It's full disclosure time.
In this post, I will perform an OSINT analysis, exposing one of the key botnet masters behind the infamous Koobface botnet, that I have been
extensively profiling and infiltrating since day one. I will include photos of the botnet master, his telephone numbers, multiple email addresses, license plate for a BMW, and directly connect him with the infrastructure -- now offline or migrated to a different place -- of Koobface 1.0.
The analysis is based on a single mistake that the botnet master made - namely using his personal email for registering a domain parked within Koobface's command and control infrastructure, that at a particular moment in time was directly redirecting to the ubiquitous fake Youtube page pushed by the Koobface botnet.
Let's start from the basics. Here's an excerpt from a
previous research conducted on the Koobface botnet:
However, what the Koobface gang did was to register a new domain and use it as Koobface C&C again parked at the same IP, which remains active - zaebalinax.com Email: krotreal@gmail.com - 78.110.175.15 - in particular zaebalinax.com/the/?pid=14010 which is redirecting to the Koobface botnet. Two more domains were also registered and parked there, u15jul .com and umidsummer .com - Email: 2009polevandrey@mail.ru which remain in stand by mode at least for the time being.The Koobface botnet master's biggest mistake is using the Koobface infrastructure for hosting a domain that was registered with the botnet master's personal email address. In this case that
zaebalinax.com and
krotreal@gmail.com. zaebalinax.com is literally translated to "
Gave up on Linux".
UPDATED: Multiple readers have to contacted me to point out that zaebalinax is actually translated to "
f*ck you all" or "
you all are p*ssing me off".
The same email
krotreal@gmail.com was used to
advertise the sale of Egyptian Sphynx kittens on 05.09.2007:
The following telephone belonging to Anton was provided -
+79219910190. The interesting part is that the same telephone was also used in
another advertisement, this time for the sale of a BMW:
Photos of the BMW, offered for sale, by the same Anton that was using the Koobface infrastructure to host
zaebalinax.com Email: krotreal@gmail.com:
License plane for Anton's newest BMW:
Upon further analysis, it becomes evident that his real name is
Anton Nikolaevich Korotchenko (Антон Николаевич Коротченко). Here are more details of this online activities:
Real name: Anton Nikolaevich Korotchenko (Антон Николаевич Коротченко)
City of origin: St. Petersburg
Primary address: Omskaya st. 26-61; St. Petersburg; Leningradskaya oblast,197343
Associated phone numbers obtained through OSINT analysis, not whois records:+79219910190
+380505450601
050-545-06-01
ICQ - 444374
Emails: krotreal@yahoo.com
krotreal@gmail.com
krotreal@mail.ru
krotreal@livejournal.com
newfider@rambler.ru
WM identification (WEB MONEY) : 425099205053
Twitter account: @KrotReal;
@Real_KoobfaceFlickr account: KrotRealVkontakte.ru Account:
KrotReal;
tonystarx Foursquare Account: KrotRealPhotos of Koobface botnet's master Anton Nikolaevich Korotchenko (Антон Николаевич Коротченко):
Also,
a chat log from 2003, identifies KrotReal while he's using the following IP -
krotreal@ip-534.dialup.cl.spb.ru How do you trigger a change that would ultimately affect the entire cybercrime ecosystem? By personalizing cybercrime. Go through previous research conducted on the Koobface botnet:Koobface Redirectors and Scareware Campaigns Now Hosted in Moldova The Koobface Gang Wishes the Industry "Happy Holidays"Koobface Gang Responds to the "10 Things You Didn't Know About the Koobface Gang Post"10 things you didn't know about the Koobface gangHow the Koobface Gang Monetizes Mac OS X TrafficKoobface Botnet's Scareware Business Model - Part TwoKoobface Botnet's Scareware Business ModelFrom the Koobface Gang with Scareware Serving Compromised SiteKoobface Botnet Starts Serving Client-Side ExploitsKoobface-Friendly Riccom LTD - AS29550 - (Finally) Taken OfflineDissecting Koobface Gang's Latest Facebook Spreading CampaignKoobface - Come Out, Come Out, Wherever You AreDissecting Koobface Worm's Twitter CampaignKoobface Botnet Redirects Facebook's IP Space to my BlogKoobface Botnet Dissected in a TrendMicro ReportMassive Scareware Serving Blackhat SEO, the Koobface Gang StyleMovement on the Koobface Front - Part TwoMovement on the Koobface FrontDissecting the Koobface Worm's December CampaignThe Koobface Gang Mixing Social Engineering VectorsDissecting the Latest Koobface Facebook CampaignThis post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.
