The Koobface malware gang – exposed!

Page: ← Prev 1 2 3 4 5 6 7 Next →

An investigation by Jan Drömer, independent researcher,
and Dirk Kollberg, SophosLabs.

Friends and family – a weak link for the Koobface gang

Family member's profile on VKontakteWith Anton K. (“Krotreal”), Alexander K. and Roman K. identified as suspected Koobface gang members, a few nicknames and individuals remain to be researched.

One of them is “PoMuC”, listed with his ICQ number as a contact on the website. His ICQ profile already provides a wealth of information.

We begin with the first name “Roman” and a connection to MobSoft, combined with a birth date and a reference to St. Petersburg. The first name and date of birth match those of a Roman K., according to the Czech company register.

There were only a handful of profiles related to “PoMuC”, and those that were likely to be linked to him, were sparse on details.

Besides some email addresses, a link to a company called “Elitum Ltd.” was found, which was devoted to the development of mobile phone applications (casino games, etc.), very similar to MobSoft.

Some of Elitum’s products, such as ElitePassword, may still be found on the internet.

The company itself, however, seems to be dissolved, and its website is no longer being available.

Website not found

Nonetheless a few email addresses can still be found such as {andrew|psviat|akolt|support|4spam}

The nickname “psviat” was also used to register the domain “”. The name used in the registration was Syvat P., which may stand for Svyatoslav P.

Another profile confirmed the nickname “akolt”, to be Alexander K., owner of MobSoft IT consulting s.r.o. Finally, the address was used by Roman K. to register the domain.

With details sparse, a search for the name Roman K. was performed on and the resulting profiles reviewed.

Unfortunately, none of the profiles seemed to match, or were simply inaccessible.

It might have seemed that a dead end had been reached, but you shouldn’t underestimate friends and family.

It is known from the Czech company register that a Maria K. is listed as a co-owner of of one of the MobSoft entities.

Searching for Maria K. on returned just one hit. Luckily, her profile allows public access to the greatest possible extent; including photo sets, lists of friends etc.

Maria K on VKontakte

Not only do we find Roman K. on the friend list and on several photos, but for example also Anton K. From the profile it becomes clear that Maria and Roman K. are married and have one daughter.

Roman K

Now having a face of Roman K. it is furthermore possible to link two followers of “Krotreal’s” Twitter account (spb_roman and ru_roman) to Roman K., given that both avatar pictures of these accounts show him.

This also provides us with two possible nicknames used by Roman K. which can be further investigated.

Upon investigation of the photo sets shared by Maria K., it was furthermore discovered that the family spent their holidays together with Anton K., suggesting a fairly close relationship between them.

Family and friends in social networks also play a role during the investigation of Svyatoslav P., alias “psviat”. Even though his profile is publicly accessible, his photos are not. Even if Svyatoslav P. isn’t sharing photo sets himself, more than 95 photos have been tagged by others, linking to him and his profile.

This is an inherent feature of social networks and shows the difficulty of maintaining a low-profile on these networks, because if one does not provide information such as photos himself, family and friends may do so. The analysis of these photos for instance show, that not too long ago, he married Svetlana D. who in turn is an acquaintance of Maria K.

His friend list showed that he is an acquaintance of both of the previously discussed Maria and Roman K. as well as Anton K.

Linking the nicknames “psviat” and “PsycoMan” to Svyatoslav P. was possible through the investigation of various profiles. Although his exact involvement in the Koobface threat isn’t yet known, circumstances are suggesting that he might have been involved with programming tasks.

He can be also linked to the email address “” which was used in connection with various malicious activities, such as for example the domain which used to be hosted on the same IP address as the old website, within a network of UPL Telecom.

Next: Sex sells

Page: ← Prev 1 2 3 4 5 6 7 Next →

What do you think?