 'fragged using OpenSSL's Heartbleed exploit'
So it begins ... or maybe not, says one analyst
NSA denies it knew about and USED Heartbleed encryption flaw for TWO YEARS
Agency forgets it exists to protect communications, not just spy on them
prev story

Whitepapers

Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
HP ArcSight ESM solution helps Finansbank
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Mobile application security study
Download this report to see the alarming realities regarding the sheer number of applications vulnerable to attack, as well as the most common and easily addressable vulnerability errors.