Feeds

Five Koobface botnet suspects named by New York Times

Trojan coins millions for its masters, say researchers

The Essential Guide to IT Transformation

Five suspected masterminds behind the infamous Koobface botnet have been unmasked in a move abetted by Facebook to put the heat on cyber-crimelords.

Koobface, one of the most sophisticated strains of malware developed to date, has been harassing users of Facebook (and to a lesser extent Twitter) for years. Typically the virus writes status updates on victims' Facebook profiles to lure their friends into installing a video codec that is actually a copy of the malware. Once installed on fresh hosts, the virus posts more status updates, thus continuing the infection cycle.

Five suspected members of the Koobface gang were named by The New York Times on Tuesday - a week after security researcher Dancho Danchev publicly outed the team's alleged lynchpin. The NYT reports that Facebook has plans to share more information about the group. It's hoped public disclosure will send a message to the digital underground as well as making it harder for the named individuals and their organisations to operate.

All five suspects are Russians nationals resident in the St Petersburg area.

Facebook security boss Joe Sullivan wrote on the social networking site: "This NY Times article highlights how hard it is for police to take action against cross-border cyber criminals. Facebook fought back hard against this gang and was able to get them to stop attacking Facebook users. According to the story, they are still out there targeting other websites."

Facebook carried out a takedown against the command-and-control system behind Koobface last March, which halted the spread of the worm across its site. However the malware's gang continues to be active in abusing other websites, according to a statement published by the social network this week:

After more than 3 years and numerous hours of working closely with industry leaders, the security community, and law enforcement, we are pleased to announce that Facebook has been free of infections for over 9 months. Today, Koobface is still impacting other web properties and continues to threaten security for Internet users across the globe. While we have been able to keep Koobface off Facebook, we won't declare victory against the virus until its authors are brought to justice. We feel it is the interest of everyone online to work with law enforcement and the larger security community to identify the gang and see the full force of law brought to bear against those who have made millions in ill-gotten gains. To this end, we will be sharing our intelligence with the rest of the online security community in the coming weeks in an effort to rid the Web of this virus forever.

The Facebook statement ends by linking to the NYT article to "find out more about Koobface" but does not itself name the five prime suspects of the case.

The crooks behind Koobface make their money from a combination of promoting scareware and raking in income from click fraud. Estimates of the gang's earnings by various security researchers consistently run into the millions of dollars every year.

Danchev has been tracking the group's activities for much of that time, becoming something of a nemesis to the gang controlling the botnet in the process. According to the researcher, one of his quarry recently made the mistake of using his personal email account to register a domain used by the Koobface worm's command-and-control infrastructure.

Following clues down the rabbit hole

According to Danchev, this particular web address was registered using a Gmail account that was also used to advertise the sale of Egyptian Sphynx kittens in September 2007 under another name, along with a phone number. This number was then traced to an advert for a BMW.

The researcher alleges that the owner of that email account belongs to the Koobface gang, who refer to themselves as 'Ali Baba and the 4'. He lists this bloke's supposed postal address along with his email, Twitter, Flickr, ICQ and the Webmoney account details in a blog post. For good measure, Danchev also published a photograph of the accused man, a picture scraped from one of the suspect's adverts.

"I'm still investigating the other members of the Koobface gang," Danchev told El Reg. "[The alleged member] is the only one who made a simple mistake, allowing me to identify him personally."


Similar investigative techniques were used by security blogger and former Washington Post reporter Brian Krebs, who outed the picture and personal details of the prime suspect in the Rustock botnet case last year.

Elsewhere Sophos released its own research into the Koobface gang, identifying the same alleged perpetrators as the NYT - Sophos has since updated its blog to remove the surnames of the accused, although their full names were given initially. SophosLabs malware expert Dirk Kollberg and independent researcher Jan Droemer compiled the dossier between October 2009 and February 2010, but the authorities requested that it be kept confidential at the time.

"The research involved scouring the internet, searching company records and taking advantage of schoolboy social networking errors made by the suspected criminals, their friends and family. We know the gang's names, their phone numbers, where their office is, what they look like, what cars they drive, even their mobile phone numbers," said Graham Cluley, senior technology consultant at Sophos. "Now we have to wait and see what, if any, action the authorities will take against the Koobface gang."

The Register notes that none of the five men has been charged in connection to the Koobface case, and should be considered innocent until proven guilty. ®

Build a business case: developing custom apps

More from The Register

next story
14 antivirus apps found to have security problems
Vendors just don't care, says researcher, after finding basic boo-boos in security software
Only '3% of web servers in top corps' fully fixed after Heartbleed snafu
Just slapping a patched OpenSSL on a machine ain't going to cut it, we're told
'Things' on the Internet-of-things have 25 vulnerabilities apiece
Leaking sprinklers, overheated thermostats and picked locks all online
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Israel's Iron Dome missile tech stolen by Chinese hackers
Corporate raiders Comment Crew fingered for attacks
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
The Essential Guide to IT Transformation
ServiceNow discusses three IT transformations that can help CIO's automate IT services to transform IT and the enterprise.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Build a business case: developing custom apps
Learn how to maximize the value of custom applications by accelerating and simplifying their development.