The Tech Herald

Koobface drops offline after key members exposed

by Steve Ragan - Jan 19 2012, 19:10

(Image: J. Anderson)

Earlier this week, after Sophos published a detailed report on the people behind Koobface, a family of malware that takes its name from its original target, the command and control servers used by the gang halted operations. In addition, the members exposed by the Sophos report have started deleting the online breadcrumbs that allowed researchers to identify them in the first place.

The Sophos researchers worked for more than two years and, on Tuesday, published the names, locations, photos, and known aliases of the five men accused of operating the Koobface botnet. Less than 24 hours later, the C&C servers used by Koobface were down. As mentioned, the botnet takes its name from its original target, Facebook. Arriving on the scene in 2008, Koobface is estimated to operate more than 500,000 bots, each one representing a compromised PC. For those interested, Sophos’ report is here.

It’s believed that the men named in the Sophos report are behind the shutdown, and there is evidence that they are cleaning up after themselves, as various social profiles and other data used to track them are being deleted from the Web.

In one picture, two of the men named in the report checked in on Foursquare, allowing researchers not only to obtain a photo of them but also to follow their travel patterns around Russia. The collective data taken from Foursquare can be plotted in Google, allowing a detailed pattern of travel to be checked and cross-referenced. At this stage, removing social profiles and other miscellaneous information from the Web will do little to help the five men named.

Ryan McGeehan, speaking on behalf of Facebook's security team, is quoted by several media outlets as calling the C&C shutdown exciting.

“The thing that we are most excited about is that the botnet is down. Our decision to become transparent about this has had a 24-hour impact. Only time will tell if it's permanent but it was certainly effective,” he said.

Unfortunately, despite the information made available by the research, Russia’s anti-cybercrime unit, the Interior Ministry's K Directorate, cannot investigate or take any action, because Facebook has yet to file a formal complaint.

“An official request needs to be filed to the K Directorate first, and when it's filed, we will certainly investigate and work on it,” a representative told Reuters.

“The request must come from the victim, that is Facebook. Because anyone can say or write anything, but it is all unfounded so far. Even if it turns into a criminal case, the investigative unit will decide on possible charges. It is hard to hypothesize on a possible sentence right now.”
