The Koobface malware gang – exposed!


An investigation by Jan Drömer, independent researcher,
and Dirk Kollberg, SophosLabs.

The adult webmasters of St Petersburg

Born in 1962, Stanislav A. (also known as “LeDeD”, “DeD”, “Ded Mazai” or “zoro_ru”) is some 20 years or more older than the other members of the Koobface gang, and is the last and possibly most interesting suspect in this investigation.

Stanislav A

While several profiles could be found on various shady forums such as crutop.nu, master-x and umax, to name but a few, these profiles do not contain much useful information besides his ICQ number and the claim to be “in service since 1999”.

One of the postings made by “DeD” at http://www.master-x.com contained a link to a webpage on a site called 99livecam.

Webpage on 99livecam website

Accessing this link takes a visitor back to the ancient history of the St. Petersburg Adult Webmaster scene, namely to the homepage of “The United Club of Adult Webmasters of St. Petersburg”, dating back to the year 2000.

Pictures from The United Club of Adult Webmasters of St. Petersburg

The website includes some pictures from their very first club meeting. In addition, the club website contains a picture section called “Ded Mazai”, the same term found within the ICQ profile of “PoMuC”.

It may be assumed that the term “Mazai Team” references some group of (presumably) adult webmasters in St. Petersburg.

The website also contains a link to a discussion forum linked to the infamous CoolWebSearch (CWS) spyware activities. Further analysis of the forum posts provided some historic insights into the CWS activities as well as information about the Russian Adult Webmaster scene, again repeating the pattern previously discussed.

It is no surprise to find Stanislav A. connected to the nefarious CWS activities, as well as to exploits, PPC (pay-per-click) fraud, etc.

Research of historic profiles and Whois records ultimately revealed his name, for example through a historic Whois entry of the dnserror.org domain, which was named in various discussions about malicious websites. One of these discussions contained a historic Whois entry for dnserror.org, listing a Stanislav A. in Prague:

Registrant Name:Stanislav A.
Registrant Organization:no
Registrant Street1:P5,
Registrant City:Prague
Registrant State/Province:CZ
Registrant Postal Code:15200
Registrant Country:CZ
Registrant Phone:+420<omitted>
Registrant Email:zoro_ru@<omitted>.com

The name Stanislav A. also showed up during the research of Roman K. and Alexander K., as all of them are shareholders of Paytelecom s.a., another Czech company.

Querying the Czech company register for the name Stanislav A. reveals another company. The owners of this company are Stanislav A., his wife and his daughters.

You may wonder why the entire family is registered as company owners, but owning a company within the Czech Republic apparently eases the visa application process, even granting permanent residence rights at some point in time, which might be the reason in this case.

Given this information one can now establish an obvious link between “Ded Mazai” and Stanislav A. The “Ded Mazai” profile on vkontakte.ru lists both his daughter and his wife as friends, next to Anton K. and Roman K.

Ded Mazai on VKontakte

Stanislav A. even shares some photos, one for instance documenting his attendance at the AWM Open 2005 conference. Stanislav A. also maintains a publicly accessible photo album with hundreds of photos on Google Picasa.

Stanislav A.

One of these photo sets was of particular interest as it shows all of the previously discussed suspects together with their wives and girlfriends at a “fishing event”.

Photos from fishing trip

Seeing the suspected members of the Koobface gang travelling together, even with their families, is a recurring pattern throughout many of the photo albums shared by them.

One of their documented tours shows them on a journey through Europe visiting Spain, Nice, Monte Carlo and ultimately ending in a casino in Baden-Baden, Germany – most likely gambling with the money stolen from their victims.

Koobface suspects

Roman K., Svyatoslav P., Alexander K., Anton K. and Stanislav A. living the life of the rich and famous...


It’s important, of course, to recognise that the individuals identified above have not been charged in relation to Koobface, and have not been found guilty of any crimes.

The full evidence is in the hands of the law enforcement agencies, and we wait to see what – if any – actions are taken to bring down the Koobface gang.

Thanks:
The authors of this investigation would like to thank people from different organisations for the joint effort collecting information about the Koobface threat, especially:

  • Facebook Security Team
  • Gary Warner – UAB Center for Information Assurance and Joint Forensics Research
  • Claudio Guarnieri – iSIGHT Partners
  • Trend Micro Threat Research
  • Infowar Monitor
  • Thomas from CERT-Bund
  • CSIS Security Group A/S
  • and various law enforcement agencies around the globe.

Further reading:
Koobface: Inside a Crimeware Network [PDF]
The Real Face of Koobface: The Largest Web 2.0 Botnet Explained [PDF]
The Heart of Koobface: C&C and Social Network Propagation [PDF]
Web 2.0 Botnet: Koobface Revisited [PDF]
More Traffic, More Money: Koobface Draws More Blood [PDF]


2 comments on “The Koobface malware gang – exposed!”

  1. An interesting read! Thanks for a great – and understandable – summary of what must have been hours and hours of research!

    I do wonder what became of those kittens for sale.. 😉
