Facebook exposes hackers behind Koobface worm

Summary: Facebook has confirmed it is releasing as much information as it can about the Koobface worm, which wreaked havoc on the social network a few years ago, and the five hackers behind it.


Update: Koobface gang pulls server after Facebook exposes hackers

As expected, Facebook today started to release information about the Koobface worm (its name is an anagram of "Facebook") and those behind it. The update comes almost a year since Facebook's last post about the infamous piece of malware. After more than three years and numerous hours of working closely with industry leaders, the security community, and law enforcement, Facebook has announced its social network has been free of the virus for over nine months.

In July 2008, the Koobface gang, as they are often referred to, sent out invitations to watch a funny or sexy video. If you clicked the link, you were told you needed to update your Adobe Flash plugin, but the download was in fact the Koobface malware. Victims' computers started showing ads for fake antivirus software and their searches were redirected to unscrupulous marketers. The security firm Kaspersky Labs estimated the botnet at somewhere between 400,000 and 800,000 PCs at its height in 2010.

Facebook's security team worked non-stop to detect the virus, remediate affected users, and eventually identify the party responsible. The company says it has been tracking the group in question ever since and has shared this investigation material, as well as information on how to best defend against the virus, with the larger security community. The goal is to enable sites still targeted by Koobface to more adequately protect their users.

The men, sometimes called Ali Baba & 4, have now had their full names and online names revealed: Stanislav Avdeyko (leDed), Alexander Koltysehv (Floppy), Anton Korotchenko (KrotReal), Roman P. Koturbach (PoMuc), Svyatoslav E. Polichuck (PsViat and PsycoMan). Avdeyko, who is over 20 years older than the other men and has been tied to an infamous spyware program from 2003 called CoolWebSearch, appears to hold a leadership role.

They have become rich from their various online schemes (their Koobface botnet has earned them millions of dollars), and are hiding in plain sight in St. Petersburg, Russia. Despite their identities being known to Facebook, independent computer security researchers, and law enforcement officials, the men live comfortable lives which include luxury vacations to places like Monte Carlo, Bali, and Turkey, according to coordinates, photographs, and messages they themselves have posted online.

All of the men have yet to be charged with a crime, nor has any law enforcement agency confirmed they are under investigation; the Koobface gang demonstrates the difficulty Western officials face in apprehending international computer criminals, even when identities are known, and especially when they operate in countries where local authorities won't touch them. When US and European law enforcement agencies don't receive cooperation, they have serious trouble putting together the required evidence.

The group made money from people who bought the bogus software and from unsuspecting advertisers, through what are known as pay-per-click and traffic referral schemes. After installing malware on a user's device, the group was able to redirect the user's traffic and, in some cases, trick the user into paying for fake antivirus software. Koobface was able to perform these actions by communicating with a central "Command & Control" server, known as the "Mothership," which controlled the compromised computers.

Facebook was able to stem the spread of the virus using a variety of tools (including URL blacklists as well as Scan-And-Repair), and then in March 2011 the company's security team performed a technical takedown of the Mothership. Ever since, Facebook has not seen Koobface, and it is "working hard to keep it that way."

Unfortunately, Koobface is still spreading via other web properties today. While Facebook has managed to keep Koobface off the social network, the company says it "won't declare victory against the virus until its authors are brought to justice." That's exactly why Facebook is sharing its intelligence with the rest of the online security community in the coming weeks in an effort to rid the Web of this virus forever – the company says it is in the interest of everyone online to work with law enforcement and the larger security community to take down the gang of five.

"Nothing is more important to us than ensuring the security and safety of our users and their data," a Facebook spokesperson said in a statement. "Thankfully, we aren't in this fight alone; cybersecurity is a shared responsibility for law enforcement, industry and everyone who uses the Internet. We will continue to work with the broad security community and industry leaders, such as McAfee and Microsoft. We will stay firmly committed to our work with law enforcement in stopping these threats and bringing the bad guys to justice. Cybercrime involves and impacts real people, and we praise those in the security community for coming together to expose those who have broken the law. We are confident that our work in identifying those responsible will put a significant dent in their ability to harm those online and lead to a safer internet for all."

Emil Protalinski

About Emil Protalinski

Emil is a freelance journalist writing for CNET and ZDNet. Over the years,
he has covered the tech industry for multiple publications, including Ars
Technica, Neowin, and TechSpot.

