
Thursday, April 28, 2011

The "New" Coreflood Botnet Trojan, is actually, Not New at all.


The "New" Coreflood Botnet Trojan is actually not new at all, according to Joe Stewart, Director of Malware Research at SecureWorks. At Black Hat 2008, Joe spoke about Coreflood. He first encountered Coreflood in 2003 and started studying it then. In another video he also stated that Coreflood has likely been around since 2001, according to comments in its own code...

What is new, though, is the way that the Feds are going about fighting this Trojan, which has infected, according to one estimate, one million Windows PCs. Read more and see the videos below...

See the mouse arrow in the screen shot of Joe being interviewed to see where to fast forward to in the 2nd video, "Black Hat 2008: Storm BotNet Update From Joe Stewart", where he talks about Coreflood (or just watch it all).



There are several interesting videos on Coreflood and other malware and Trojans below...


Don


Federal government shuts down massive botnet run out of North Texas and elsewhere, substitutes its own servers for bad guys' servers to identify victims and send warnings to ISPs


Botnets are nothing new. But the feds are responding to the latest, dubbed Coreflood, in a new way that involves replacing the bad guys' servers with their own and identifying each individual infected computer.
Botnets, as a reminder, are massive computer networks made up of systems that have been hacked by criminals, often using automated software. Getting infected with botnet software could be one consequence of clicking on one of the Epsilon emails, for example.
The botnets can be used either to steal money and personal data from individual users of each system, or to orchestrate larger attacks against the computer systems of companies and government agencies.
In this case, the Coreflood Botnet seemed to be about stealing money from individual users as well as companies, according to a Justice Department temporary restraining order filed in the U.S. district court in Connecticut on Tuesday. (Hat tip to Cnet for all the links.)
From a DoJ press release issued yesterday:

According to court filings, Coreflood is a particularly harmful type of malicious software that records keystrokes and private communications on a computer. Once a computer is infected with Coreflood, it can be controlled remotely from another computer, known as a command and control (C & C) server. A computer infected by Coreflood and subject to remote control is referred to as a "bot," short for "robot." According to information contained in court filings, the group of all computers infected with Coreflood is known as the Coreflood botnet, which is believed to have been operating for nearly a decade and to have infected more than two million computers worldwide.
Coreflood steals usernames, passwords and other private personal and financial information allegedly used by the defendants for a variety of criminal purposes, including stealing funds from the compromised accounts. In one example described in court filings, through the illegal monitoring of Internet communications between the user and the user's bank, Coreflood was used to take over an online banking session and caused the fraudulent transfer of funds to a foreign account.

More from...
http://www.justice.gov/opa/pr/2011/April/11-crm-466.html


The botnet is a network of hundreds of thousands of computers infected with a malicious software program known as Coreflood, which installs itself by exploiting a vulnerability in computers running Windows operating systems.  Coreflood allows infected computers to be controlled remotely for the purpose of stealing private personal and financial information from unsuspecting computer users, including users on corporate computer networks, and using that information to steal funds. 

The Department of Justice strongly encourages computer users to ensure they are using security software on their computers and that users regularly update their security and routinely scan their computers for viruses. To learn more about what you can do to protect your computer, including how to download and receive updates on security vulnerabilities, the public may go to the following sites operated by U.S. Computer Emergency Readiness Team (CERT) and the Federal Trade Commission, respectively: us-cert.gov/nav/nt01 and onguardonline.gov/topics/malware.aspx

The U.S. Attorney’s Office for the District of Connecticut has filed a civil complaint against 13 “John Doe” defendants, alleging that the defendants engaged in wire fraud, bank fraud and illegal interception of electronic communications.  In addition, search warrants were obtained for computer servers throughout the country, and a seizure warrant was obtained in U.S. District Court for the District of Connecticut for 29 domain names.  Finally, the government obtained a temporary restraining order (TRO), authorizing the government to respond to signals sent from infected computers in the United States in order to stop the Coreflood software from running, thereby preventing further harm to hundreds of thousands of unsuspecting users of infected computers in the United States.
Read More...
http://techblog.dallasnews.com/archives/2011/04/federal-government-shuts-down.html


