Koobface Malware Ring Taken Offline After Ringleaders Exposed

After Facebook released the names of those responsible for a malware ring targeting the social network's users, the group's central command and control (C&C) server went offline. It's believed those exposed by Facebook took down the node as a precaution against being apprehended by authorities.

The Koobface worm originated on the social network in 2008 and prompted users to click on a funny or sexy video. Once clicked, the user would be asked to update his or her Adobe Flash plugin, which would install the group's malware instead.

It is estimated the Koobface ring stole millions of dollars and, at its height, had between 400,000 and 800,000 computers infected.

However, once the malware ring was found targeting the social network's users in 2008, Facebook security experts started implementing measures to counteract Koobface.

"After more than three years and numerous hours of working closely with industry leaders, the security community, and law enforcement, we are pleased to announce that Facebook has been free of infections for over nine months," wrote Facebook Security, in a blog posting.

Along with recently shutting down the central node, the group, believed to be located in St. Petersburg, Russia, reportedly deleted all of their profiles. However, according to Graham Cluley, senior technology consultant at Sophos, that will not stop them from being prosecuted using their data history:

"Although social networking accounts have been wiped, security researchers and law enforcement agencies have archives of the vast amount of material already published by Koobface gang members, including photographs, movies, and locations as they checked into sites such as FourSquare.

"That data can be used in a variety of ways. For instance, FourSquare logins can be displayed on Google Earth, allowing researchers to replay how individuals have moved from place to place at certain times."

And this is exactly how Facebook was able to identify what it believes are the ring's perpetrators. Many of the members checked into the location of the C&C hub multiple times with FourSquare over the course of the company's three-year investigation.

None of the named suspects have been charged as of yet due to issues with Russian law enforcement authorities. "An official request needs to be filed to the K Directorate first, and when it's filed, we will certainly investigate and work on it," said Larisa Zhukova, a representative at the cyber unit, to Reuters. "The request must come from the victim, that is Facebook. Because anyone can say or write anything, but it is all unfounded so far."

About the Author

Chris Paoli is the site producer for and

