It’s full disclosure time.
In this post I perform an OSINT analysis exposing one of the key botnet masters behind the infamous Koobface botnet, which I have been extensively profiling and infiltrating since day one. I will include photos of the botnet master, his telephone numbers, multiple email addresses and the license plate of a BMW, and directly connect him with the infrastructure — now offline or migrated elsewhere — of Koobface 1.0.
The analysis is based on a single mistake the botnet master made: using his personal email to register a domain parked within Koobface’s command and control infrastructure, which at a particular moment in time redirected directly to the ubiquitous fake YouTube page pushed by the Koobface botnet.
Let’s start with the basics. Here’s an excerpt from previous research conducted on the Koobface botnet:
However, what the Koobface gang did was register a new domain and use it as a Koobface C&C, again parked at the same IP, which remains active – zaebalinax.com, Email: [email protected] – 18.104.22.168 – in particular zaebalinax.com/the/?pid=14010, which redirects to the Koobface botnet. Two more domains were also registered and parked there, u15jul .com and umidsummer .com – Email: [email protected] – which remain in standby mode, at least for the time being.
The Koobface botnet master’s biggest mistake was using the Koobface infrastructure to host a domain registered with his personal email address: in this case zaebalinax.com, registered with [email protected]. zaebalinax.com literally translates to “Gave up on Linux”.
Photos of the BMW offered for sale by the same Anton who was using the Koobface infrastructure to host zaebalinax.com (Email: [email protected]):
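The pivot described above (a domain parked on a known C&C address, redirecting to the fake YouTube lure, whose registrant email also shows up on domains outside the botnet cluster) can be checked mechanically over WHOIS and passive-DNS style records. The following is an added example written for this post, not code from the original research; all domains, emails and IPs in it are constructed stand-ins, and the record layout is an assumption.

```python
from collections import defaultdict

# Constructed sample records (not real WHOIS / passive-DNS data):
# domain, registrant e-mail, resolved IP, and where an HTTP request lands.
RECORDS = [
    {"domain": "cc-one.example",   "email": "burner1@mail.example",  "ip": "203.0.113.10", "redirect": None},
    {"domain": "cc-two.example",   "email": "burner2@mail.example",  "ip": "203.0.113.10", "redirect": None},
    {"domain": "parked.example",   "email": "personal@mail.example", "ip": "203.0.113.10",
     "redirect": "fake-tube-landing.example"},
    {"domain": "carsale.example",  "email": "personal@mail.example", "ip": "192.0.2.55",   "redirect": None},
    {"domain": "unrelated.example","email": "someone@mail.example",  "ip": "198.51.100.7", "redirect": None},
]
KNOWN_CC_IPS = {"203.0.113.10"}                 # constructed: the botnet's C&C address
KNOWN_LURE_HOSTS = {"fake-tube-landing.example"} # constructed: the fake video landing page

def pivot(records, cc_ips, lure_hosts):
    """For every domain hosted on a C&C IP, report whether it redirects to a
    known lure and which domains OUTSIDE the C&C cluster share its registrant
    e-mail. A non-empty outside set is the attribution pivot the post relies on."""
    by_domain = {r["domain"]: r for r in records}
    by_email = defaultdict(set)
    for r in records:
        by_email[r["email"]].add(r["domain"])

    findings = {}
    for r in records:
        if r["ip"] not in cc_ips:
            continue  # only domains parked on the botnet infrastructure matter
        outside = sorted(
            d for d in by_email[r["email"]] - {r["domain"]}
            if by_domain[d]["ip"] not in cc_ips
        )
        findings[r["domain"]] = {
            "email": r["email"],
            "redirects_to_lure": r["redirect"] in lure_hosts,
            "linked_outside_domains": outside,
            "attribution_pivot": bool(outside),
        }
    return findings

if __name__ == "__main__":
    for dom, f in pivot(RECORDS, KNOWN_CC_IPS, KNOWN_LURE_HOSTS).items():
        print(dom, f)
```

Domains registered with one-off burner addresses produce no pivot; the single domain whose registrant email recurs on ordinary, off-cluster infrastructure is the one worth following up.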
Real name: Anton Nikolaevich Korotchenko (Антон Николаевич Коротченко)
City of origin: St. Petersburg
Primary address: Omskaya st. 26-61; St. Petersburg; Leningradskaya oblast, 197343
Associated phone numbers obtained through OSINT analysis, not WHOIS records:
ICQ – 444374
Emails: [email protected]
WM identification (WebMoney): 425099205053
Twitter account: @KrotReal; @Real_Koobface
Flickr account: KrotReal
Photos of Koobface botnet’s master Anton Nikolaevich Korotchenko (Антон Николаевич Коротченко):
How do you trigger a change that would ultimately affect the entire cybercrime ecosystem? By personalizing cybercrime.
Go through previous research conducted on the Koobface botnet:
Koobface Redirectors and Scareware Campaigns Now Hosted in Moldova
The Koobface Gang Wishes the Industry “Happy Holidays”
Koobface Gang Responds to the “10 Things You Didn’t Know About the Koobface Gang Post”
10 things you didn’t know about the Koobface gang
How the Koobface Gang Monetizes Mac OS X Traffic
Koobface Botnet’s Scareware Business Model – Part Two
Koobface Botnet’s Scareware Business Model
From the Koobface Gang with Scareware Serving Compromised Site
Koobface Botnet Starts Serving Client-Side Exploits
Koobface-Friendly Riccom LTD – AS29550 – (Finally) Taken Offline
Dissecting Koobface Gang’s Latest Facebook Spreading Campaign
Koobface – Come Out, Come Out, Wherever You Are
Dissecting Koobface Worm’s Twitter Campaign
Koobface Botnet Redirects Facebook’s IP Space to my Blog
Koobface Botnet Dissected in a TrendMicro Report
Massive Scareware Serving Blackhat SEO, the Koobface Gang Style
Movement on the Koobface Front – Part Two
Movement on the Koobface Front
Dissecting the Koobface Worm’s December Campaign
The Koobface Gang Mixing Social Engineering Vectors
Dissecting the Latest Koobface Facebook Campaign