Research by Sophos reveals the gang behind Koobface

The first task for the investigators, independent researcher Jan Drömer and Dirk Kollberg of SophosLabs, was to locate the Koobface command and control servers. This allowed them to watch for opportunities. Towards the end of 2009 the Koobface gang made their biggest, not their first, security error: they installed the Webalizer statistics tool in a publicly accessible manner. This enabled the investigators to locate the file containing a full daily backup of the Koobface command and control software; and from this they constructed a map of the entire system landscape for the Koobface botnet including one particular IP address that they dubbed the ‘Koobface Mothership’.

Koobface Mothership hosted the domain babkiup.com, which was found to greet users with a service description matching the behavior of the Koobface botnet. ICQ contact details led to two individuals using the nicknames PoMuC and LeDed.

Also in the backup file the investigators found another nickname, KrotReal, and a PHP script used to deliver daily revenue statistics to five Russian mobile phone numbers (although one had been ‘commented out’). These and other clues pointed to what researchers had long suspected: the Koobface gang is Russian and based in St Petersburg. One clue pointed to another elsewhere, and the investigators began to zero in on specific suspects: Koobface gang member KrotReal, for example, appeared under the name ‘Anton’ on Flickr.

KrotReal also had a Facebook page – ironic since Facebook is the primary target of Koobface (itself an anagram of Facebook). But the real irony of this thoroughly compelling and important detective story is that the investigators used the same online techniques to build a picture of the criminals as the criminals use to build a picture of their targets: the amalgamation of online data, especially from social networks.

Slowly, evidence was pieced together to suggest five specific prime members of the Koobface gang. Sophos names them as Anton Korotchenko, Alexander Koltyshev, Roman Koturbach, Syvatoslav Polinchuk, and Stanislav Avdeiko. The evidence has been handed to law enforcement and, says Graham Cluley, senior technology consultant at Sophos, “we have to wait and see what, if any, action the authorities will take against the Koobface gang.”
