Update: Facebook exposes hackers behind Koobface worm

Facebook today will expose five men believed to be responsible for spreading the notorious Koobface worm (its name is an anagram of "Facebook") on the social network and other services. They have become rich from their various online schemes (their Koobface botnet has earned them millions of dollars), and are hiding in plain sight in St. Petersburg, Russia. Despite their identities being known to Facebook, independent computer security researchers, and law enforcement officials, the men live comfortable lives which include luxury vacations to places like Monte Carlo, Bali, and Turkey, according to coordinates, photographs, and messages they themselves have posted online.

In July 2008, the Koobface gang, as they are often referred to, sent out invitations to watch a funny or sexy video. If you clicked the link, you were told you needed to update your Adobe Flash plugin, but the download was in fact the Koobface malware. Victims' computers started showing ads for fake antivirus software and their searches were redirected to unscrupulous marketers. The group made money from people who bought the bogus software and from unsuspecting advertisers. The security firm Kaspersky Labs estimated the botnet at somewhere between 400,000 and 800,000 PCs at its height in 2010.

Weeks after early versions of the Koobface worm began appearing on Facebook, the company traced the attacks to those responsible. All of the men have yet to be charged with a crime, nor has any law enforcement agency confirmed they are under investigation; the Koobface gang demonstrates the difficulty Western officials face in apprehending international computer criminals, even when identities are known, and especially when they operate in countries where local authorities won't touch them. When US and European law enforcement agencies don't receive cooperation, they have serious trouble putting together the required evidence.

My ZDNet colleague Dancho Danchev revealed the name of one Koobface gang member, Anton Nikolaevich Korotchenko, on his personal blog last week: Who's Behind the Koobface Botnet? - An OSINT Analysis. According to The New York Times, Facebook will today tell security researchers and other Internet companies about the group and how to fight them, as it believes a public naming can make it harder for such groups to operate.

The men, sometimes called Ali Baba & 4, have now had their full names and online names revealed: Stanislav Avdeyko (leDed), Alexander Koltysehv (Floppy), Anton Korotchenko (KrotReal), Roman P. Koturbach (PoMuc), Svyatoslav E. Polichuck (PsViat and PsycoMan). Avdeyko, who is over 20 years older than the other men and has been tied to an infamous spyware program from 2003 called CoolWebSearch, appears to hold a leadership role.

Upon learning of Facebook's plans, security firm Sophos decided to publish its own findings, confirming the five identities. Jan Drömer, a 32-year-old independent researcher in Germany, and Dirk Kollberg of SophosLabs, conducted a detailed investigation into the Koobface gang between early October 2009 and February 2010, but authorities requested that it be kept confidential so they had the necessary time to build a case. Drömer, who unmasked the gang members using only information available publicly on the Internet, even managed to get a password-free view inside Koobface's command-and-control system, known as the "Mothership."

At the end of the seven-page report, the authors of the investigation thank people from different organisations for the joint effort collecting information about Koobface, clearly showing who contributed:

Facebook Security Team

Gary Warner - UAB Center for Information Assurance and Joint Forensics Research

Claudio Guarnieri - iSIGHT Partners

Trend Micro Threat Research

Infowar Monitor

Thomas from CERT-Bund

CSIS Security Group A/S

and various law enforcement agencies around the globe.

While the Koobface gang has yet to be apprehended, Facebook has managed to fight off the worm, which attacked the service repeatedly until it disappeared in March. After the company tried to dismantle the Mothership, pushed to scrub its service of the worm, and worked to clean users' PCs of infections, the group abandoned the site. Joe Sullivan, chief security officer at Facebook, said his team's goal was to make Facebook unprofitable for the gang.