Facebook, researchers turn up heat on Koobface gang

Five men are accused of creating the Koobface malware, but they may well be on the run now

Security researchers are worried that the alleged Russia-based authors of Koobface, a piece of malicious software that plagued social networking sites such as Facebook, may slip away before law enforcement can catch them.

Those concerns come after the publication of a trove of information about the five men, said to be based in St. Petersburg, Russia, that security companies, Facebook and the FBI have been carefully tracking for at least two years.

The men are alleged to have created Koobface, a network of infected computers that have been used to drive traffic to websites that sell Web nuisances such as fake antivirus software. They've allegedly made an estimated US$2 million or more since 2008 by infecting computers and directing them to harmful websites, earning a fee for every forced referral.

The information released includes photographs, email addresses, names they used on social networking sites and physical locations -- essentially, enough detail to walk to their offices, knock on the door and call them by name.

The first leak came on Jan. 9 from Dancho Danchev, a security researcher and writer who posted extensive information on his blog about Anton Korotchenko, one of those accused. Danchev harvested a wealth of information that Korotchenko, who went by the nickname "KrotReal," publicly posted on services such as Twitter and Foursquare. Danchev could not be reached for comment.

Much of the information was already known throughout the security community. A "top secret cabal," known as the Koobface Working Group, had drawn together researchers from a variety of security companies to track the group, said Graham Cluley, senior technology consultant for Sophos.

In fact, Sophos had performed an exhaustive investigation and prepared a paper scheduled for presentation at a Virus Bulletin security conference last year, said Dirk Kollberg, one of its authors. But because the FBI was involved in the investigation, the presentation was canceled.

"We had to wait to not risk giving law enforcement the chance to take action," Kollberg said.

But after Danchev's writeup, Sophos decided to release the report on Tuesday. Kollberg said "it's a shame" the initial information was released, as it could hurt law enforcement investigations.

The New York Times also published an article on the leak on Tuesday, writing that Facebook plans to disclose more information on the group. Facebook's move is unprecedented, as most technology companies rarely reveal such detailed information on people they allege are doing something criminal.

The men have not been charged by Russian authorities. The other four men have been identified as Alexander Koltyshev, Roman Koturbach, Syvatoslav Polinchuk and Stanislav Avdeiko. Korotchenko did not respond to instant messages or emails sent on Monday.

Danchev published more than 35 photographs of Korotchenko, including his ICQ name, phone number, email addresses and nicknames on Flickr, Twitter, Foursquare and Vkontakte.ru, a Russian social networking site.

Kollberg of Sophos had also collected much information on Korotchenko, who was an avid user of Foursquare, a location-based application where people can "check in" to places. Korotchenko frequently did, up to three or four times a day. Kollberg plotted Korotchenko's check-in locations and posts on Twitter into Google Earth.

"It looks awesome," Kollberg said. "You can take a tour and follow his trail."

But the trail may soon grow cold. Since the public release of the information, all of Korotchenko's accounts have vanished. The release may pose a larger problem for the FBI, which Kollberg said Sophos has had contact with since December 2009 on the case.

The FBI does not confirm ongoing investigations. Spokeswoman Jenny Shearer said on Tuesday she could not comment on Koobface. The FBI has agents that specialize in cybercrime investigations in the Ukraine, Romania, Estonia and the Netherlands, but does not have those kinds of agents based in the U.S. Embassy in Moscow, she said.

Russia has been frequently characterized as a hotbed of cybercrime and security researchers have noted that the country is difficult to work with on investigations. Russia is not a party to the Convention on Cybercrime, also known as the Budapest Convention. The treaty, which was opened for signatures in November 2001, sets guidelines for laws and procedures for dealing with Internet crime. Russia has opposed the treaty on grounds that it contains provisions the country alleges violate international law norms and countries' sovereignty.

Cybercriminals can take advantage of the lack of coordination between countries and "hide between the cracks," said David Emm, senior security researcher for the Russian security vendor Kaspersky Lab. "It's great to have joined-up initiatives, but actually if some of the key areas in terms of cybercrime development are not signed up, that leaves a bit of a hole," he said.

The alleged creators of Koobface may take advantage of that and try to melt away or assume other identities now that the heat has been turned up, said Alex Kuzmin, the U.S. director for Group-IB, a security company based in Moscow.

"We certainly think that exposing further information on those individuals involved in the Koobface botnet ... might in fact spoil or harm the ongoing investigation," Kuzmin said.

It is not unprecedented for Russian cybercriminals to occasionally take drastic action to avoid getting caught, including obtaining fake identification and even plastic surgery, Kuzmin said.

Group-IB tracked a man who targeted a Russian e-payments provider called QIWI, Kuzmin said. He was nearly apprehended in 2009 by Russian police, but fled to western Siberia where he obtained fake identification, had plastic surgery and "returned to the cybercriminal underworld as a new man" before eventually being caught, Kuzmin said.

Send news tips and comments to jeremy_kirk@idg.com

Jeremy Kirk

IDG News Service