Dancho Danchev unmasks man behind the Koobface Botnet

I direct you to an enlightening post by security researcher Dancho Danchev regarding the anatomy of Koobface.

Danchev says he has exposed one of the key botnet masters behind the notorious botnet, which has been targeting social network users for about four years now. Koobface (an anagram for Facebook) has spread over the social networking world like a radioactive cloud by pretending to be the infected user on social networks, prompting friends to download an update to their Flash player in order to view a video. The update is a copy of the virus.

It's the first botnet to recruit its Zombie computers across multiple social networks (Facebook, MySpace, hi5, Bebo, Friendster, etc). Today, it is estimated that at any time, over 500,000 Koobface zombies are online at the same time.

Danchev writes the following about this beast:

The analysis is based on a single mistake that the botnet master made - namely using his personal email for registering a domain parked within Koobface's command and control infrastructure, that at a particular moment in time was directly redirecting to the ubiquitous fake Youtube page pushed by the Koobface botnet.

The Koobface botnet master's biggest mistake is using the Koobface infrastructure for hosting a domain that was registered with the botnet master's personal email address. In this case that zaebalinax.com and krotreal@gmail.com. zaebalinax.com is literally translated to "Gave up on Linux".

The same email krotreal@gmail.com was used to advertise the sale of Egyptian Sphynx kittens on 05.09.2007. (The email was signed by "Andre.")

The following telephone belonging to Anton was provided - +79219910190. The interesting part is that the same telephone was also used in another advertisement, this time for the sale of a BMW.

Upon further analysis, it becomes evident that his real name is Anton Nikolaevich Korotchenko (????? ?????????? ??????????). Here are more details of this online activities:

Real name: Anton Nikolaevich Korotchenko (????? ?????????? ??????????)

City of origin: St. Petersburg

Primary address: Omskaya st. 26-61; St. Petersburg; Leningradskaya oblast,197343

Associated phone numbers obtained through OSINT analysis, not whois records:




ICQ - 444374

Emails: krotreal@yahoo.com





WM identification (WEB MONEY) : 425099205053

Twitter account: @KrotReal; @Real_Koobface

Flickr account: KrotReal

Danchev did some excellent work here. Hats off to him.

The most amazing thing to me is how exposed this botnet herder left himself by making his email and telephone number so easy to find.

When someone does that, they are usually looking for attention, which flies in the face of the typical botnet herder who sits in the shadows and collects the stolen goods their zombies bring back.

That's conjecture on my part, though. Read Danchev's full post, look at the screen shots and photos, then draw your own conclusions.

This isn't the first extensive research on Koobface, of course. In October 2009, Trend Micro researchers released a report making the following conclusions:

We are going against cybercriminals who are human, too. They can also adapt to changes and learn from their mistakes. They have the ability to observe the environment they operate on and make

decisions as to how they will proceed.

To date, the KOOBFACE gang has already been able to:

• Design and implement a robust Trojan downloader that serves as a platform for subsequent updates

• Modify the C&C infrastructure to make it takedown proof and to make C&C discovery a little bit harder than before

• Become more aware of how social networking sites operate, which enabled them to create propagation components that target specific social networking sites

• Realize the potential of harvesting user profile information and duly implementing an information-stealing routine

• Implement a cost-effective CAPTCHA-solving routine based on pure social engineering rather than developing expensive computer-automated CAPTCHA solvers

• Use infected machines as Web proxies that provide a layer of obfuscation for the C&C

• Leverage free Web hosting and compromised sites to lessen the probability of having their malicious URLs tagged as “spam”

• Circumvent the URL-filtering capability of social networking sites

--Bill Brenner

one-stop view of latest business threats. We created it for you! Bookmark it! Use it!

CSO's Daily Dashboard gives you a

Copyright © 2012 IDG Communications, Inc.

How to choose a SIEM solution: 11 key features and considerations