Koobface botnet gang exposed by researchers

The suspected ringleaders of the Koobface botnet have been identified and appear to be five men based in Russia, with an office in St Petersburg, according to reports.

The gang suspected of being behind the Koobface botnet, which propagated via social networks, has been identified by researchers. Above: a spoofed Facebook page created by the gang. Image credit: ZDNet.com

The Koobface botnet has earned around $2m (£1.3m) a year since it started in mid-2008, The New York Times reported on Monday. The botnet propagates via social networks like Facebook to hijack users' computers. Security researchers, law enforcement officials and the NYT were able to identify the men due to lax security policies employed in running the botnet, Sophos and Jan Drömer, an independent researcher, said on Tuesday.

"As in real life, a perfect (cyber)crime is something of a myth. The simple truth is that today's cybercrime landscape is aimed at achieving maximum revenue with minimal investment, and that implies a certain level of accepted imperfection," Sophos wrote. "It is this imperfection, paired with a sense of 'criminal arrogance' and an uncontrollable threat environment such as the internet, that ultimately led to the identification of multiple suspects forming the 'Koobface gang'."

Facebook is expected to announce plans to share information about the group with security officials and other companies on Tuesday, in a bid to create an environment that makes it more difficult for them to operate, the NYT said.

Koobface emerged in 2008 and used a variety of social networks, like Facebook and Twitter, to propagate. If people click on a Koobface-poisoned link on these social networks a Trojan virus infects their computer, hijacks it and interferes with web browsing.

All five individuals appear to be living in Russia and run Koobface from an office located in St Petersburg, Sophos said; some have even 'checked in' to the office via the Foursquare social network, the NYT reported.

Security lapses

Sophos researchers were able to identify the botnet runners due poorly implemented security policies such as tying personal phone numbers to the command-and-control systems of Koobface.

"Probably the most stunning information was found within a PHP script used to submit daily revenue statistics via short text messages to five mobile phones," Sophos wrote. "The international prefix +7 identifies these numbers to be Russian telephone numbers."

One number received a weekly text message saying how much Koobface had generated that week; the same phone was later used in personal online adverts for a BMW3 car and some Sphynx kittens.

The telephone numbers, combined with the aliases that the suspects used, let investigators track the hackers down on social networks like Facebook and Russia's vkontakte.ru. Security researchers also used services like NameChk to identify other sites used by the aliases.

Shady nature

Some of the suspects have also been involved in the online adult entertainment industry, Sophos said, noting that the sector shares techniques such as traffic sharing and affiliate models with malware operators.

The simple truth is that today's cybercrime landscape is aimed at achieving maximum revenue with minimal investment.

– Sophos

"The somewhat shady nature of the scene, and the criminals' desire to make even more money fast, might be what makes some slowly cross the line and get involved in more malicious activities," Sophos wrote.

Facebook had not responded to a request for further information at the time of writing.

Sophos has made the full results of its investigation, including the structure of the command-and-control server for the Koobface botnet, available to law enforcement officials.

"The full evidence is in the hands of the law enforcement agencies, and we wait to see what — if any — actions are taken to bring down the Koobface gang," Sophos wrote.