Facebook exposes hackers behind Koobface worm

Update: Koobface gang pulls server after Facebook exposes hackers

As expected, Facebook today started to release information about the Koobface worm (its name is an anagram of "Facebook") and those behind it. The update comes almost a year since Facebook's last post about the infamous piece of malware. After more than three years and numerous hours of working closely with industry leaders, the security community, and law enforcement, Facebook has announced its social network has been free of the virus for over nine months.

In July 2008, the Koobface gang, as they are often referred to, sent out invitations to watch a funny or sexy video. If you clicked the link, you were told you needed to update your Adobe Flash plugin, but the download was in fact the Koobface malware. Victims' computers started showing ads for fake antivirus software and their searches were redirected to unscrupulous marketers. The security firm Kaspersky Labs estimated the botnet at somewhere between 400,000 and 800,000 PCs at its height in 2010.

Facebook's security team worked non-stop to detect the virus, remediate affected users, and eventually identify the party responsible. The company says it has been tracking the group in question ever since and has shared this investigation material, as well as information on how to best defend against the virus, with the larger security community. The goal is to enable sites still targeted by Koobface to more adequately protect their users.

The men, sometimes called Ali Baba & 4, have now had their full names and online names revealed: Stanislav Avdeyko (leDed), Alexander Koltysehv (Floppy), Anton Korotchenko (KrotReal), Roman P. Koturbach (PoMuc), Svyatoslav E. Polichuck (PsViat and PsycoMan). Avdeyko, who is over 20 years older than the other men and has been tied to an infamous spyware program from 2003 called CoolWebSearch, appears to hold a leadership role.

They have become rich from their various online schemes (their Koobface botnet has earned them millions of dollars), and are hiding in plain sight in St. Petersburg, Russia. Despite their identities being known to Facebook, independent computer security researchers, and law enforcement officials, the men live comfortable lives which include luxury vacations to places like Monte Carlo, Bali, and Turkey, according to coordinates, photographs, and messages they themselves have posted online.

All of the men have yet to be charged with a crime, nor has any law enforcement agency confirmed they are under investigation; the Koobface gang demonstrates the difficulty Western officials face in apprehending international computer criminals, even when identities are known, and especially when they operate in countries where local authorities won't touch them. When US and European law enforcement agencies don't receive cooperation, they have serious trouble putting together the required evidence.

The group made money from people who bought the bogus software and from unsuspecting advertisers: also known as pay-per-click and traffic referral schemes. After installing malware on a user's device, the group was able to redirect the user's traffic and, in some cases, trick the user into paying for fake antivirus software. Koobface was able to perform these actions by communicating with a central "Command & Control" server, known as the "Mothership," which controlled the compromised computers.

Facebook was able to stem the spread of the virus using a variety of tools (including URL blacklist as well as Scan-And-Repair), and then in March 2011 the company's security team performed a technical takedown of the Mothership. Ever since, Facebook has not seen Koobface, and it is "working hard to keep it that way."

Unfortunately, Koobface is still spreading via other web properties today. While Facebook has managed to keep Koobface off the social network, the company says it "won't declare victory against the virus until its authors are brought to justice." That's exactly why Facebook is sharing its intelligence with the rest of the online security community in the coming weeks in an effort to rid the Web of this virus forever – the company says it is in the interest of everyone online to work with law enforcement and the larger security community to takedown the gang of five.

"Nothing is more important to us than ensuring the security and safety of our users and their data," a Facebook spokesperson said in a statement. "Thankfully, we aren't in this fight alone; cybersecurity is a shared responsibility for law enforcement, industry and everyone who uses the Internet. We will continue to work with the broad security community and industry leaders, such as McAfee and Microsoft. We will stay firmly committed to our work with law enforcement in stopping these threats and bringing the bad guys to justice. Cybercrime involves and impacts real people, and we praise those in the security community for coming together to expose those who have broken the law. We are confident that our work in identifying those responsible will put a significant dent in their ability to harm those online and lead to a safer internet for all."

See also:

• Facebook virus or account hacked? Here's how to fix it.
• Facebook releases official Guide to Facebook Security
• Experts: Facebook crime is on the rise
• Sex sells: Men fall for Facebook scams more than women
• Researchers invade Facebook with socialbots, grab 250GB of data
• Facebook Immune System checks 25 billion actions every day