It was a well-known fact in security circles that some researchers were involved for quite some time in an investigation aiming at revealing the identities of the individuals behind the Koobface worm and the botnet it created.
In the past week, details about a likely member of the “Ali Baba & 4” group (as they dubbed themselves) were made public by researcher Dancho Danchev on his blog and, as the story began to unfold, security firm Sophos and the NYT revealed the names of the five individuals thought to be part of the Koobface gang.
Their names are Anton Korotchenko (a.k.a. “KrotReal”); Stanislav Avdeyko, (“leDed”); Svyatoslav E. Polichuck (“PsViat” or “PsycoMan”); Roman P. Koturbach (“PoMuc”); and Alexander Koltysehv (“Floppy”), and they all apparently live in St. Petersburg, Russia.
The NYT reveals that Facebook, law enforcement officials and the security investigators involved have known their identities for years, but the fact that they are still free to live their rather comfortable lives and travel around the world points to an unfortunate reality: it is extremely hard to prove conclusively that these individuals are guilty.
Facebook started its own investigation into the gang shortly after the Koobface worm first began to spread on the social network in 2008, and it took them only weeks to link the attacks to the suspects.
In 2009, independent researcher Jan Drömer mounted his own investigation. Starting with crucial information gleaned from one of the Koobface C&C servers and searching for links to it on the Internet – IP addresses, domain registration information, underground and legitimate forum posts, social network accounts and more – he made a beeline to the aforementioned group of individuals.
According to him, there is a variety of reasons behind the success of the Koobface gang: they misused powerful online services to spread the worm, didn’t overdo the size of the botnet, didn’t aim at making the worm perfect but invested just enough to earn more than enough money, and operated in countries whose law enforcement agencies don’t have a good record when it comes to cooperating with their US and European counterparts.
Currently, none of the five individuals have been charged with any crime, and no law enforcement agency has confirmed they are under investigation or even commented on the situation.
All who are interested in a fascinating blow-by-blow report of how Jan Drömer and SophosLabs’ Dirk Kollberg followed the crumbs to the suspected Koobface gang members – go here.