Koobface gang to be exposed by Facebook
The five men behind the Koobface worm, which spreads over Facebook and other social networks, hide in plain sight, living comfortably in St Petersburg, Russia, according to Facebook investigators and other security researchers. The information is revealed in a report in the New York Times; the newspaper says this is the precursor to an announcement by Facebook that it will begin sharing the information it has on the Koobface gang in an attempt to make it harder for them to operate. To date, no criminal charges have been brought against the men and no authorities have confirmed that the men are being investigated.
Sophos has pre-empted the Facebook announcement by publishing "The Koobface malware gang - exposed" by Jan Drömer, an independent researcher, and Dirk Kollberg of SophosLabs, which traces their investigation from identifying command and control servers, through car and kitten adverts, Flickr and adult web sites, to identifying the men behind the malware. The investigation took place between October 2009 and February 2010. The information was being shared with various law enforcement agencies, who had requested that it stay secret, but according to Sophos, news began to leak about one of the men involved, Anton "Krotreal" Korotchenko, so Sophos decided to go public with the information. Both the New York Times report and the Sophos report name the same men: Anton Korotchenko, Alexander Koltyshev, Roman Koturbach, Svyatoslav Polinchuk, and Stanislav Avdeiko.
At its height in 2010, Kaspersky Lab estimated, the Koobface network comprised between 400,000 and 800,000 PCs. In November 2010, a UK ISP took down a command and control server of the network, but that failed to blunt its activities. Researchers from SecDev estimated that Koobface's business model of making many small transactions earned the gang around $2 million per year and made them somewhat harder to prosecute, as losses per victim were small. The Koobface gang has also distanced itself from more aggressive bots such as ZeuS; in an "e-card" for security researchers, they said they would never steal credit card or bank details. They have, though, harvested email, Facebook and IM account passwords.