Command and control (C&C) servers used by owners of the Koobface botnet have reportedly stopped responding following an investigation this week.
According to Sophos, the C&C servers were switched off on Tuesday morning after the report was released, and individuals alleged to have been behind the Facebook worm have been deleting their profiles on social networks.
Talking to Reuters, Facebook chief security officer Joe Sullivan said he had endorsed the report's release because he felt the exposure might disrupt the group. The two German researchers behind the report, Jan Droemer and Dirk Kollberg, said they suspected that the hackers had been working out of a location in St Petersburg, and that they had planned to hold off publishing their data until the police had captured the hackers.
Russia's anti-cyber-crime unit, the Interior Ministry's K Directorate, said it has yet to investigate the matter because it has not been asked to. Larisa Zhukova, a representative at the unit, told Reuters: “An official request needs to be filed to the K Directorate first, and when it's filed, we will certainly investigate and work on it.
“The request must come from the victim, that is Facebook. Because anyone can say or write anything, but it is all unfounded so far. Even if it turns into a criminal case, the investigative unit will decide on possible charges. It is hard to hypothesise on a possible sentence right now.”
Sullivan welcomed the dialogue on the challenges of cross-border enforcement. He said: “Ultimately, the goal here is to have an impact. As a security team, we don't have the luxury that every case ends in an arrest.”
Koobface primarily distributed videos and malicious links through Facebook and other social networking sites, storing a user's login details and distributing links to their friends. Research by Kaspersky Lab in 2010 found that Koobface is able to double its number of C&C servers in a 48-hour period.