LONDON (01/18/2012) – Facebook could be about to take the unprecedented step of distributing the names of the Russians it believes were behind the Koobface worm that waged an infamous botnet campaign against the site’s users from 2008 onwards.
A report in the New York Times said that Facebook would today start circulating information on the gang to security companies and researchers, effectively a public unmasking in all but name.
This is despite the identities of some of the alleged gang already being known to a select group of security companies, including Facebook itself, that have pieced together the structure and design of the botnet built by it after penetrating command and control servers – the so-called ‘Mothership’ – in late 2009. The bot was seriously disrupted a year later.
Allegedly, the Koobface gang currently reside in St Petersburg, enjoying luxury breaks in locations such as Bali, Monte Carlo and Turkey, and are certainly known to local police authorities as well as the FBI.
Investigators have even been able to capture images of the men working in loft offices using Apple Macs as well as discover their online nicknames. A few appear to have been involved in legitimate software businesses though the oldest of the group is said to be connected to porn-popup spyware program CoolWebSearch which first appeared in 2003.
Their alleged creation, Koobface, was always a strange piece of malware marked out by a disarming mixture of cleverness (exploiting social media including sites other than Facebook) and pragmatism (the botnet is not believed to have exceeded a million hosts at its peak).
Koobface probably generated comparatively modest sums of around $2 million per annum using a mixture of click fraud and revenues from generating leads for Fake antivirus scams.
Indeed, plenty is now known about the alleged gang with an unusually detailed expose being published by Sophos Labs’ researchers to coincide with the news from Facebook.
What Facebook hopes to achieve other than drawing attention to the uncomfortable level of police antipathy to cybercrime in some countries is hard to say.
“We know the gang’s names, their phone numbers, where their office is, what they look like, what cars they drive, even their mobile phone numbers,” said Graham Cluley of Sophos. “Now we have to wait and see what, if any, action the authorities will take against the Koobface gang.”
Software companies taking matters such as this into their own hands is not unheard of. Last summer Microsoft took out ads in Russian newspapers as part of its legal campaign against the Rustock botnet, also offering a large bounty for the arrest of its creators.