Koobface infections stop after hackers named
One of the most common sources of computer intrusions has stopped infecting new machines after security researchers released the names of five suspected ringleaders.
After more than two years of work, a pair of researchers working with Facebook published the names, aliases and photographs of a gang they accused of running a criminal enterprise known as Koobface that had primarily targeted Facebook after it cropped up in 2008.
German security researchers Jan Droemer and Dirk Kollberg said that servers that ran the Koobface operation stopped responding on Tuesday morning after they released an in-depth report via Kollberg’s employer, antivirus software maker Sophos.
Some computers used to control Koobface had previously been disabled and it had not spread through Facebook connections since early last year.
But until the new disclosures, the Koobface gang had continued to target other social networks as a long-running FBI probe failed to result in arrests in Russia.
Koobface spread primarily through captured social networking accounts that prompted friends to install software to view a video. Initially content with small-scale advertising fraud, the group had also begun to distribute more pernicious software, including the Zeus trojans for bank-account theft, according to another researcher collaborating with Facebook, Gary Warner of the University of Alabama-Birmingham.
Kaspersky Lab said its database showed that the Koobface virus had afflicted between 400,000 and 800,000 computers during its heyday in 2010.
“The thing that we are most excited about is that the botnet is down,” said Facebook security official Ryan McGeehan. “Our decision to become transparent about this has had a 24-hour impact. Only time will tell if it’s permanent but it was certainly effective.”
Disrupting the gang
Droemer and Kollberg said that they had planned to hold off on publishing their data until law enforcement had captured the suspects. They released it earlier, with Facebook’s blessing, after one of those suspects, who goes by the alias “Krotreal,” was named last week by another researcher.
Facebook chief security officer Joe Sullivan said he had endorsed the release because he felt the exposure might disrupt the group.
Indeed, those identified have erased social networking profiles cited by the researchers, and many of the phone numbers have been reassigned.
“Krotreal,” for example, renamed his account on the Russian social networking site twice, then deleted it altogether, along with his Twitter feed and LiveJournal accounts.
Russia’s anti-cybercrime unit, the Interior Ministry’s K Directorate, said it has yet to investigate the matter because it has not been asked to.
“An official request needs to be filed to the K Directorate first, and when it’s filed, we will certainly investigate and work on it,” Larisa Zhukova, a representative at the cyber unit, told Reuters. “The request must come from the victim, that is Facebook.”
A spokesman for the FBI did not respond to a request for comment.
“I like that we’re getting the dialogue about the challenges of cross-border enforcement,” Sullivan, the Facebook security officer, said. “Ultimately, the goal here is to have an impact. As a security team, we don’t have the luxury that every case ends in an arrest.”