Five Koobface botnet suspects named by New York Times

Trojan coins millions for its masters, say researchers


Five suspected masterminds behind the infamous Koobface botnet have been unmasked in a move abetted by Facebook to put the heat on cyber-crimelords.

Koobface, one of the most sophisticated strains of malware developed to date, has been harassing users of Facebook (and to a lesser extent Twitter) for years. Typically the virus writes status updates on victims' Facebook profiles to lure their friends into installing a video codec that is actually a copy of the malware. Once installed on fresh hosts, the virus posts more status updates, thus continuing the infection cycle.

Five suspected members of the Koobface gang were named by The New York Times on Tuesday - a week after security researcher Dancho Danchev publicly outed the team's alleged lynchpin. The NYT reports that Facebook has plans to share more information about the group. It's hoped public disclosure will send a message to the digital underground as well as making it harder for the named individuals and their organisations to operate.

All five suspects are Russians nationals resident in the St Petersburg area.

Facebook security boss Joe Sullivan wrote on the social networking site: "This NY Times article highlights how hard it is for police to take action against cross-border cyber criminals. Facebook fought back hard against this gang and was able to get them to stop attacking Facebook users. According to the story, they are still out there targeting other websites."

Facebook carried out a takedown against the command-and-control system behind Koobface last March, which halted the spread of the worm across its site. However the malware's gang continues to be active in abusing other websites, according to a statement published by the social network this week:

After more than 3 years and numerous hours of working closely with industry leaders, the security community, and law enforcement, we are pleased to announce that Facebook has been free of infections for over 9 months. Today, Koobface is still impacting other web properties and continues to threaten security for Internet users across the globe. While we have been able to keep Koobface off Facebook, we won't declare victory against the virus until its authors are brought to justice. We feel it is the interest of everyone online to work with law enforcement and the larger security community to identify the gang and see the full force of law brought to bear against those who have made millions in ill-gotten gains. To this end, we will be sharing our intelligence with the rest of the online security community in the coming weeks in an effort to rid the Web of this virus forever.

The Facebook statement ends by linking to the NYT article to "find out more about Koobface" but does not itself name the five prime suspects of the case.

The crooks behind Koobface make their money from a combination of promoting scareware and raking in income from click fraud. Estimates of the gang's earnings by various security researchers consistently run into the millions of dollars every year.

Danchev has been tracking the group's activities for much of that time, becoming something of a nemesis to the gang controlling the botnet in the process. According to the researcher, one of his quarry recently made the mistake of using his personal email account to register a domain used by the Koobface worm's command-and-control infrastructure.

Following clues down the rabbit hole

According to Danchev, this particular web address was registered using a Gmail account that was also used to advertise the sale of Egyptian Sphynx kittens in September 2007 under another name, along with a phone number. This number was then traced to an advert for a BMW.

The researcher alleges that the owner of that email account belongs to the Koobface gang, who refer to themselves as 'Ali Baba and the 4'. He lists this bloke's supposed postal address along with his email, Twitter, Flickr, ICQ and the Webmoney account details in a blog post. For good measure, Danchev also published a photograph of the accused man, a picture scraped from one of the suspect's adverts.

"I'm still investigating the other members of the Koobface gang," Danchev told El Reg. "[The alleged member] is the only one who made a simple mistake, allowing me to identify him personally."


Similar investigative techniques were used by security blogger and former Washington Post reporter Brian Krebs, who outed the picture and personal details of the prime suspect in the Rustock botnet case last year.

Elsewhere Sophos released its own research into the Koobface gang, identifying the same alleged perpetrators as the NYT - Sophos has since updated its blog to remove the surnames of the accused, although their full names were given initially. SophosLabs malware expert Dirk Kollberg and independent researcher Jan Droemer compiled the dossier between October 2009 and February 2010, but the authorities requested that it be kept confidential at the time.

"The research involved scouring the internet, searching company records and taking advantage of schoolboy social networking errors made by the suspected criminals, their friends and family. We know the gang's names, their phone numbers, where their office is, what they look like, what cars they drive, even their mobile phone numbers," said Graham Cluley, senior technology consultant at Sophos. "Now we have to wait and see what, if any, action the authorities will take against the Koobface gang."

The Register notes that none of the five men has been charged in connection to the Koobface case, and should be considered innocent until proven guilty. ®


Other stories you might like

  • US-APAC trade deal leaves out Taiwan, military defense not ruled out
    All fun and games until the chip factories are in the crosshairs

    US President Joe Biden has heralded an Indo-Pacific trade deal signed by several nations that do not include Taiwan. At the same time, Biden warned China that America would defend Taiwan from attack; it is home to a critical slice of the global chip industry, after all. 

    The agreement, known as the Indo-Pacific Economic Framework (IPEF), is still in its infancy, with today's announcement enabling the United States and the other 12 participating countries to begin negotiating "rules of the road that ensure [US businesses] can compete in the Indo-Pacific," the White House said. 

    Along with America, other IPEF signatories are Australia, Brunei, India, Indonesia, Japan, South Korea, Malaysia, New Zealand, the Philippines, Singapore, Thailand and Vietnam. Combined, the White House said, the 13 countries participating in the IPEF make up 40 percent of the global economy. 

    Continue reading
  • 381,000-plus Kubernetes API servers 'exposed to internet'
    Firewall isn't a made-up word from the Hackers movie, people

    A large number of servers running the Kubernetes API have been left exposed to the internet, which is not great: they're potentially vulnerable to abuse.

    Nonprofit security organization The Shadowserver Foundation recently scanned 454,729 systems hosting the popular open-source platform for managing and orchestrating containers, finding that more than 381,645 – or about 84 percent – are accessible via the internet to varying degrees thus providing a cracked door into a corporate network.

    "While this does not mean that these instances are fully open or vulnerable to an attack, it is likely that this level of access was not intended and these instances are an unnecessarily exposed attack surface," Shadowserver's team stressed in a write-up. "They also allow for information leakage on version and build."

    Continue reading
  • A peek into Gigabyte's GPU Arm for AI, HPC shops
    High-performance platform choices are going beyond the ubiquitous x86 standard

    Arm-based servers continue to gain momentum with Gigabyte Technology introducing a system based on Ampere's Altra processors paired with Nvidia A100 GPUs, aimed at demanding workloads such as AI training and high-performance compute (HPC) applications.

    The G492-PD0 runs either an Ampere Altra or Altra Max processor, the latter delivering 128 64-bit cores that are compatible with the Armv8.2 architecture.

    It supports 16 DDR4 DIMM slots, which would be enough space for up to 4TB of memory if all slots were filled with 256GB memory modules. The chassis also has space for no fewer than eight Nvidia A100 GPUs, which would make for a costly but very powerful system for those workloads that benefit from GPU acceleration.

    Continue reading

Biting the hand that feeds IT © 1998–2022