Koobface gang pulls server after Facebook exposes hackers

After Facebook released their identities, the five hackers behind the Koobface worm have apparently taken down their "Mothership" server and have started deleting their social networking accounts.
Written by Emil Protalinski, Contributor

After Facebook exposed the hackers behind the Koobface worm, their central "Command & Control" server, known as the "Mothership," has stopped responding. Furthermore, the five individuals collectively known as the Koobface gang have started deleting their profiles on social networks, which was one of the main sources used to help uncover their identities.

Earlier this week, it came to light that Facebook was planning to expose the hackers by releasing information about the Koobface worm (its name is an anagram of "Facebook") and those behind it. The company did not disappoint. First it declared its social network has been free of the virus for over nine months thanks to more than three years and numerous hours of working closely with industry leaders, the security community, and law enforcement. Then it promised to share its intelligence with the rest of the online security community in the coming weeks in an effort to rid the Web of this virus forever.

"The thing that we are most excited about is that the botnet is down," Ryan McGeehan, manager of Facebook's security response team, told Reuters. "Our decision to become transparent about this has had a 24-hour impact. Only time will tell if it's permanent but it was certainly effective."

The men, sometimes called Ali Baba & 4, have now had their full names and online names revealed: Stanislav Avdeyko (leDed), Alexander Koltysehv (Floppy), Anton Korotchenko (KrotReal), Roman P. Koturbach (PoMuc), Svyatoslav E. Polichuck (PsViat and PsycoMan). Avdeyko, who is over 20 years older than the other men and has been tied to an infamous spyware program from 2003 called CoolWebSearch, appears to hold a leadership role.

They have become rich from their various online schemes (their Koobface botnet has earned them millions of dollars), and are hiding in plain sight in St. Petersburg, Russia. Despite their identities being known to Facebook, independent computer security researchers, and law enforcement officials, the men live comfortable lives which include luxury vacations to places like Monte Carlo, Bali, and Turkey, according to coordinates, photographs, and messages they themselves have posted online.

While the group has suddenly decided to try covering up its tracks on the Internet, it's too late. Security researchers and law enforcement agencies already have archives of all the information the Koobface gang members shared online.

All of the men have yet to be charged with a crime, nor has any law enforcement agency confirmed they are under investigation; the Koobface gang demonstrates the difficulty Western officials face in apprehending international computer criminals, even when identities are known, and especially when they operate in countries where local authorities won't touch them. When US and European law enforcement agencies don't receive cooperation, they have serious trouble putting together the required evidence.

In fact, the Interior Ministry's K Directorate says that it has not looked into the activities of the Koobface gang because Facebook did not ask it to. "An official request needs to be filed to the K Directorate first, and when it's filed, we will certainly investigate and work on it," Larisa Zhukova, a representative at the cyber unit, said in a statement. "The request must come from the victim, that is Facebook. Because anyone can say or write anything, but it is all unfounded so far. Even if it turns into a criminal case, the investigative unit will decide on possible charges. It is hard to hypothesize on a possible sentence right now." If submitted, a request would undergo a 30-day review, followed by an initial check.

This all started in July 2008, when the Koobface gang sent out invitations to watch a funny or sexy video. If you clicked the link, you were told you needed to update your Adobe Flash plugin, but the download was in fact the Koobface malware. Victims' computers started showing ads for fake antivirus software and their searches were redirected to unscrupulous marketers. The botnet's size was estimated to be somewhere between 400,000 and 800,000 PCs at its height in 2010.

The group made money from people who bought the bogus software and from unsuspecting advertisers: also known as pay-per-click and traffic referral schemes. After installing malware on a user's device, the group was able to redirect the user's traffic and, in some cases, trick the user into paying for fake antivirus software.

Facebook's security team worked non-stop to detect the virus, remediate affected users, and eventually identify the party responsible. Facebook was able to stem the spread of the virus using a variety of tools (including URL blacklist as well as Scan-And-Repair), and then in March 2011 the company's security team performed a technical takedown of the Mothership. Ever since, Facebook has not seen Koobface, and it is "working hard to keep it that way." Now it seems like the Mothership is down for good.

At the start of this week, Koobface was still spreading via other web properties. For nine months Facebook kept Koobface off its service, and this week it managed to get the main server pulled, but the company still "won't declare victory against the virus until its authors are brought to justice." That won't happen for a while, if ever, but Menlo Park is certainly now one step closer. I have contacted Facebook and will update you if I hear back with more information.

Update: Facebook declined to comment on this article.

See also:

Editorial standards