Facebook is now Koobface-free, and security researchers have publicized information about the five perpetrators behind the massive botnet.
Security researchers have
publicly unmasked five people they believe are behind Koobface, a botnet that
spreads on social-networking sites and directs users to Websites selling fake
antivirus and other scams.
Facebook has been fighting
the malware for the past year and successfully took one of the
command-and-control servers controlling the botnet offline last March, the
social-networking site proclaimed Jan. 17 on the Facebook Security blog.
Facebook has been Koobface-free for more than nine months, according to the
"Facebook Security was
able to perform a technical takedown of this 'Command & Control'
mothership," the company wrote.
Security companies, Facebook
and the Federal Bureau of Investigation have been tracking the gang for at
least two years, according to The New
The alleged gang members have been identified as Anton
Korotchenko, Alexander Koltyshev, Roman Koturbach, Syvatoslav Polinchuk and
Stanislav Avdeiko. They are currently operating out of Russia and are active on
various social-networking sites, including checking in at their offices on
FourSquare and posting on Twitter.
"We've had a picture of one
of the guys in a scuba mask on our wall since 2008," Ryan McGeehan,
manager of investigations and incident response at Facebook, told The Times.
Facebook's security team
"worked non-stop" to detect the malware, remediate affected users,
and identify the responsible parties, Facebook said. The company said it would
be sharing the data with the larger security community and law enforcement.
"We won't declare victory" until the authors are brought to justice,
the company said.
The Koobface Working Group,
a team of security researchers from across the industry, had been tracking the
group, Graham Cluley, senior technology consultant for Sophos, wrote on the Naked Security
blog. A paper had been planned for the Virus Bulletin security conference last
year, but the FBI asked the authors to cancel the presentation in order not to interfere
with the investigation.
"Up until now, Drömer
and Kollberg's research has been a closely guarded secret, known only to a
select few in the computer security community and shared with various law-enforcement
agencies around the globe," Cluley wrote. After independent researcher Dancho
posted details on one of the members on his personal blog on Jan.
9, "the cat was well and truly out of the bag," Cluley said.
Researchers were able to
take advantage of a mistake the Koobface criminals made in the way they
configured their Apache Web server and Web statistics tool on the C&C
server to identify IP addresses and domains used by the attackers, according to
Cluley's detailed writeup of the investigation. Researchers were also able to gain access to back-ups,
which helped them find images, phone numbers and nicknames that may be used to
identify the attackers.
Various Web searches helped
uncover email addresses and nicknames associated with the phone numbers and
nicknames as well as accounts on other social-networking sites such as Flickr,
Twitter, YouTube and LiveJournal, according to Cluley. While nicknames aren't
as good as first and last names, they are usually "life-long" once
picked, especially in the criminal underground where no one is using their real
identity, Cluley said. "There is a need to distinguish between those that
offer reliable cyber-crime services and those who don't," Cluley said.
Cluley said the evidence has
been turned over to law-enforcement agencies, but that none of the individuals
the team had identified have been charged or found guilty of any crimes.
The criminals allegedly made
an estimated $2 million between 2009 and 2010 using Koobface's network of
infected computers scattered around the world to infect further computers and
redirect users to malicious Websites, according to a 2010 report from the
Information Warfare Monitor initiative. The money came from referral fees these
sites paid for each visitor who came to their site as well as from users who
paid to buy fake antivirus software. Koobface is known for targeting users on
various social networks, including MySpace, hi5 and Facebook.