Facebook to expose hackers behind Koobface worm

Facebook to expose hackers behind Koobface worm

Summary: Facebook plans to name the five hackers behind the Koobface worm, which wreaked havoc on the social network a few years ago. All of the men have yet to be charged for their crimes.


Update: Facebook exposes hackers behind Koobface worm

Facebook today will expose five men believed to be responsible for spreading the notorious Koobface worm (its name is an anagram of "Facebook") on the social network and other services. They have become rich from their various online schemes (their Koobface botnet has earned them millions of dollars), and are hiding in plain sight in St. Petersburg, Russia. Despite their identities being known to Facebook, independent computer security researchers, and law enforcement officials, the men live comfortable lives which include luxury vacations to places like Monte Carlo, Bali, and Turkey, according to coordinates, photographs, and messages they themselves have posted online.

In July 2008, the Koobface gang, as they are often referred to, sent out invitations to watch a funny or sexy video. If you clicked the link, you were told you needed to update your Adobe Flash plugin, but the download was in fact the Koobface malware. Victims' computers started showing ads for fake antivirus software and their searches were redirected to unscrupulous marketers. The group made money from people who bought the bogus software and from unsuspecting advertisers. The security firm Kaspersky Labs estimated the botnet at somewhere between 400,000 and 800,000 PCs at its height in 2010.

Weeks after early versions of the Koobface worm began appearing on Facebook, the company traced the attacks to those responsible. All of the men have yet to be charged with a crime, nor has any law enforcement agency confirmed they are under investigation; the Koobface gang demonstrates the difficulty Western officials face in apprehending international computer criminals, even when identities are known, and especially when they operate in countries where local authorities won't touch them. When US and European law enforcement agencies don't receive cooperation, they have serious trouble putting together the required evidence.

My ZDNet colleague Dancho Danchev, revealed the name of one Koobface gang members as Anton Nikolaevich Korotchenko on his personal blog last week: Who's Behind the Koobface Botnet? - An OSINT Analysis. According to The New York Times, Facebook will today tell security researchers and other Internet companies about the group and how to fight them as it believes a public naming can make it harder for such groups to operate.

The men, sometimes called Ali Baba & 4, have now had their full names and online names revealed: Stanislav Avdeyko (leDed), Alexander Koltysehv (Floppy), Anton Korotchenko (KrotReal), Roman P. Koturbach (PoMuc), Svyatoslav E. Polichuck (PsViat and PsycoMan). Avdeyko, who is over 20 years older than the other men and has been tied to an infamous spyware program from 2003 called CoolWebSearch, appears to hold a leadership role.

Upon learning of Facebook's plans, security firm Sophos decided to publish its own findings, confirming the five identities. Jan Drömer, a 32-year-old independent researcher in Germany, and Dirk Kollberg of SophosLabs, conducted a detailed investigation into the Koobface gang between early October 2009 and February 2010, but authorities requested that it be kept confidential so they had the necessary time to build a case. Drömer, who unmasked the gang members using only information available publicly on the Internet, even managed to get a password-free view inside Koobface's command-and-control system, known as the "Mothership."

At the end of the seven-page report, the authors of the investigation thank people from different organisations for the joint effort collecting information about Koobface, clearly showing who contributed:

  • Facebook Security Team
  • Gary Warner - UAB Center for Information Assurance and Joint Forensics Research
  • Claudio Guarnieri - iSIGHT Partners
  • Trend Micro Threat Research
  • Infowar Monitor
  • Thomas from CERT-Bund
  • CSIS Security Group A/S
  • and various law enforcement agencies around the globe.

While the Koobface gang has yet to be apprehended, Facebook has managed to fight off the worm, which attacked the service repeatedly until it disappeared in March. After the company tried to dismantle the Mothership, pushed to scrub its service of the worm, and worked to clean users' PCs of infections, the group abandoned the site. Joe Sullivan, chief security officer at Facebook, said his team's goal was to make Facebook unprofitable for the gang.

See also:

Topics: Hardware, Security, Social Enterprise

Emil Protalinski

About Emil Protalinski

Emil is a freelance journalist writing for CNET and ZDNet. Over the years,
he has covered the tech industry for multiple publications, including Ars
Technica, Neowin, and TechSpot.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • RE: Facebook to expose hackers behind Koobface worm

    What really bugs me about this is that our law enforcement can't/won't do anything about these major villians but have no problem ruining a povery stricken single mom who shared a dozen songs that probably weren't worth the 99 cents anyway.
    • RE: Facebook to expose hackers behind Koobface worm

      Anthony E
    • RE: Facebook to expose hackers behind Koobface worm

      @Bill4 nice excuse. don't try to make an illegal activity ok because someone is poverty stricken or because the value of what they stole is low, its not like that mom in your example stole to put food on the table for her kids.

      That said they should throw the book at these guys as well.
    • RE: Facebook to expose hackers behind Koobface worm


      Our law enforcement agencies can't do anything about it beacuse these criminals live in Russia and we have no jurisdiction there. I promise you that if they ever step foot on U.S. soil they'll wish they were a simple single mom busted for sharing music online.

      I do agree with your sentiment, however, when we compare the treatment of said single mom to the virtual prosecutorial immunity enjoyed by wall streek bankers and crooks who engineered a the series of trillion dollar frauds that collapsed the economy in 2008 and have managed to walk away largely unscathed and fabulously wealthy.
  • RE: Facebook to expose hackers behind Koobface worm

    Facebook best be careful they have enough proof, because whoever they name may find a lawyer and sue them for libel and with Facebook's size it is a ripe target for lawsuits.
  • Koobface

    I think it's one of the most effective social engineering tricks in a social networking site. Very effective as it was the first of its kind to trick millions of people that their Flash version is old. I encountered this video when my cousin visited home and can't play the movie, I was lucky I was not hit by this malware as I tried to download the updated version of flash from official Adobe site. The video in facebook didn't play even with the latest version, so I told my cousin the video has problems or facebook server hosting the movie is down. Lucky escape.
  • Facebook and US Government are hot in bed

    Pretty much this. Facebook is anti-freedom and government is in bed with them
    beau parisi