An investigation by Jan Drömer, independent researcher,
and Dirk Kollberg, SophosLabs.
The Koobface case clearly has strong ties to Russia or Eastern Europe, meaning that language becomes an important factor in our investigation.
A simple search for MobSoft with the Russian Federal Tax Server resulted in no matches, but a search using the correct Cyrillic characters “МобСофт” provides the desired result.
The very same is true for search engines, such as Google or Yandex, or for searches within social networks. It is also important to understand that automatic translations of suspect names or even their sometimes self-chosen translations may result in no or even wrong results.
Research using the term “МобСофт”, not only confirmed the existence of a company registered in St. Petersburg, but also lead to a Russian portal selling information about business. This portal lists Roman K. as the owner of Mobsoft LLC based in St. Petersburg.
We already know about this name from the Czech company register in connection with Mobsoft s.r.o. Continued research also led to various job portals identifying former employees of MobSoft such as for example a graphics designer. While this person is unrelated to the Koobface threat, the website provides various artwork such as the MobSoft corporate design.
Most remarkably however was a job advert, listing someone called Alexander K. as the company’s contact with a mobile phone number that matches one of the numbers found within the Koobface SMS statistics script!
Details about Alexander K. are sparse. Just like the case with “Krotreal” access to Alexander’s vkontakte.ru profile is unfortunately restricted.
Although it is inaccessible it presumably shows a photo of him. Alexander K. was also found commenting on various vkontakte.ru walls of other potential Koobface gang members. Attempts to locate more information about him and his precise involvement remained inconclusive.
Several profiles suggest that he also operates under the nicknames “floppy”, “megafloppy” or “darkfloppy”. Profiles using these nicknames can be found on various social networks, for example on LiveJournal.
Given the user profile picture, the birth date, the reference to St. Petersburg and the interests in various programming languages, he might have been involved in programming activities for the gang.
It is, however, of importance that it is his mobile phone number that has been commented out from the SMS statistics script. Like “PoMuC” he is also shareholder of Paytelecom a.s. another Czech company found while searching through the Czech company register.
Further research led to another job offer, again made by Alexander K. this time listing a St. Petersburg number “+7 (812) <omitted> 31”.
This number is exactly the same compared to the mobile phone number except that the St. Petersburg area code is used instead of the mobile network code. While this might be just a typo or pure coincidence, mobile phone numbers using the regular area code instead of the mobile network are considered to be more prestigious and are as such known to exist.
Following this train of thought, it was possible to link another number from the Koobface statistics script to Roman K., given that this number is listed within the Whois details for the domain highspeed.ru, owned by him.
state: REGISTERED, DELEGATED, UNVERIFIED
person: Roman K.
phone: +7 812 <omitted>99
Similarly vkontakte.ru was searched using the term “МобСофт” which led to the identification of two profiles, one belonging to “Vladimir XD” (about whom no further information could be retrieved) and the other one belonging to Svyatoslav P.Follow @SophosLabs