Was the Koobface Expose the Right Move?

By Stefan Tanase

Just as a stand-up comedian carefully places his punch line at the end of the joke, I also usually leave my conclusions for the end of a post. Except for this time. This time, I would like to start with the conclusion: For an ongoing investigation not to be jeopardized, it is extremely important that all information related to those being investigated does not become public.

When (cyber)criminals suspect they’re being investigated, they become more careful. But when they are sure that someone is after them, they become unpredictable in their actions. Simply hiding, making a run, covering their tracks, buying their freedom, fighting back or any combination of these are just some of the options. I’m sure you know this if you watch the Discovery Channel.

You also know this if you’re actively tracking the latest disclosures around the Koobface botnet.

What happened with Koobface after the identities of its authors and the inner workings of their underground business became public? The obvious happened, of course. They began wiping out all public information about themselves from the Internet: Facebook profiles, Twitter feeds, Foursquare check-ins, Flickr pictures, you name it. They are covering their tracks in the cyber-world as we speak, and only God knows what else they are doing in the real world to protect the most valuable thing they have right now: their freedom.

A disclosure of information that can jeopardize an ongoing investigation is not something which I support, nor something with which I agree.

I’ve heard OSINT (open-source intelligence) used as an argument for this public disclosure. It’s not one. OSINT is about using freely available information to produce actionable intelligence, not about making actionable intelligence freely available on the Internet. Was the disclosure done to push authorities by creating pressure, or to aid them in any way? I’m not sure the pressure that was supposed to push law enforcement into actually doing something in this case will be enough to compensate for the fact that the gang behind Koobface is now destroying evidence and going further underground. The public exposure has obviously hurt the investigative effort.

Investigations can take years – many years. Anyone who has actually been involved in such an investigation knows how frustrating it can be. But it doesn’t mean that we should at one point make everything public and hope for the best. Bad guys go to jail after being on trial, not after being on trial by the media.

Therefore I am making a public plea to all security researchers that were, are or will be involved in cybercrime investigations: Don’t publish data that can ruin years of investigative work. Only share information regarding attribution with law enforcement and trusted contacts. Make sure you understand that certain legal procedures need to be followed and they might take time. Be patient and don’t become frustrated. In the end, everything will be ok. If it’s not ok, then it’s not the end.

I would love to be able to end this text on an optimistic note. However, in real life things are not black and white all the time. There are countless other e-crime related activities in which it’s not clear whether law enforcement, either alone or with private partners, is working on a case. That often makes it difficult to ‘stand by’ while it seems that nothing is being done. It’s a fine line. What is needed is a better way to determine whether something is being worked on across the various levels of law enforcement, and what level of participation by private partners is occurring.

*My thanks to Kurt Baumgartner, Andre’ M. DiMino, Costin Raiu, Roel Schouwenberg, Dmitry Tarakanov and countless other researchers for contributing to this article.

Stefan Tanase is a senior security researcher on Kaspersky Lab’s Global Research and Analysis Team.


Discussion

  • Anonymous on

    so what you're saying is that the published report on koobface has thwarted an ongoing investigation ? and that the people who wrote it published anyway ?

  • Anonymous on

    "...the gang behind Koobface are now destroying evidence..." I prefer to think of it as cleaning up after themselves.

  • Dan on

    Couldn't the Sophos guys have disclosed their research after the authorities arrest the culprits? It boggles the mind why they triumphantly declare their gumshoe investigation when the suspects are still capable of fleeing and destroying evidence.

  • сердиться женщина on

    Instead of participating in slam-book-like blogs & Social Media Marketing, the researchers at Kaspersky should concentrate on getting their products to work properly as originally intended. The latest variant of their once mighty antivirus suite is "Pure" crap and simply does not work well enough to be trusted! World famous for their inadequate support specialists, a quick look at the Kaspersky forums reveals quite a few people unhappy with a product which was obviously rushed out to a trusting public! At least rogue-ware like “Win 7 Security 2012″ stays turned on once properly installed, unlike Kaspersky Puke!

  • Anonymous on

    that's OT ^^ and I'm sure you can mention another AV product with very happy and protected (for real) customers

  • Anonymous on

    The only reason that investigations take "years" is that they're conducted by lazy, stupid, incompetent, uneducated, illiterate, untrained and uncreative drones. There's simply no reason to slow up the discovery and disclosure of information in order to accommodate these morons -- that's backwards. What should happen instead is that these idiots should be replaced by people who have a clue. Pretending -- as you foolishly and naively do here -- that sitting on information will make things better -- is a reflection of your profound lack of intelligence. Perhaps you should confine yourself to writing about those few things that your feeble intellect is capable of mastering...and IT security is clearly not one of them.

  • Anonymous on

    I agree with the post above.  If all of these independent researchers had such hard evidence, why should they have to sit on it?  Since the culprits have been identified and their actions, methods, code, sources, contacts, etc. all documented by several parties...then it doesn't matter if they are now "cleaning up" what has already been archived by researchers!!  The "authorities" were taking too much d@mn time...was the world supposed to sit idly by while the Koobfooks make another 2 million???  I don't think that this is much of an issue with "ruining an investigation" but more of an issue with "the authorities didn't get to take credit".
