18 Jan 2012
The problems, risks and frustrations involved in security research have been laid bare over the past week, after first an independent researcher, then the New York Times and finally security vendor Sophos decided to go public with information on the identities of five men suspected of masterminding the Koobface botnet.
In a detailed blog post on Tuesday, Sophos published an analysis of the research that led to the discovery of the men's identities, under the name of one of its researchers, Dirk Kollberg, and an independent, Jan Dromer.
Not credited, however, was the Trend Micro team, particularly Jonell Baltazar, Joey Costoya and Ryan Flores, key members of the cross-industry Koobface Taskforce, which has monitored and reported on the workings of Koobface since its discovery in 2008, according to the vendor's EMEA director of security research, Rik Ferguson.
Could Sophos be trying to steal the security thunder for itself here? Well, the industry collaborators involved in the project, including Trend Micro, Facebook's security team and others, are only briefly mentioned at the end of the article.
If anyone believed 2012 was set to usher in a new era of co-operation between security teams on different sides in a bid to snuff out the threat of a common enemy, well, they may be disappointed.
Perhaps more disappointing, however, are the actions of the lone security researcher who first revealed the findings of the group last week.
"The evidence had been in the hands of law enforcement on an on-going basis. It's never advisable to expose evidence until law enforcement has taken action, like with the Esthosts take-down," Ferguson told V3.
Whether those involved have now gone to ground and covered their tracks remains to be seen, but they have already proved themselves to be canny operators in the way they propagated the worm and monetised their malware, he added.
"Any criminal knows they are under investigation, so they are constantly shifting and adapting their techniques and methodologies," said Ferguson. "They have been very good at trying to remain undetected and adapting their technologies as time goes by."
Ferguson has published a full blog post on Trend Micro's input into the project.