  • um

    • RE: Facebook exposes hackers behind Koobface worm


      Exactly what I was thinking.. Um... Did these names come from HBGary CEO Aaron Barr??? Did he do some of his world famous anal-i-tics again? Is this another hornets nest he thrust his HAPpenis into? LOL!!!
  • RE: Facebook exposes hackers behind Koobface worm

    Kill the Motra Fullers NoW !!!
    • Enslave them. Make them pay for their crimes forever.

      @fiorot ... a salt mine in Siberia would suit the losers perfectly.
      Reality Bites
      • RE: Facebook exposes hackers behind Koobface worm

        @Reality Bites Yeah, and once slavery becomes legal, internationally, just how far down the "To Be Enslaved" list will YOUR name be? Higher up on the list than mine, I hope!
      • RE: Facebook exposes hackers behind Koobface worm

        @vizenos So you support these guys?
      • RE: Facebook exposes hackers behind Koobface worm

        "@vizenos So you support these guys?"

        No. I don't support ridiculous hyperbole.
  • Did you say what you mean?

    I think this sentence is misphrased:
    "None of the men have yet to be charged with a crime..."

    That means that not one of them hasn't been charged. But your article is clear that they're free as the Russian breezes.

    Btw, GREAT news and a great story.

    Good to know we can count on Russian law enforcement and courts to be above being influenced by bribery.

    Who are Russian cops and courts persecuting and prosecuting so as to look busy while they're sitting on their duffs letting these guys skate?
    • RE: Facebook exposes hackers behind Koobface worm

      @archetuthus Well, Russia, the big gang who were attacking Apple computers. Maybe someone got paid off on this one.
    • RE: Facebook exposes hackers behind Koobface worm

      Actually, the sentence is correct as written. It is saying that none of the gang members have been charged with a crime as of now, and it also implies that hopefully in the (near) future they will be.
  • They should be Enslaved forever to payback their debt to society.

    Since they owe the world many billions in damages, wasted time etc.
    Reality Bites
  • RE: Facebook exposes hackers behind Koobface worm

    String them up.
  • I would dearly love to see these guys....

    extradited to the USA, tried, and thrown in ANGOLA prison down in Louisiana. I am sick and tired of paying for these guys' crimes through higher rates and costs. If we can not get them here, send the CIA over there to execute them. BTW, where is this so called Robin Hood revolutionary group called "Anonymous" when you need them? Here are some real targets.
    • RE: Facebook exposes hackers behind Koobface worm

      @Forensics1 Where is Anonymous? Go to anonyops.com and ask them, yourself.
    • RE: Facebook exposes hackers behind Koobface worm

      @Forensics1 I would rate Anonymous about the same level as these guys.
  • RE: Facebook exposes hackers behind Koobface worm

    Whoa, those guys have some balls using a central server for a botnet :-P
    Well, since they are in Russia I guess they don't really need to worry.

    Besides, I hate people who say the hackers are the only ones at fault. If these people had bothered to think it over before simply clicking a download button, these bot nets would have much less to exploit.
    Let's review:
    Oooh my friend with whom I rarely converse sent me a funny/sexy video? Red flag #1.
    Uh oh, even though I just spent most of my day playing farmville online, I guess I need to update my flash player. Red Flag #2.
    Hmm my computer keeps redirecting me to weird sites and wants me to buy anti-virus software with an extremely generic name made by a company I have never heard of and won't even consider googling. Red flag #3.

    And then people with these issues, such as malware, KEEP using their computers, without even thinking about trying to eradicate the problem, or even googling it.
  • For how much I have been inconvenienced over the decades...

    Each one and all at the same time...
    Pull their fingernails and soak them in warm salty water.
    THEN when the screaming subsides...
    Take a sledge hammer and smash every finger.
    THEN when the screaming subsides...
    Take that sledge hammer and smash their hands.
    THEN when the screaming subsides...
    With that sledge hammer smash their arms.
    THEN when the screaming subsides...
    Send them off to a jail until their wounds heal THEN....
    Start all over with their toes.
    BUT DO finish off with a bullet to their heads. We don't need them learning "computer activated voice command".
    .
    What? You think this is too HARSH?
    Ask them whom they screwed!
    .
    • RE: Facebook exposes hackers behind Koobface worm

      @fm-usa Umm, you really should do something about your anger issue. You are pretty scary!
  • Any hackers up for the challenge?

    Wouldn't it be cool for a change to hear of hackers going after and getting the bad guy?

    Just a thought!
  • Gee... Russians again...

    Imagine that.
    If people wanted to stop this stuff, then I'd suggest Microsoft making available a hosts file that excludes all Russian IPs. Most rank-and-file folk will never need a domain from Russia. Can't get a click-thru virus if your computer can't reach the site.