Facebook outs Koobface worm crew

Social network scour helps reveal five members.
  • Liam Tung (CSO Online)
  • 18 January, 2012 09:10

Facebook on Tuesday named the five people it believes were behind the notorious Koobface worm, which duped a few hundred thousand Facebook users into downloading its malware.

The key Koobface operators include Anton Korotchenko, Stanislav Avdeyko, Svyatoslav Polichuck, Roman Koturbach and Alexander Koltyshev, the New York Times reported Tuesday.

The crew were believed to have earned about US$2 million a year, according to Canadian security firm SecDev. The worm, discovered by Russian antivirus firm Kaspersky, prompted Facebook to undertake a major investigation beginning in 2008 to uncover the people behind it.

Koobface revenue depended on a combination of click-fraud and fake security software, while its malware was spread by luring users - primarily from Facebook but also other social networks like Twitter and Bebo - with the promise of a video which required them to install a new but fake codec or an Adobe Flash upgrade.

Facebook said Tuesday it would begin sharing information it has on the Koobface-five with security vendors and other web companies.

Sophos, which was also involved in the investigation, led by its researcher Dirk Kollberg, traced the group's operations back to St Petersburg, Russia and the Czech Republic.

Much of Kollberg's research between October 2009 and February 2010 in linking the five members was conducted via business registries and Russia's equivalent of Facebook, Vkontakte.

Sophos' key find was a file it located in December 2009 which contained a full daily backup of the Koobface command and control software, allowing Kollberg to analyse the network's management tools.

Facebook said it has been free of Koobface infections for over nine months, after its March 2011 "technical takedown" of the Koobface command and control "Mothership".
