Research by Sophos reveals the gang behind Koobface

17 January 2012

Key to this compelling and instructive detective story is the sort of security failing usually exploited by cybercriminals, but in this instance turned against them by Sophos.

The first task for the investigators, independent researcher Jan Drömer and Dirk Kollberg of SophosLabs, was to locate the Koobface command-and-control servers. This allowed them to watch for opportunities. Towards the end of 2009 the Koobface gang made their biggest, though not their first, security error: they installed the Webalizer statistics tool so that it was publicly accessible. This enabled the investigators to locate a file containing a full daily backup of the Koobface command-and-control software, and from it they constructed a map of the entire system landscape of the Koobface botnet, including one particular IP address that they dubbed the ‘Koobface Mothership’.

The Koobface Mothership hosted the domain babkiup.com, which was found to greet visitors with a service description matching the behaviour of the Koobface botnet. ICQ contact details on the site led to two individuals using the nicknames PoMuC and LeDed.

Also in the backup file the investigators found another nickname, KrotReal, and a PHP script used to deliver daily revenue statistics to five Russian mobile phone numbers (although one had been ‘commented out’). These and other clues pointed to what researchers had long suspected: the Koobface gang is Russian and based in St Petersburg. One clue pointed to another clue elsewhere, and the investigators began to zero in on specific suspects: Koobface gang member KrotReal being given the name ‘Anton’ on Flickr, for example.

KrotReal also had a Facebook page – ironic since Facebook is the primary target of Koobface (itself an anagram of Facebook). But the real irony of this thoroughly compelling and important detective story is that the investigators used the same online techniques to build a picture of the criminals as the criminals use to build a picture of their targets: the amalgamation of online data, especially from social networks.

Slowly, evidence was pieced together to suggest five specific prime members of the Koobface gang. Sophos names them as Anton Korotchenko, Alexander Koltyshev, Roman Koturbach, Syvatoslav Polinchuk, and Stanislav Avdeiko. The evidence has been handed to law enforcement and, says Graham Cluley, senior technology consultant at Sophos, “we have to wait and see what, if any, action the authorities will take against the Koobface gang.”
