Facebook, researchers turn up heat on Koobface gang

Five men are accused of creating the Koobface malware, but they may well be on the run now

Security researchers are worried that the alleged Russia-based authors of Koobface, a piece of malicious software that plagued social networking sites such as Facebook, may slip away before law enforcement can catch them.

Those concerns come after the publication of a trove of information about the five men, said to be based in St. Petersburg, Russia, that security companies, Facebook and the FBI have been carefully tracking for at least two years.

The men are alleged to have created Koobface, a network of infected computers that have been used to drive traffic to websites that sell Web nuisances such as fake antivirus software. They've allegedly made an estimated US$2 million or more since 2008 by infecting computers and directing them to harmful websites, earning a fee for every forced referral.

The information released includes photographs, email addresses, names they used on social networking sites and physical locations -- essentially, enough detail to walk to their offices, knock on the door and call them by name.

The first leak came on Jan. 9 from Dancho Danchev, a security researcher and writer who posted extensive information on his blog about Anton Korotchenko, one of those accused. Danchev harvested a wealth of information that Korotchenko, who went by the nickname "KrotReal," publicly posted on services such as Twitter and Foursquare. Danchev could not be reached for comment.

Much of the information was already known throughout the security community. A "top secret cabal," known as the Koobface Working Group, had drawn together researchers from a variety of security companies to track the group, said Graham Cluley, senior technology consultant for Sophos.

In fact, Sophos had performed an exhaustive investigation and prepared a paper scheduled for presentation at a Virus Bulletin security conference last year, said Dirk Kollberg, one of its authors. But because the FBI was involved in the investigation, the presentation was canceled.

"We had to wait to not risk giving law enforcement the chance to take action," Kollberg said.

But after Danchev's writeup, Sophos decided to release the report on Tuesday. Kollberg said "it's a shame" the initial information was released, as it could hurt law enforcement investigations.

The New York Times also published an article on the leak on Tuesday, writing that Facebook plans to disclose more information on the group. Facebook's move is unprecedented, as most technology companies rarely reveal such detailed information on people they allege are doing something criminal.

The men have not been charged by Russian authorities. The other four men have been identified as Alexander Koltyshev, Roman Koturbach, Syvatoslav Polinchuk and Stanislav Avdeiko. Korotchenko did not respond to instant messages or emails sent on Monday.

Danchev published more than 35 photographs of Korotchenko, including his ICQ name, phone number, email addresses and nicknames on Flickr, Twitter, Foursquare and Vkontakte.ru, a Russian social networking site.

Kollberg of Sophos had also collected much information on Korotchenko, who was an avid user of Foursquare, a location-based application where people can "check in" to places. Korotchenko frequently did, up to three or four times a day. Kollberg plotted Korotchenko's check-in locations and posts on Twitter into Google Earth.

"It looks awesome," Kollberg said. "You can take a tour and follow his trail."

But the trail may soon grow cold. Since the public release of the information, all of Korotchenko's accounts have vanished. The release may pose a larger problem for the FBI, which Kollberg said Sophos has had contact with since December 2009 on the case.

The FBI does not confirm ongoing investigations. Spokeswoman Jenny Shearer said on Tuesday she could not comment on Koobface. The FBI has agents that specialize in cybercrime investigations in the Ukraine, Romania, Estonia and the Netherlands, but does not have those kinds of agents based in the U.S. Embassy in Moscow, she said.

Russia has been frequently characterized as a hotbed of cybercrime and security researchers have noted that the country is difficult to work with on investigations. Russia is not a party to the Convention on Cybercrime, also known as the Budapest Convention. The treaty, which was opened for signatures in November 2001, sets guidelines for laws and procedures for dealing with Internet crime. Russia has opposed the treaty on grounds that it contains provisions the country alleges violate international law norms and countries' sovereignty.

Cybercriminals can take advantage of the lack of coordination between countries and "hide between the cracks," said David Emm, senior security researcher for the Russian security vendor Kaspersky Lab. "It's great to have joined-up initiatives, but actually if some of the key areas in terms of cybercrime development are not signed up, that leaves a bit of a hole," he said.

The alleged creators of Koobface may take advantage of that and try to melt away or assume other identities now that the heat has been turned up, said Alex Kuzmin, the U.S. director for Group-IB, a security company based in Moscow.

"We certainly think that exposing further information on those individuals involved in the Koobface botnet ... might in fact spoil or harm the ongoing investigation," Kuzmin said.

It is not unprecedented for Russian cybercriminals to occasionally take drastic action to avoid getting caught, including obtaining fake identification and even plastic surgery, Kuzmin said.

Group-IB tracked a man who targeted a Russian e-payments provider called QIWI, Kuzmin said. He was nearly apprehended in 2009 by Russian police, but fled to western Siberia where he obtained fake identification, had plastic surgery and "returned to the cybercriminal underworld as a new man" before eventually being caught, Kuzmin said.

Send news tips and comments to jeremy_kirk@idg.com

Jeremy Kirk

IDG News Service