The crew behind the Koobface worm, who have been quite open about their exploits and financial gains from their work in the past, now seem to be ducking underground as pressure is building on them in the wake of exposures of their operation and real identities. The command-and-control server used to run the Koobface botnet, known as the Mothership, is now offline and new infections seem to have dropped off, experts say.
Several reports this week have named the alleged operators of the Koobface botnet as a small group of Russian men living in and around St. Petersburg. The identities of the men have been known to security researchers tracking Koobface for some time now, and the researchers have had a good handle on how the group operates, makes its money and infects users, as well. Mostly, the group made money through click fraud and pay-per-click schemes that are predicated upon victims installing a piece of malware that masquerades as a new version of Adobe Flash that the user must install in order to watch a funny video that, of course, doesn't exist.
Security officials at Facebook have been tracking the activities of the Koobface gang, as the social networking site has been the main infection vector for the malware. This week the company, along with some other researchers, published the names of the people they believe to be responsible for the Koobface infections. Within a day or so of the disclosures, the alleged attackers had begun cleaning up their operation and covering the tracks they've been leaving all over the Internet for the last few years. Prior to that, the group had been rather careless about trying to throw researchers and investigators off the scent, and researchers were able to track them through social media profiles and posts and had access to their C&C server for some time, as well.
Continued: http://threatpost.com/en_us/blogs/koobface-gang-shuts-down-cc-server-drops-offline-011912
Koobface gang turns off command servers, as Russian police explain lack of action
Koobface C&C goes silent after alleged controllers exposed
Koobface botnet goes down, suspects scurry to erase tracks