Five Koobface botnet suspects named by New York Times

Five suspected masterminds behind the infamous Koobface botnet have been unmasked in a move abetted by Facebook to put the heat on cyber-crimelords.

Koobface, one of the most sophisticated strains of malware developed to date, has been harassing users of Facebook (and to a lesser extent Twitter) for years. Typically the virus writes status updates on victims' Facebook profiles to lure their friends into installing a video codec that is actually a copy of the malware. Once installed on fresh hosts, the virus posts more status updates, thus continuing the infection cycle.

Five suspected members of the Koobface gang were named by The New York Times on Tuesday - a week after security researcher Dancho Danchev publicly outed the team's alleged lynchpin. The NYT reports that Facebook has plans to share more information about the group. It's hoped public disclosure will send a message to the digital underground as well as making it harder for the named individuals and their organisations to operate.

All five suspects are Russians nationals resident in the St Petersburg area.

Facebook security boss Joe Sullivan wrote on the social networking site: "This NY Times article highlights how hard it is for police to take action against cross-border cyber criminals. Facebook fought back hard against this gang and was able to get them to stop attacking Facebook users. According to the story, they are still out there targeting other websites."

Facebook carried out a takedown against the command-and-control system behind Koobface last March, which halted the spread of the worm across its site. However the malware's gang continues to be active in abusing other websites, according to a statement published by the social network this week:

After more than 3 years and numerous hours of working closely with industry leaders, the security community, and law enforcement, we are pleased to announce that Facebook has been free of infections for over 9 months. Today, Koobface is still impacting other web properties and continues to threaten security for Internet users across the globe. While we have been able to keep Koobface off Facebook, we won't declare victory against the virus until its authors are brought to justice. We feel it is the interest of everyone online to work with law enforcement and the larger security community to identify the gang and see the full force of law brought to bear against those who have made millions in ill-gotten gains. To this end, we will be sharing our intelligence with the rest of the online security community in the coming weeks in an effort to rid the Web of this virus forever.

The Facebook statement ends by linking to the NYT article to "find out more about Koobface" but does not itself name the five prime suspects of the case.

The crooks behind Koobface make their money from a combination of promoting scareware and raking in income from click fraud. Estimates of the gang's earnings by various security researchers consistently run into the millions of dollars every year.

Danchev has been tracking the group's activities for much of that time, becoming something of a nemesis to the gang controlling the botnet in the process. According to the researcher, one of his quarry recently made the mistake of using his personal email account to register a domain used by the Koobface worm's command-and-control infrastructure.

Following clues down the rabbit hole

According to Danchev, this particular web address was registered using a Gmail account that was also used to advertise the sale of Egyptian Sphynx kittens in September 2007 under another name, along with a phone number. This number was then traced to an advert for a BMW.

The researcher alleges that the owner of that email account belongs to the Koobface gang, who refer to themselves as 'Ali Baba and the 4'. He lists this bloke's supposed postal address along with his email, Twitter, Flickr, ICQ and the Webmoney account details in a blog post. For good measure, Danchev also published a photograph of the accused man, a picture scraped from one of the suspect's adverts.

"I'm still investigating the other members of the Koobface gang," Danchev told El Reg. "[The alleged member] is the only one who made a simple mistake, allowing me to identify him personally."


Similar investigative techniques were used by security blogger and former Washington Post reporter Brian Krebs, who outed the picture and personal details of the prime suspect in the Rustock botnet case last year.

Elsewhere Sophos released its own research into the Koobface gang, identifying the same alleged perpetrators as the NYT - Sophos has since updated its blog to remove the surnames of the accused, although their full names were given initially. SophosLabs malware expert Dirk Kollberg and independent researcher Jan Droemer compiled the dossier between October 2009 and February 2010, but the authorities requested that it be kept confidential at the time.

"The research involved scouring the internet, searching company records and taking advantage of schoolboy social networking errors made by the suspected criminals, their friends and family. We know the gang's names, their phone numbers, where their office is, what they look like, what cars they drive, even their mobile phone numbers," said Graham Cluley, senior technology consultant at Sophos. "Now we have to wait and see what, if any, action the authorities will take against the Koobface gang."

The Register notes that none of the five men has been charged in connection to the Koobface case, and should be considered innocent until proven guilty. ®