Koobface Gang Apparently Hiding in Plain Sight

The individuals allegedly responsible for wreaking havoc on Facebook with the infamous Koobface botnet are living lavishly, blatantly flaunting their ill-gotten gains and taking few precautions to cover their tracks. Their locations, travels, business ventures, social media personas, and Internet and real-life identities are apparently well documented, but no one seems able to do anything about it.

According to a report published yesterday in the New York Times, Facebook has been aware of the identities of some of the men responsible for years and intends to make that information public. However, this appears to be a scenario in which Facebook is about to make public what many already know.

In a lengthy report, Sophos claims that the gang operates out of a rented office space on the top floor of a St. Petersburg, Russia, building and goes on family vacations together, presumably using money from their online exploits.

Independent researcher Jan Droemer and Sophos’s Dirk Kollberg identified a Koobface command and control (C&C) server. The Koobface gang made many mistakes, two of particular note. First, they enabled the mod_status module on the C&C web server, which gave any visitor a live view of requests to the web server and thus revealed file and directory names. Second, after the gang corrected that error, they installed the Webalizer statistics tool in a publicly accessible location, which allowed even greater insight into the structure of the C&C system, especially once Droemer and Kollberg discovered the daily backup file.
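The two exposures described above are ordinary Apache httpd misconfigurations, and the fix for each is a one-line access rule. The fragment below is an added illustration for defenders, not configuration taken from the Sophos report or from the server it describes: the "before" block shows a world-readable `server-status` handler of the kind that leaks request URLs (and with it file and directory names), the "after" block restricts it to the local host and an administrative network, and a final `Directory` block keeps statistics output such as Webalizer's off the web entirely. The file path and the 10.0.0.0/8 range are placeholders, and the two `server-status` blocks are alternatives, not meant to appear in the same configuration.

```apacheconf
# --- BEFORE (weak): anyone on the Internet can read the live status page ---
# Apache 2.4 syntax. "Require all granted" is the setting that turns mod_status
# into a public window onto every request the server is handling.
<IfModule mod_status.c>
    ExtendedStatus On
    <Location "/server-status">
        SetHandler server-status
        Require all granted
    </Location>
</IfModule>

# --- AFTER (hardened): status page reachable only by administrators ---
# "Require local" admits loopback clients; the "Require ip" line is a
# placeholder for an actual admin network and should be adjusted or removed.
# ExtendedStatus Off also stops the page from listing per-request URLs.
<IfModule mod_status.c>
    ExtendedStatus Off
    <Location "/server-status">
        SetHandler server-status
        Require local
        Require ip 10.0.0.0/8
    </Location>
</IfModule>

# Statistics generators such as Webalizer write HTML reports into a directory.
# If that directory sits under the document root, deny HTTP access to it so the
# reports (and the structure they reveal) are only readable on the host itself.
# The path below is a placeholder for wherever the reports are written.
<Directory "/var/www/html/webalizer">
    Require all denied
</Directory>
```

A quick self-check after reloading httpd is to request `/server-status` from an external address and confirm a 403 rather than a status page; the same request from the host itself should still succeed under the hardened block.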

The researchers quickly discovered a Prague-based IP address on which the “Koobface Mothership” is hosted. This so-called mothership eventually led them to the apparent identities of the Koobface Gang. The Sophos report provides a detailed account of how Droemer and Kollberg deduced much of the information about the Koobface operators.

The Koobface Gang refers to itself as “Ali Baba & 4.” Analysis of a PHP script used to send text messages with daily revenue statistics to five mobile phones leads to the conclusion that Koobface is, or once was, operated by five individuals. Further analysis of the backups led the researchers to the location of the St. Petersburg office building the group is believed to operate out of and to the Internet personas of three of its members: Krotreal, LeDed, and PoMuC. The researchers also became aware of the often-referenced company MobSoft LLC. Further digging turned up more associated identities: Alexander K., operating under the alias “Floppy,” and Svyatoslav P., who also operated as “psviat” and under other nicknames.

From there, the researchers cross-referenced those nicknames against the endless array of Web 2.0 websites and found that they could easily be linked to robust, accessible social media identities, which could in turn be connected to the real-life identities of the Koobface Gang, their family, friends, and significant others. The Koobface Gang themselves did a decent job of locking down their social media profiles, but the same cannot be said of their friends and family, through whom the researchers were able to access a slew of information on the alleged operators.

Citing Facebook’s research, the New York Times names the alleged operators of Koobface. Sophos’s report names the same men and goes one step further, describing their association with the Koobface operation and the roles they played within it.