An investigation by Jan Drömer, independent researcher,
and Dirk Kollberg, SophosLabs.
On 17 January 2012, The New York Times revealed that Facebook plans to name five men as being involved in the Koobface gang. As a result of the announcement, we have decided to publish the following research, which explains how we uncovered the same names. This research is also available as a downloadable PDF.
- Introduction: There ain't no perfect (cyber)crime
- The Koobface gang makes a mistake, and then another..
- Of cars and kittens..
- Krotreal - or what's in a nickname?
- Inside the Koobface firm
- Language matters - МобСофт
- Friends and family - a weak link for the Koobface gang
- Sex sells
- The adult webmasters of St Petersburg
Readers are advised that some names and other details within this paper have been omitted to protect the privacy of the suspects and their families. Furthermore some URLs within this document might contain offensive material or malicious content not safe for browsing. It is important to acknowledge that none of the individuals referred to in this paper have been charged with any crimes and should be considered innocent until proven guilty.
The Koobface botnet - a product of the self-proclaimed "Ali Baba & 4" or "Koobface Gang" - has been terrorizing millions of internet users since mid 2008 and continues to do so up to the present day, despite multiple takedown efforts.
The research below, conducted by independent researcher Jan Drömer and Dirk Kollberg of SophosLabs, is focused on the suspects behind one of the largest cybercrime threats in recent years and the process of their identification.
Research into the suspects was mainly conducted from early October 2009 until February 2010 and has since been made available to various international law enforcement agencies.
As in real life, a perfect (cyber)crime is something of a myth. The simple truth is that today's cybercrime landscape is aimed at achieving maximum revenue with minimal investment, and that implies a certain level of accepted imperfection.
It is this imperfection, paired with a sense of "criminal arrogance" and an uncontrollable threat environment such as the internet, that ultimately led to the identification of multiple suspects forming the "Koobface gang".
With every cybercrime attack, there can be vast amounts of technical information such as IP addresses, domain names, etc. available which usually form the starting point of an investigation.
The Koobface investigation was no different, and upon identification of one of the Koobface Command & Control (C&C) servers used to steer the attacks, a first mistake by the gang was identified.
It turned out that the Apache web server on one of the active Command & Control servers (captchastop.com, 126.96.36.199) had the mod_status module enabled. With this web server module enabled, any visitor is provided with public access to a live view of requests made to the web server, which reveals file and directory names.
Although this mistake was noted and corrected at the end of October 2009, only days later the gang made yet another mistake by installing the Webalizer statistics tool in a publicly accessible way, allowing for an even better insight into the structures of their Command & Control system.
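The mod_status exposure described above is a configuration error that administrators can check for on their own servers. The following is an added example, not code from the original research: a heuristic audit that flags `<Location>` blocks serving `server-status` without an access restriction. The function name, the sample configuration and the rule that only directives inside the block itself are considered (no `Include` files or enclosing containers) are assumptions of this example.

```python
import re

# Constructed sample configuration (not taken from any Koobface server).
SAMPLE_CONF = """
<Location "/server-status">
    SetHandler server-status
</Location>
<Location /status-internal>
    SetHandler server-status
    Require ip 127.0.0.1
</Location>
<Location /open-status>
    SetHandler server-status
    Require all granted
</Location>
<Location /legacy>
    SetHandler server-status
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1
</Location>
"""

BLOCK = re.compile(r'<Location\s+"?([^">\s]+)"?\s*>(.*?)</Location>', re.I | re.S)

def exposed_status_locations(conf_text):
    """Return Location paths that serve mod_status with no access restriction."""
    exposed = []
    for path, body in BLOCK.findall(conf_text):
        # Normalise directives; skip blank lines and '#' comment lines.
        lines = [l.strip().lower() for l in body.splitlines()]
        lines = [l for l in lines if l and not l.startswith("#")]
        if not any(re.match(r"sethandler\s+server-status\b", l) for l in lines):
            continue
        # Apache 2.4 syntax: any Require other than "all granted" restricts access.
        restricted_24 = any(
            re.match(r"require\s", l) and not re.match(r"require\s+all\s+granted\b", l)
            for l in lines)
        # Apache 2.2 syntax: "Deny from all", usually paired with Allow exceptions.
        restricted_22 = any(re.match(r"deny\s+from\s+all\b", l) for l in lines)
        if not (restricted_24 or restricted_22):
            exposed.append(path)
    return exposed

if __name__ == "__main__":
    for path in exposed_status_locations(SAMPLE_CONF):
        print("mod_status served without restriction:", path)
```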
A major breakthrough in the technical investigation was finally achieved in early December 2009 when the Webalizer statistics tool showed an unusual request to a file named "last.tar.bz2", which upon further examination turned out to contain a full daily backup of the Koobface Command & Control software. During the investigation similar backups could be obtained from various other Koobface Command & Control systems.
While these backups allow for a detailed technical analysis, they were mainly examined to identify the entire system landscape forming the Koobface Botnet as well as any information (usernames, source code comments, log-files showing IP addresses, etc.) that could help identify the actors behind it.
This led to various domain names and IP addresses, out of which one system stood out in particular.
This "Koobface Mothership" was hosted on the IP address 188.8.131.52, located within a network of UPL Telecom in Prague (Czech Republic). It was used to store statistics, to monitor C&C servers, and within the restore process in case C&C servers became unavailable.
Two of the found domain names (babkiup.com and service.incall.ru) were also hosted on the Koobface Mothership server. While incall.ru appeared to be a legitimate VoIP service, babkiup.com was greeting users with a service description that matched exactly the behaviours of the Koobface Botnet, including a short question and answer section for interested customers and ICQ contact details for two individuals going by the nicknames "PoMuC" and "LeDed".
Back to the backups, probably the most stunning information was found within a PHP script used to submit daily revenue statistics via short text messages to five mobile phones. The international prefix +7 identifies these numbers to be Russian telephone numbers.
Note that one phone number has been commented out from receiving SMS messages, which either means that this gang member simply wasn't interested in these statistics or it may also be an indication that one member left the group.
The nickname "LeDed", named as a contact point on the "babkiup.com" website, reappears as a Unix username within a script used to restore defunct Koobface C&C servers. It is of particular note that within this script "LeDed" shows up as user/groupname within the Unix chown command.
"Krotreal" is another nickname that can be found within a script called "gen_service.php". Circumstances suggest that the source code comment within the script was made by "Krotreal" personally, likely implying that this individual had access to the source code of the PHP script(s) making up the Koobface Command & Control system.
Furthermore an image named "IMG_0121.JPG" was found within one of the backups. This picture is completely unrelated to the function of the Koobface botnet itself but may have been placed there by a Koobface gang member.
According to the Exif metadata contained within the photo, it was taken with an Apple iPhone on September 15, 2009 at a latitude of N 59° 55.66' and a longitude of E 30° 22.11'. This points directly to the center of St. Petersburg, Russia.
Though this information may not be accurate enough to identify a single address, it supports the earlier presumption that the actors might be located in Russia and that one or more are probably located in the St. Petersburg region.
However, it is important to point out that this observation is rather speculative, considering that the photo could be entirely unrelated to the Koobface actors.
The following graphic depicts key information derived so far from the Koobface backups and websites.
Any further research would obviously start with the telephone numbers, given that these are the most likely way to obtain identities of potential suspects. Different notations of telephone numbers were used as search strings, as well as look-ups made against the online telephone book of St. Petersburg, Russia.
One number was found on an online market platform for cars, where it was listed in 2008 in an advertisement selling a BMW 3 Series with the car's number plate "H <omitted> 98".
The very same telephone number also appeared in another forum post from September 2007, this time trying to sell kittens. Even more important in this context is the email address "Krotreal@<omitted>.com" and the name Anton listed as contact.
As the telephone number search came to a dead end, the next most likely source of information would be the three nicknames ("Krotreal", "LeDed", "PoMuC").