Earlier this week, after Sophos wrote a detailed report on the people behind Koobface, a family of malware that takes its name from its original target, the command and control servers used by the gang halted operations. In addition, the members exposed by the Sophos report have started deleting the online breadcrumbs that allowed researchers to discover them in the first place.
The Sophos researchers worked for more than two years and, on Tuesday, published the names, locations, photos, and known aliases of the five men accused of operating the Koobface botnet. Less than 24 hours later, the C&C servers used by Koobface were down. As mentioned, the botnet takes its name from the original target, Facebook. Arriving on the scene in 2008, Koobface is estimated to operate more than 500,000 bots, each one representing a compromised PC. For those interested, Sophos’ report is here.
It’s believed that the men named by the Sophos report are behind the shutdown, and there is evidence that they are cleaning up after themselves, as various social profiles and other methods used for tracking them are being deleted from the Web.
In one picture, two of the men named in the report checked in on Foursquare, allowing researchers not only to snag a photo of them, but also to follow their travel patterns around Russia. The collective data taken from Foursquare can be placed into Google, allowing for a detailed pattern of travel to be checked and referenced. At this stage, the removal of social profiles and other miscellaneous information from the Web will do little to help the five men named.
Ryan McGeehan, speaking on behalf of Facebook's security team, is quoted by several media outlets as calling the C&C shutdown exciting.
“The thing that we are most excited about is that the botnet is down. Our decision to become transparent about this has had a 24-hour impact. Only time will tell if it's permanent but it was certainly effective,” he said.
Unfortunately, despite the information made available by the research, Russia’s anti-cybercrime unit, the Interior Ministry's K Directorate, cannot investigate or take any action. This is because Facebook has yet to make a formal complaint.
“An official request needs to be filed to the K Directorate first, and when it's filed, we will certainly investigate and work on it,” a representative told Reuters.
“The request must come from the victim, that is Facebook. Because anyone can say or write anything, but it is all unfounded so far. Even if it turns into a criminal case, the investigative unit will decide on possible charges. It is hard to hypothesize on a possible sentence right now.”