The Latest in IT Security

Who’s Behind the Koobface Botnet? – An OSINT Analysis

10
Jan
2012

It’s full disclosure time.

In this post, I will perform an OSINT analysis, exposing one of the key botnet masters behind the infamous Koobface botnet, that I have been extensively profiling and infiltrating since day one. I will include photos of the botnet master, his telephone numbers, multiple email addresses, license plate for a BMW, and directly connect him with the infrastructure — now offline or migrated to a different place — of Koobface 1.0.

The analysis is based on a single mistake that the botnet master made – namely using his personal email for registering a domain parked within Koobface’s command and control infrastructure, that at a particular moment in time was directly redirecting to the ubiquitous fake Youtube page pushed by the Koobface botnet.

Let’s start from the basics. Here’s an excerpt from a previous research conducted on the Koobface botnet:



However, what the Koobface gang did was to register a new domain and use it as Koobface C&C again parked at the same IP, which remains active – zaebalinax.com Email: [email protected] – 78.110.175.15 – in particular zaebalinax.com/the/?pid=14010 which is redirecting to the Koobface botnet. Two more domains were also registered and parked there, u15jul .com and umidsummer .com – Email: [email protected] which remain in stand by mode at least for the time being.

The Koobface botnet master’s biggest mistake is using the Koobface infrastructure for hosting a domain that was registered with the botnet master’s personal email address. In this case that zaebalinax.com and [email protected] zaebalinax.com is literally translated to “Gave up on Linux”.

The same email kro[email protected] was used to advertise the sale of Egyptian Sphynx kittens on 05.09.2007:



The following telephone belonging to Anton was provided – +79219910190. The interesting part is that the same telephone was also used in another advertisement, this time for the sale of a BMW:



Photos of the BMW, offered for sale, by the same Anton that was using the Koobface infrastructure to host zaebalinax.com Email: [email protected]:


Upon further analysis, it becomes evident that his real name is Anton Nikolaevich Korotchenko (????? ?????????? ??????????). Here are more details of this online activities:

Real name: Anton Nikolaevich Korotchenko (????? ?????????? ??????????)
City of origin: St. Petersburg
Primary address: Omskaya st. 26-61; St. Petersburg; Leningradskaya oblast,197343
Associated phone numbers obtained through OSINT analysis, not whois records:
+79219910190
+380505450601
050-545-06-01
ICQ – 444374
Emails: [email protected]
[email protected]
[email protected]
[email protected]
[email protected]
WM identification (WEB MONEY) : 425099205053
Twitter account: @KrotReal; @Real_Koobface
Flickr account: KrotReal

Photos of Koobface botnet’s master Anton Nikolaevich Korotchenko (????? ?????????? ??????????):



 Also, a chat log from 2003, identifies KrotReal while he’s using the following IP –  [email protected]

How do you trigger a change that would ultimately affect the entire cybercrime ecosystem? By personalizing cybercrime.

Go through previous research conducted on the Koobface botnet:
Koobface Redirectors and Scareware Campaigns Now Hosted in Moldova
The Koobface Gang Wishes the Industry “Happy Holidays”
Koobface Gang Responds to the “10 Things You Didn’t Know About the Koobface Gang Post”
10 things you didn’t know about the Koobface gang
How the Koobface Gang Monetizes Mac OS X Traffic
Koobface Botnet’s Scareware Business Model – Part Two
Koobface Botnet’s Scareware Business Model
From the Koobface Gang with Scareware Serving Compromised Site
Koobface Botnet Starts Serving Client-Side Exploits
Koobface-Friendly Riccom LTD – AS29550 – (Finally) Taken Offline
Dissecting Koobface Gang’s Latest Facebook Spreading Campaign
Koobface – Come Out, Come Out, Wherever You Are
Dissecting Koobface Worm’s Twitter Campaign
Koobface Botnet Redirects Facebook’s IP Space to my Blog
Koobface Botnet Dissected in a TrendMicro Report
Massive Scareware Serving Blackhat SEO, the Koobface Gang Style
Movement on the Koobface Front – Part Two
Movement on the Koobface Front
Dissecting the Koobface Worm’s December Campaign
The Koobface Gang Mixing Social Engineering Vectors
Dissecting the Latest Koobface Facebook Campaign

This post has been reproduced from Dancho Danchev’s blog. Follow him on Twitter.

Leave a reply


Categories

FRIDAY, MAY 24, 2019
WHITE PAPERS

Mission-Critical Broadband – Why Governments Should Partner with Commercial Operators:
Many governments embrace mobile network operator (MNO) networks as ...

ARA at Scale: How to Choose a Solution That Grows With Your Needs:
Application release automation (ARA) tools enable best practices in...

The Multi-Model Database:
Part of the “new normal” where data and cloud applications are ...

Featured

Archives

Latest Comments

Social Networks