Facebook, Security Investigators Unmask Five Men Behind Koobface Crime Ring

Facebook is now Koobface-free, and security researchers have publicized information about the five perpetrators behind the massive botnet.

Security researchers have publicly unmasked five people they believe are behind Koobface, a botnet that spreads on social-networking sites and directs users to Websites selling fake antivirus and other scams.

Facebook has been fighting the malware for the past year and successfully took one of the command-and-control servers controlling the botnet offline last March, the social-networking site proclaimed Jan. 17 on the Facebook Security blog. Facebook has been Koobface-free for more than nine months, according to the post.

"Facebook Security was able to perform a technical takedown of this 'Command & Control' mothership," the company wrote.

Security companies, Facebook and the Federal Bureau of Investigation have been tracking the gang for at least two years, according to The New York Times. The alleged gang members have been identified as Anton Korotchenko, Alexander Koltyshev, Roman Koturbach, Syvatoslav Polinchuk and Stanislav Avdeiko. They are currently operating out of Russia and are active on various social-networking sites, including checking in at its offices on FourSquare and posting on Twitter.

"We've had a picture of one of the guys in a scuba mask on our wall since 2008," said Ryan McGeehan, manager of investigations and incident response at Facebook, told The Times.

Facebook's security team "worked non-stop" to detect the malware, remediate affected users, and identify the responsible parties, Facebook said. The company said it would be sharing the data with the larger security community and law enforcement. "We won't declare victory" until the authors are brought to justice, the company said.

The Koobface Working Group, a team of security researchers from across the industry, had been tracking the group, Graham Cluley, senior technology consultant for Sophos, wrote on the Naked Security blog. A paper had been planned for the Virus Bulletin security conference last year, but the FBI asked the authors to cancel the presentation in order not to interfere with the investigation.

"Up until now, Dr??émer and Kollberg's research has been a closely guarded secret, known only to a select few in the computer security community and shared with various law-enforcement agencies around the globe," Cluley wrote. After independent researcher Dancho Danchev posted details on one of the members on his personal blog on Jan. 9, "the cat was well and truly out of the bag," Cluley said.

Researchers were able to take advantage of a mistake the Koobface criminals made in the way they configured their Apache Web server and Web statistics tool on the C&C server to identify IP addresses and domains used by the attackers, according to Cluley's detailed writeup of the investigation. Researchers were able to also gain access to back-ups, which helped them find images, phone numbers and nicknames that may be used to identify the attackers.

Various Web searches helped uncover email addresses and nicknames associated with the phone numbers and nicknames as well as accounts on other social-networking sites such as Flickr, Twitter, YouTube and LiveJournal, according to Cluley. While nicknames aren't as good as first and last names, they are usually "life-long" once picked, especially in the criminal underground where no one is using their real identity, Cluley said. "There is a need to distinguish between those that offer reliable cyber-crime services and those who don't," Cluley said.

Cluley said the evidence has been turned over to law-enforcement agencies, but that none of the individuals the team had identified have been charged or found guilty of any crimes.

The criminals allegedly made an estimated $2 million between 2009 and 2010 using Koobface's network of infected computers scattered around the world to infect computers and redirecting users to malicious Websites, according to a 2010 report from the Information Warfare Monitor initiative. The money came from referral fees these sites paid for each visitor who came to their site as well as from users who paid to buy fake antivirus software. Koobface is known for targeting users on various social networks, including MySpace, hi5 and Facebook.