Koobface Malware Ring Taken Offline After Ringleaders Exposed

After Facebook released the names of those responsible for a malware ring targeting the social network's users, the group's central command and control (C&C) server went offline. It's believed those exposed by Facebook took down the node as a precaution against being apprehended by authorities.

The Koobface worm originated on the social network in 2008 and prompted users to click on a funny or sexy video. Once clicked, the user would be asked to update his or her Adobe Flash plugin, which would install the group's malware instead.

It is estimated that the Koobface ring has stolen millions of dollars and, at its height, had between 400,000 and 800,000 computers infected.

However, once the malware ring was found targeting the social network's users in 2008, Facebook security experts started implementing measures to counteract Koobface.

"After more than three years and numerous hours of working closely with industry leaders, the security community, and law enforcement, we are pleased to announce that Facebook has been free of infections for over nine months," wrote Facebook Security, in a blog posting.

Along with recently shutting down the central node, the group, believed to be located in St. Petersburg, Russia, reportedly deleted all of their profiles. However, according to Graham Cluley, senior technology consultant at Sophos, that will not stop them from being prosecuted using their data history:

"Although social networking accounts have been wiped, security researchers and law enforcement agencies have archives of the vast amount of material already published by Koobface gang members, including photographs, movies, and locations as they checked into sites such as FourSquare.

"That data can be used in a variety of ways. For instance, FourSquare logins can be displayed on Google Earth, allowing researchers to replay how individuals have moved from place to place at certain times."

And this is exactly how Facebook was able to identify what it believes are the ring's perpetrators. Many of the members actually checked into the location of the C&C hub multiple times with FourSquare over the course of the company's three-year investigation.

None of the named suspects have been charged as of yet due to issues with Russian law enforcement authorities. "An official request needs to be filed to the K Directorate first, and when it's filed, we will certainly investigate and work on it," said Larisa Zhukova, a representative at the cyber unit, to Reuters. "The request must come from the victim, that is Facebook. Because anyone can say or write anything, but it is all unfounded so far."

About the Author

Chris Paoli (@ChrisPaoli5) is the associate editor for Converge360.
