Koobface (the name is an anagram of Facebook), the most famous worm in Facebook’s history, has attracted public attention once again after the social network’s security service announced earlier this month that they were going to reveal the names and photos of criminals behind the malware.
Koobface was first detected by security specialists in the spring of 2008. It was targeting users of Facebook, MySpace, Twitter, and other social networking sites. A victim would receive a message from “a friend” urging to watch sexy or funny videos. After clicking on the link, the user was prompted to update Adobe Flash player. If he followed the instructions, the computer was infected with the malware and became a part of a peer-to-peer botnet. Its Google search queries were hijacked and directed the owner to affiliate websites, the computer received warnings about virus attacks and recommendations to install new anti-virus programs.
”The Koobface gang” made money on sales of fake anti-virus programs, pay-per-click ads, and traffic referral schemes. Security service Kaspersky Labs estimated the Koobface network included up to 800,000 infected computers worldwide in 2010. The botnet produced an average 1,200 blog posts per hour. The group earned at least $2 million a year.
Jan Droemer, an independent researcher from Germany, could get a view inside Koobface’s command-and-control system, known as the “Mothership”. He used only publicly available information and discovered the names and contact data of the “fathers of the worm”. The Facebook security team, as well as several other companies, could also identify the criminals. All of them live in St Petersburg and, before the New York Times published their identities, had openly transmitted coordinates of their offices through the location-based website Foursquare and via Twitter posts. Some of the the group members had previously been involved in spyware and online pornography businesses.
Facebook has made a very unusual move by publishing the names and photos of the gang. Its Chief Security Officer explained that the company has failed to get support from law enforcement organizations in several countries, including the FBI, in prosecution of the cybercrimes. This is why the social media decided to use its ability to share the information in order to warn others against targeting users of the network. “People who engage in this type of stuff need to know that their name and real identity are going to come out eventually and they’re going to get arrested and they’re going to be targeted,” said Mr. Sullivan.