Koobface gang turns off command servers, as Russian police explain lack of action

The publication of a detailed investigation into alleged members of the Koobface malware gang appears to have had an instant impact.

The C&C (command and control) servers at the heart of Koobface have stopped responding, and the individuals uncovered by the report have been busy deleting their profiles on social networks, where they had left digital clues as to their identities.

Although social networking accounts have been wiped, security researchers and law enforcement agencies have archives of the vast amount of material already published by Koobface gang members, including photographs, movies, and locations as they checked into sites such as FourSquare.

That data can be used in a variety of ways. For instance, FourSquare logins can be displayed on Google Earth, allowing researchers to replay how individuals have moved from place to place at certain times.

Locations tracked on FourSquare, displayed on Google Earth

Ryan McGeehan, a member of Facebook’s security team, was quoted in the press, expressing his delight that releasing information about the five men’s alleged activities had already had an impact:

"The thing that we are most excited about is that the botnet is down. Our decision to become transparent about this has had a 24-hour impact. Only time will tell if it's permanent but it was certainly effective."

Meanwhile, Russia’s anti-cybercrime unit has claimed that there’s a very good reason that it hasn’t investigated the Koobface gang – it hasn’t been asked to.

According to a report from Reuters, the Interior Ministry’s K Directorate says that it has received no official request to look into the activities of the Koobface gang, alleged to be based in St Petersburg.

“An official request needs to be filed to the K Directorate first, and when it’s filed, we will certainly investigate and work on it,” Larisa Zhukova, a representative at the cyber unit, told Reuters. “The request must come from the victim, that is Facebook. Because anyone can say or write anything, but it is all unfounded so far.”

All that we see from this is that it can be very difficult to co-ordinate investigations into cybercriminal activity when there are multiple countries involved. One thing is clear, however: the people identified in the report are clearing up the various breadcrumbs they have left lying around the net.

Read: The Koobface malware gang – exposed!