Virus infections stop after suspects named
By Joseph Menn and Jim Finkle
(Reuters) - One of the most common sources of computer intrusions has stopped infecting new machines after security researchers working with Facebook released the names of five suspected ringleaders.
After more than two years of work, a pair of researchers on Tuesday published the names, aliases and photographs of a gang they accused of running a criminal enterprise known as Koobface that had primarily targeted Facebook after it cropped up in 2008.
German security researchers Jan Droemer and Dirk Kollberg said that servers that ran the Koobface operation stopped responding on Tuesday morning after they released an in-depth report via Kollberg's employer, the UK anti-virus software maker Sophos.
Some computers used to control Koobface had previously been disabled and it had not spread through Facebook connections since early last year.
But until the new disclosures, the Koobface gang had continued to target other social networks as a long-running FBI probe failed to result in arrests in Russia.
Koobface spread primarily through captured social networking accounts that prompted friends to install software to view a video. Initially content with small-scale advertising fraud, the group had also begun to distribute more pernicious software, including the Zeus trojans for bank-account theft, according to another researcher collaborating with Facebook, Gary Warner of the University of Alabama-Birmingham.
Kaspersky Lab, a large security software company, said its database showed that the Koobface virus had afflicted between 400,000 and 800,000 computers during its heyday in 2010.
"The thing that we are most excited about is that the botnet is down," said Facebook security official Ryan McGeehan. "Our decision to become transparent about this has had a 24-hour impact. Only time will tell if it's permanent but it was certainly effective."
Droemer and Kollberg said that they had planned to hold off on publishing their data until law enforcement had captured the suspects. They released it earlier, with Facebook's blessing, after one of those suspects, who goes by the alias "Krotreal," was named last week by another researcher.
Facebook Chief Security Officer Joe Sullivan said he had endorsed the release because he felt the exposure might disrupt the group.
Indeed, those identified have erased social networking profiles cited by the researchers, and many of the phone numbers have been reassigned.
"Krotreal," for example, renamed his account on the Russian social networking site twice, then deleted it altogether, along with his Twitter feed and LiveJournal accounts.
None of the five alleged members of the hacking group could immediately be traced to the reported office addresses or phone numbers in St Petersburg, Russia's second-largest city. (The report is online here).
At the MobSoft address named by Sophos, a Reuters reporter found a dilapidated building that once belonged to a company controlling seaport currency trade in the Soviet Union. Today the building, near a port docking station, is mostly occupied by shipping companies. An employee of one of the firms told Reuters he had never heard of a firm by the name of MobSoft.
"Our company has been renting an office here for three years, but there is no firm named MobSoft here and there has never been one," he said. Neither the building's concierge nor its manager, who had been in her job for the past 15 years, knew about MobSoft or the suspected hacker group.
The legal address for MobSoft found in online directories, and in the SKRIN stock exchange companies' database, led Reuters to an apartment complex a few blocks away from the Mariinsky theatre, whose ballet troupe ranks with Moscow's Bolshoi as Russia's most prestigious.
There was no response when the Reuters reporter rang the bell and knocked on the old wooden rusty-colored door.
Calls to the numbers provided in the Sophos reports yielded no valid leads. One of the names listed under the telephone numbers matched that in the report. But most did not.
At the official MobSoft number, Reuters reached a man calming a crying baby who said strangers had started calling him recently with questions about Koobface and MobSoft. He said he had not heard of either.
The two German researchers said they suspected that the hackers had been working out of a third location in St. Petersburg.
NO INVESTIGATION REQUESTED
Russia's anti-cybercrime unit, the Interior Ministry's K Directorate, said it has yet to investigate the matter because it has not been asked to.
"An official request needs to be filed to the K Directorate first, and when it's filed, we will certainly investigate and work on it," said Larisa Zhukova, a representative at the cyber unit, told Reuters.
"The request must come from the victim, that is Facebook. Because anyone can say or write anything, but it is all unfounded so far," she added.
If submitted, a request would undergo a 30-day review, followed by an initial check.
"Even if it turns into a criminal case, the investigative unit will decide on possible charges. It is hard to hypothesize on a possible sentence right now," she said, adding she had no information on whether the operational staff of the investigative unit knew about the situation.
A spokesman for the FBI did not respond to a request for comment.
Members of Facebook's security staff declined to comment on their discussions with law enforcement officials. Others working with Facebook said that the MVD, or Interior Ministry, had indeed been involved, with little visible progress.
"I like that we're getting the dialogue about the challenges of cross-border enforcement," Sullivan, the Facebook security officer, said. "Ultimately, the goal here is to have an impact. As a security team, we don't have the luxury that every case ends in an arrest."
(Reporting by Joseph Menn in San Francisco; Jim Finkle in Boston; Liza Dobkina in St Petersburg; Nastassia Astrasheuskaya and Maria Kiselyova in Moscow; Jeremy Pelofsky in Washington)
© Thomson Reuters 2015 All rights reserved.