Koobface C&C goes silent after alleged controllers exposed
The Koobface network is apparently down, according to Facebook. Ryan McGeehan, a Facebook security official, told Reuters that the company's decision to expose the five men alleged to be behind the malware had had an effect within 24 hours: "The thing that we are most excited about is that the botnet is down." Yesterday, Facebook decided to publish the names of alleged gang members based on details of research carried out in 2009-2010 by two German researchers. One of the researchers works for security company Sophos, which pre-empted Facebook's announcement by publishing the report.
Sophos's Graham Cluley told The H that the command and control servers are not down; they just haven't sent out any new commands since 08:40 GMT on 17 January. "Now they just reply with 404 errors," said Cluley. He did note, though, that the five men identified by the Drömer/Kollberg investigation "appear to have been busy deleting their social networking accounts", adding: "Clearly, the people identified are aware of the report and are clearing up the various breadcrumbs they have left lying around the net".
In the physical domain, the alleged gang members and their operations are proving somewhat harder to track down. None of the five members of the group could be tracked down by Reuters reporters in St Petersburg. The office address for Mobsoft led to a dilapidated building mostly filled with shipping companies that had not heard of the company. Mobsoft's legal address led to an apartment complex where there was no response, and Mobsoft phone numbers "yielded no valid leads".