Koobface crooks unmasked?
Facebook and Sophos believe they have the names of the crooks behind the Koobface botnet.


Facebook and security researchers believe they have the names of the gang behind notorious botnet Koobface.
The social networking giant, which has been one of the main targets of the Koobface criminals, is expected to announce today that it will start sharing the information it holds on the group with the security community, the New York Times reported.
Facebook is planning to name four men who it believes to be involved in the gang behind Koobface, a botnet that Kaspersky estimated had infected between 400,000 and 800,000 machines at its peak.
Koobface malware has primarily been spread via Facebook.
Investigators claimed the group is working in Russia and in plain sight. Despite the raft of information gathered on them, no prosecutions have been brought.
Leaving tracks uncovered
Sophos has been tracking the group and says the crooks have made a number of mistakes, leaving digital traces across the internet. One error was failing to restrict access to information about their command and control (C&C) infrastructure.
"It turned out that the Apache web server on one of the active Command & Control servers (captchastop.com, 67.212.69.230) had the mod_status module enabled. Having enabled this web server module, any visitor is provided with public access to a live view of requests made to the web server, thereby revealing file and directory names," Sophos explained in a blog post.
"Although this mistake was noted and corrected at the end of October 2009, it was only days later when the gang made yet another mistake by installing the Webalizer statistics tool in a publicly accessible way, allowing for an even better insight into the structures of their Command & Control system."
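The two mistakes Sophos describes, an openly reachable mod_status page and a publicly browsable Webalizer directory, are both access-control failures in the web server configuration. The following Apache 2.4 configuration is an added illustration, not taken from the Sophos post or from the Koobface servers; it shows the leaking setup beside a hardened one. The stats path /var/www/webalizer and the admin subnet 10.0.0.0/8 are hypothetical placeholders. The two halves are alternatives for comparison and should not be loaded together, since Apache would merge the duplicate sections.

```apache
# ---- Weak: what leaks --------------------------------------------------
# mod_status loaded and /server-status served with no access control, so
# any visitor sees the live request list: client IPs, request URIs and
# therefore file and directory names on the C&C host. ExtendedStatus On
# adds the full request line for each worker to that view.
LoadModule status_module modules/mod_status.so
ExtendedStatus On
<Location "/server-status">
    SetHandler server-status
</Location>

# Webalizer reports written straight into a web-served directory with
# access granted to everyone; its "top URLs" tables then advertise every
# path fetched from the server, backup archives included.
Alias /webalizer "/var/www/webalizer"
<Directory "/var/www/webalizer">
    Require all granted
</Directory>

# ---- Hardened: same features, operator-only access -------------------
# Keep the status page for operators: loopback plus one admin subnet
# (hypothetical 10.0.0.0/8). Multiple Require lines in a section are ORed
# by default, so either source is accepted and everything else gets 403.
# Leave ExtendedStatus off unless the per-request detail is needed.
ExtendedStatus Off
<Location "/server-status">
    SetHandler server-status
    Require local
    Require ip 10.0.0.0/8
</Location>

# Stats directory behind the same restriction, with directory indexes off
# so a missing index page cannot list every report file.
Alias /webalizer "/var/www/webalizer"
<Directory "/var/www/webalizer">
    Options -Indexes
    Require local
    Require ip 10.0.0.0/8
</Directory>
```

After reloading, a request for /server-status or /webalizer/ from an address outside the allowed ranges should return 403, while the same request from the loopback interface still works; checking both sides of that boundary is the quickest way to confirm the restriction actually applies.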
The Webalizer statistics revealed in late 2009 that a file named "last.tar.bz2" was a full daily backup of the Koobface C&C software, which Sophos obtained for full analysis.
This meant IP addresses relating to the gang could be obtained. More critically, Sophos was able to recover a PHP script used to submit daily revenue statistics via short text messages to five mobile phones, which gave the researchers phone numbers to work with, as well as the nicknames of the recipients.
The nicknames Krotreal, LeDed and PoMuC proved particularly helpful. They were used to track down profiles of potential subjects on sites including Facebook, Twitter and Flickr, as well as photos which provided yet more useful information.
Other data acquired from the C&C server indicated one of the suspects worked at a software development company called MobSoft, which was determined to be based in St Petersburg.
One of the company's contact numbers matched one of the mobile numbers found in the Koobface SMS data.
The PoMuC suspect was linked to Elitum, a company similar to MobSoft.
Sophos also used information about suspects' family members from social networks to further its investigation.
Another lead was a picture of one of the suspects at a porn conference with his wife.
"The full evidence is in the hands of the law enforcement agencies, and we wait to see what - if any - actions are taken to bring down the Koobface gang."
Facebook had not offered any official comment on the Koobface situation at the time of publication.
Koobface initially targeted Windows PCs but moved to attacking Macs as well in late 2010.
Later that year, the botnet took a serious hit when servers hosting its C&C centre were taken down in the UK.
The main C&C centre was located on servers based at UK hosting company Coreix, which worked with police in removing criminal activity from their systems.
Facebook claimed to have effectively stopped Koobface spreading on the social network last year.
Tom Brewster is currently an associate editor at Forbes and an award-winning journalist who covers cyber security, surveillance, and privacy. Starting his career at ITPro as a staff writer and working up to a senior staff writer role, Tom has been covering the tech industry for more than ten years and is considered one of the leading journalists in his specialism.
He is a proud alum of the University of Sheffield where he secured an undergraduate degree in English Literature before undertaking a certification from General Assembly in web development.