Koobface crooks unmasked?

Facebook and Sophos believe they have the names of the crooks behind the Koobface botnet.


Facebook and security researchers believe they have the names of the gang behind the notorious Koobface botnet.

The social networking giant, which has been one of the main targets of the Koobface criminals, is expected to announce today that it will start sharing the information it has on the group with the security community, the New York Times reported.

Facebook is planning to name four men who it believes to be involved in the gang behind Koobface, a botnet that Kaspersky estimated had infected between 400,000 and 800,000 machines at its peak.


Koobface malware has primarily been spread via Facebook.

Investigators claimed the group is operating in Russia, in plain sight. Despite the raft of information gathered on them, no prosecutions have been brought.

Leaving tracks uncovered

Sophos has been tracking the group and says the crooks have made a number of mistakes, leaving digital traces across the internet. One error was failing to lock outsiders out of information about their command and control (C&C) servers.

"It turned out that the Apache web server on one of the active Command & Control servers (captchastop.com, 67.212.69.230) had the mod_status module enabled. Having enabled this web server module, any visitor is provided with public access to a live view of requests made to the web server, thereby revealing file and directory names," Sophos explained in a blog post.

"Although this mistake was noted and corrected at the end of October 2009, it was only days later when the gang made yet another mistake by installing the Webalizer statistics tool in a publicly accessible way, allowing for an even better insight into the structures of their Command & Control system."

In late 2009 the Webalizer statistics revealed that a file named "last.tar.bz2" was a full daily backup of the Koobface C&C software, which Sophos obtained for full analysis.
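Both exposures Sophos describes are web server configuration mistakes rather than flaws in the malware itself. The Apache fragment below is an added example, not configuration from the article or from the Koobface servers: it places the weak form of each setting beside a hardened one. The paths, the admin network range and the password file are assumptions chosen for illustration.

```apache
# --- WEAK: the shape of the mistakes described above ---

# mod_status loaded and reachable by anyone. With ExtendedStatus the page
# lists the request line (method and URI) of every active worker, so a
# visitor gets a live feed of file and directory names on the server.
LoadModule status_module modules/mod_status.so
ExtendedStatus On
<Location "/server-status">
    SetHandler server-status
    Require all granted
</Location>

# Webalizer output published under the document root with no access
# control. Its reports list every requested URL, which is how a file such
# as a daily backup archive becomes visible to outsiders.
# (/var/www/webalizer is an assumed path.)
Alias /webalizer /var/www/webalizer
<Directory "/var/www/webalizer">
    Require all granted
</Directory>

# --- HARDENED: same features, restricted to the people who need them ---

# Keep mod_status only if it is actually used, and answer only to loopback
# and an administrative network. 10.0.0.0/8 is an assumed admin range.
<Location "/server-status">
    SetHandler server-status
    Require ip 127.0.0.1 ::1 10.0.0.0/8
</Location>

# Statistics stay outside the document root, behind authentication, with
# directory listings off. /var/lib/webalizer and the htpasswd path are
# assumptions.
Alias /webalizer /var/lib/webalizer
<Directory "/var/lib/webalizer">
    Options -Indexes
    AuthType Basic
    AuthName "Server statistics"
    AuthUserFile /etc/httpd/stats.htpasswd
    Require valid-user
</Directory>

# Archives and backups are never served, wherever they happen to land.
<FilesMatch "\.(tar|tgz|tar\.gz|tar\.bz2|zip|sql|bak)$">
    Require all denied
</FilesMatch>
```

After reloading, the check from outside the admin network is a plain `curl -sI https://HOST/server-status` and `curl -sI https://HOST/webalizer/`, which should return 403 (or 401 for the statistics) rather than 200; `apachectl configtest` confirms the syntax before the reload.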

This meant IP addresses relating to the gang could be obtained. More critically, Sophos was able to obtain a PHP script used to submit daily revenue statistics via short text messages to five mobile phones. This gave the researchers phone numbers to work with, as well as the nicknames of the recipients.

The nicknames Krotreal, LeDed and PoMuC proved particularly helpful. They were used to track down profiles of potential subjects on sites including Facebook, Twitter and Flickr, as well as photos which provided yet more useful information.

Other data acquired from the C&C server indicated one of the suspects worked at a software development company called MobSoft, which was determined to be based in St Petersburg.

One of the company's contact numbers matched one of the mobile numbers found in the Koobface SMS data.

The PoMuC suspect was linked to Elitum, a company similar to MobSoft.

Sophos also used information about the suspects' family members from social networks to further its investigation.

Another lead was a picture of one of the suspects at a porn conference with his wife.

"The full evidence is in the hands of the law enforcement agencies, and we wait to see what - if any - actions are taken to bring down the Koobface gang."

Facebook had not offered any official comment on the Koobface situation at the time of publication.

Koobface initially targeted Windows PCs but moved to attacking Macs as well in late 2010.

Later that year, the botnet took a serious hit when servers hosting its C&C centre were taken down in the UK.

The main C&C centre was located on servers at UK hosting company Coreix, which worked with police to remove the criminal activity from its systems.

Facebook claimed to have effectively stopped Koobface spreading on the social network last year.
