Facebook on Mission to Wipe Koobface Off Face of the Web
Jan 18, 2012 9:45 AM PT
Facebook eradicated the Koobface virus from its site about nine months ago. However, the social network says it is on a mission to vanquish it completely.
It's been three years since the virus first appeared on Facebook, and the company has learned quite a bit about it and its creators, it said in a blog post. It intends to share what it knows with law enforcement and the larger security community.
Fake Friend Messages
The language Facebook uses in its post -- "the full force of law brought to bear against those who have made millions in ill-gotten gains" and "to rid the Web of this virus forever" -- evokes images of Captain Ahab and his white whale.
Indeed, the Koobface virus was particularly harmful to Facebook, because it took aim at the site's raison d'être -- the sharing of information.
The virus spread by sending fake messages that appeared to come from someone on the recipient's friend list and urged the recipient to click a link. The messages used social-engineering lures such as "why do you look so stupid in this photo?"; following the link triggered the download of the worm itself.
Once installed on a user's device, the malware would redirect the user's traffic and, in some cases, trick the user into paying for fake antivirus software. Koobface made its money through pay-per-click and traffic-referral schemes.
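The propagation pattern described above (one account pushing the same link to many friends in a short burst, wrapped in a lure) is the kind of signal a social network's abuse systems can key on. The following is an added illustration written for this article, not Facebook's own detection code: it runs a fan-out heuristic over a small set of constructed outbound messages and flags senders who deliver one link host to several distinct recipients within a short window, with a secondary check for known lure phrasing. The hosts, users and lure list are invented for the example.

```python
"""Fan-out heuristic for worm-style social spam.

Added example with constructed data; not the social network's own code.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample of outbound messages: (sender, recipient, sent_at, text).
# "alice" behaves like an infected account; bob and carol send normal messages.
SAMPLE_MESSAGES = [
    ("alice", "bob",   "2012-01-15T10:00:00", "why do you look so stupid in this photo? http://vid-clips.example/watch?v=1"),
    ("alice", "carol", "2012-01-15T10:00:05", "why do you look so stupid in this photo? http://vid-clips.example/watch?v=1"),
    ("alice", "dave",  "2012-01-15T10:00:09", "lol is this you?? http://vid-clips.example/watch?v=1"),
    ("alice", "erin",  "2012-01-15T10:00:14", "why do you look so stupid in this photo? http://vid-clips.example/watch?v=1"),
    ("bob",   "alice", "2012-01-15T11:30:00", "hey, dinner on friday? http://restaurant.example/menu"),
    ("carol", "dave",  "2012-01-15T12:00:00", "slides from today: http://docs.example/slides"),
]

URL_RE = re.compile(r"https?://\S+")

# Hypothetical lure phrases; a real system would learn these from labelled spam.
LURE_PHRASES = ("in this photo", "is this you", "look so stupid")


def extract_hosts(text):
    """Return the set of lower-cased hostnames linked from a message."""
    return {urlparse(m).netloc.lower() for m in URL_RE.findall(text)}


def looks_like_lure(text):
    """True if the message text contains one of the known lure phrases."""
    lowered = text.lower()
    return any(p in lowered for p in LURE_PHRASES)


def flag_fanout(messages, window=timedelta(minutes=5), min_recipients=3):
    """Flag (sender, host) pairs where one sender pushed the same link host to
    at least `min_recipients` distinct recipients within `window`.

    Returns {sender: {host: {"recipients": [...], "lure_messages": n}}}.
    """
    events = defaultdict(list)  # (sender, host) -> [(time, recipient, is_lure)]
    for sender, recipient, ts, text in messages:
        t = datetime.fromisoformat(ts)
        for host in extract_hosts(text):
            events[(sender, host)].append((t, recipient, looks_like_lure(text)))

    flagged = defaultdict(dict)
    for (sender, host), hits in events.items():
        hits.sort()
        # Slide a window anchored at each hit; stop at the first window that fans out enough.
        for i, (start, _, _) in enumerate(hits):
            in_window = [h for h in hits[i:] if h[0] - start <= window]
            recipients = {r for _, r, _ in in_window}
            if len(recipients) >= min_recipients:
                flagged[sender][host] = {
                    "recipients": sorted(recipients),
                    "lure_messages": sum(1 for _, _, lure in in_window if lure),
                }
                break
    return dict(flagged)


if __name__ == "__main__":
    for sender, hosts in flag_fanout(SAMPLE_MESSAGES).items():
        for host, info in hosts.items():
            print(f"{sender} -> {host}: {len(info['recipients'])} recipients, "
                  f"{info['lure_messages']} lure-like messages")
```

The fan-out count does the heavy lifting; the lure check only raises confidence, since a legitimate user can also share one link with a few friends. Tuning `window` and `min_recipients` against real traffic is what separates a usable signal from a false-positive generator.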
Others on the Trail
Facebook has hardly been alone in its efforts to track down Koobface, nor is it the only party holding identifying information about the gang. Earlier this month, security researcher Dancho Danchev published photos of the Russia-based botnet master, his telephone numbers, multiple email addresses, and the license plate of his BMW.
Danchev got his hands on this mother lode through the botnet master's carelessness, he wrote: the botnet master had used his personal email address to register a domain parked within Koobface's command-and-control infrastructure, one "that at a particular moment in time was directly redirecting to the ubiquitous fake YouTube page pushed by the Koobface botnet."
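The slip described above is a registration-data pivot: a domain sitting in the botnet's infrastructure shares a registrant email with domains tied to a real person. As an added example, not Danchev's data or method, the block below performs that pivot over a small constructed set of WHOIS-style records: starting from known command-and-control domains, it expands through shared selectors (registrant email, name server) for a bounded number of hops and reports which selector linked each new domain. Every domain, email and name server here is hypothetical.

```python
"""Registrant/name-server pivot over WHOIS-style records.

Added example with constructed data; not the researcher's own records or tooling.
"""
from collections import defaultdict

# Constructed records: (domain, registrant_email, name_servers).
# Two C2 domains use a throwaway email on one name server; a third domain
# parked on the same name server was registered with a personal email that
# also registered an unrelated-looking personal site.
WHOIS_RECORDS = [
    ("video-update-now.example", "ops-throwaway@mail.example", ["ns1.bullet.example"]),
    ("flash-player-dl.example",  "ops-throwaway@mail.example", ["ns1.bullet.example"]),
    ("my-holiday-pics.example",  "ivan.personal@mail.example", ["ns1.bullet.example"]),
    ("ivan-car-club.example",    "ivan.personal@mail.example", ["ns.hosting.example"]),
    ("unrelated-shop.example",   "shop@retail.example",        ["ns.hosting.example"]),
]

# Seed set: domains already attributed to the botnet's C2 (hypothetical).
KNOWN_C2 = {"video-update-now.example", "flash-player-dl.example"}


def build_indexes(records):
    """Map each domain to its selectors and each selector back to its domains."""
    selectors_by_domain = {}
    domains_by_selector = defaultdict(set)
    for domain, email, name_servers in records:
        sels = ["email:" + email] + ["ns:" + ns for ns in name_servers]
        selectors_by_domain[domain] = sels
        for sel in sels:
            domains_by_selector[sel].add(domain)
    return selectors_by_domain, domains_by_selector


def pivot(records, seeds, max_hops=2):
    """Breadth-first expansion from `seeds` through shared selectors.

    Returns {domain: (hop, selector_that_linked_it)}; seeds are hop 0.
    The hop limit matters: shared name servers are a weak selector (any
    shared host links thousands of unrelated domains), so each extra hop
    adds noise faster than signal.
    """
    selectors_by_domain, domains_by_selector = build_indexes(records)
    found = {d: (0, "seed") for d in seeds}
    frontier = sorted(seeds)
    for hop in range(1, max_hops + 1):
        next_frontier = []
        for domain in frontier:
            for sel in selectors_by_domain.get(domain, []):
                for linked in sorted(domains_by_selector[sel]):
                    if linked not in found:
                        found[linked] = (hop, sel)
                        next_frontier.append(linked)
        frontier = next_frontier
    return found


def emails_reached(found, records, min_hop=1):
    """Registrant emails attached to pivoted (non-seed) domains."""
    email_of = {domain: email for domain, email, _ in records}
    return {email_of[d] for d, (hop, _) in found.items() if hop >= min_hop}


if __name__ == "__main__":
    for domain, (hop, sel) in sorted(pivot(WHOIS_RECORDS, KNOWN_C2).items(), key=lambda kv: kv[1][0]):
        print(f"hop {hop}: {domain:28s} via {sel}")
```

Read the output with the selector in mind: an email pivot is strong evidence of common control, a name-server pivot is only a lead to confirm by other means (timing, content of the parked page, hosting provider records). Setting `max_hops=3` on this data would pull in the unrelated shop through the shared hosting name server, which is exactly the false positive the hop limit is there to avoid.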
Facebook may have been instrumental in this series of events. Facebook Security performed a technical takedown of Koobface's "Command & Control" Mothership last March, it said in a blog post, "and since then we have had no new sightings of Koobface for over nine months and our teams are working hard to keep it that way."
Despite all the information available about the Koobface gang, their ultimate fate is still uncertain.
Facebook and other security researchers' focus "will most certainly bring attention to the lavish lifestyles these criminals are leading, and that may or may not lead to consequences to their actions," Robert Siciliano, online security evangelist for McAfee, told TechNewsWorld. "The million-dollar question is, will Russian law enforcement actually make an arrest, or will that be superseded by a payoff?"
However, one shouldn't think just in terms of law enforcement, he added. "Public humiliation has long been a solution to problems that affect the public. These boys are either going to need a good lawyer or a good publicist."
Others take a more pessimistic view of how this will play out.
"Though Facebook has taken a bold step in revealing the names of the Koobface gang in an effort to curb the group's cybercrime activities and prompt Russia to take proactive measures against these criminals, the unfortunate reality is that Koobface will continue to wreak havoc, infecting many more people through alternative social networks and online properties," John Viega, an application security expert at Perimeter E-Security, told TechNewsWorld.
"The newly released information from Facebook does little to aid law enforcement, as members of the gang have operated openly for some time. Their identities are no big secret -- and they are certainly not trying to hide. To date, Russia has provided a haven for Russian citizens who perpetrate online crime and hasn't yet shown interest in busting the Koobface team."