FBI Take Down: Coreflood Bot-Net


Video Link....
http://www.youtube.com/watch?v=c-7fGJTd2es

Black Hat 2008: Storm BotNet Update From Joe Stewart



Video Link...
http://www.youtube.com/watch?v=rIZS_zxHkHY


Joe Stewart on the CoreFlood botnet


Video Link...
http://www.youtube.com/watch?v=IpHzi2ZlpHU


Joe Stewart on the forensic exam of CoreFlood



Video Link...
http://www.youtube.com/watch?v=93L8QmhJWpc&feature=related


Joe Stewart on the stealth botnet CoreFlood 



Video Link...

http://www.youtube.com/watch?v=57Fm07pfG38


Cyber Threat Report

Cyber Threat Report for April 14, 2011

04.18.11
The AT&T Malware team discusses the Coreflood Takedown, Microsoft Patch Tuesday, the new Adobe patch and recent Internet activity anomalies.



 

Video Link...

http://techchannel.att.com/play-video.cfm/2011/4/18/Internet-Threat-Report-Internet-Threat-Report-for-April-14-2011

 

DEFCON 16: Malware RCE: Debuggers and Decryptor Development



Video Link...
http://www.youtube.com/watch?v=OZzu4JLPoUs


FBI takes on Coreflood botnet - but is this a step too far?

Quote...
When infected PCs connected to the surrogate, the cops instructed the bot process to terminate, providing that the PC appeared to be in the US, and thus under their jurisdiction.
What made this court order a first in the US is that it gave law enforcement permission to interfere directly with computers belonging to users who weren't being investigated, or charged with any crime.
The motivation for this novelty was that the Coreflood bot family is notorious for exfiltrating data from infected PCs. As the FBI's Temporary Restraining Order puts it, Coreflood sets out:
to commit wire fraud and bank fraud in violation of Title 18, United States Code, Sections 1343 and 1344, and to engage in unauthorized interception of electronic communications in violation of Title 18, United States Code, Section 2511.
But the Electronic Frontier Foundation (EFF), a worldwide privacy advocacy group, expressed concerns about this sort of legally-endorsed interference. In particular, the EFF pointed out that there is something unappealing about sending commands of any sort to unknown malicious code on someone else's computer without their explicit permission.
This may sound like a petty objection - and perhaps, in the real world, it is - but unless you know exactly which variant of the bot is on each PC, there is always a potential risk with trying to use a bot against itself. What if the crooks have deliberately rewired the "stop" command to carry out a "format hard drive" operation instead?
Nevertheless, the FBI went ahead, and the exercise seems to have been a success. So much so, in fact, that the cops went back to court over the weekend to ask for the two-week court order to be extended for a further month.

Read More...
http://nakedsecurity.sophos.com/2011/04/28/fbi-takes-on-coreflood-botnet-step-too-far/


Feds to remotely uninstall Coreflood bot from some PCs - Computerworld
YouTube - FBI Take Down: Coreflood Bot-Net
YouTube - Black Hat 2008: Storm BotNet Update From Joe Stewart
FBI takes on Coreflood botnet – but is this a step too far? | Naked Security
YouTube - DEFCON 16: Malware RCE: Debuggers and Decryptor Development
Feds will uninstall Zombie software from US computers - In the next month | TechEye
Federal government shuts down massive botnet run out of North Texas and elsewhere, substitutes its own servers for bad guys' servers to identify victims and send warnings to ISPs | Technology Blog | dallasnews.com
Department of Justice Takes Action to Disable International Botnet
US-CERT: Non-technical users
Malware - OnGuard Online
With Court Order, FBI Hijacks ‘Coreflood’ Botnet, Sends Kill Signal | Threat Level | Wired.com
YouTube - Joe Stewart on the forensic exam of CoreFlood
YouTube - Joe Stewart on the CoreFlood botnet
Feds Crush 'Coreflood Botnet' - Infected 2 Million Computers, Stole Millions - ABC News
YouTube - US government shuts down Coreflood botnet
Cyber Threat Report: Cyber Threat Report for April 14, 2011 - AT&T Tech Channel
YouTube - Joe Stewart on the stealth botnet CoreFlood
Don
