Security

In February of 2005, a Miami man sued Bank of America for not adequately protecting him against a $90,000 fraudulent wire transfer to the Parex Bank in Latvia. Joe Lopez was the first online user to sue his financial institution for not protecting his assets from a computer hacker.

Lopez, owner of a computer and copier supply business, accused Bank of America of negligence and breach of contract for not alerting him in advance to the existence of a piece of malware known as "Coreflood" prior to April 6, 2004, when the alleged theft took place.

Shortly after the wire transfer occurred, a sum of $20,000 was withdrawn from Parex by unknown individuals, according to the complaint filed in court. The remaining $70,000 was, however, frozen by Latvian banking authorities. Bank of America has since settled this case; neither side has revealed the terms.

"I had probably heard the news about Joe Lopez, but (until recently), I hadn't thought twice about the whole Coreflood episode of a few years ago," admitted Joe Stewart, director of Malware Research at SecureWorks, when I spoke to him at last summer's Black Hat conference in Las Vegas.

In particular, Stewart recalled hearing that the U.S. Secret Service had found evidence of Aflood or Coreflood on the Lopez computer.

"The Secret Service actually named Coreflood. That was very surprising. Normally, we don't get the final tally. We don't know who's account got stolen. It's very unusual to actually have a victim that is public, and everybody knows exactly what (was) taken."

Unlike a lot of bots and botnets, most of which exist primarily to relay spam, Stewart said Coreflood has a different agenda: "Its goal is to steal the data directly from users." The much more popular Storm botnet, he said, is more of a nuisance. "Coreflood has a real financial impact for people like Joe Lopez."

Who's behind Coreflood? Stewart declines to say, but in an interview in The New York Times, he suggested that the gang responsible was based somewhere in Russia. He would not tell me the name of the group because of ongoing criminal investigations.

In this video, Stewart talks about what first drew him to study the Coreflood botnet.

When Stewart heard about Lopez, he renewed his research on the Coreflood. With the help of Spamhaus, an antispam organization, Stewart and SecureWorks were able to gain cooperation from a Wisconsin-based provider of one of the command and control centers for the botnet. What he found was not only the bot's source code but also 50 gigabytes of compressed data, searchable in a MySQL database.

Within that database were 378,758 unique bot IDs over a 16-month period. There, for everyone to see, was the time-stamped life cycle--from infection to removal--of each compromised computer. Stewart found the average to be about 66 days.

The graph shows how one state policy agency was infected with Coreflood from April 2007 through January 2008.

(Credit: SecureWorks)

Apparently, Coreflood would enter a network via a drive-by browser exploit, download a copy of the installer, then run PcExec, a legitimate Windows administration tool available from Microsoft.

"It could happen to anybody," Stewart said, "any user who happened to go to the wrong site." If the user also happened to be on the corporate network when that happens, the bot is then able to take advantage of that structure and is able to be a threat to everyone on that network.

"So it's not so much a targeted attack," Stewart said. "But I think they have intentionally set a trap for the domain administrator and are leveraging that in order to have access to the entire company."

Later, the criminal gang responsible for the attack can find out which company it has infected by looking into the registry of the infected computer. "They pull out of the registry a separate request to say who is the registered owner the Windows license. They ship that information back up to the botnet controller."

Just looking at that one C&C server in Wisconsin, Stewart estimates that the gang responsible has infected more than 35,000 domains. It may sell those Web mail accounts to a spammer, because spammers love Web mail accounts. But over the years, Coreflood seems to have targeted only banks. Stewart knows this from the forensic evidence he's collected.

In this video, Stewart talks about digital forensics and what it can tell us about botnets such as Coreflood.

Within the 50GB file, Stewart was able to discern how the thieves culled the data. He said they run a test script against that data that will log via a proxy into the bank using the credentials captured, say, by a keylogging application. The Coreflood script will then capture the HTML data on the post-log-in page.

In most cases, that page also contains the account's bank balance. This is so that after running the test, the hackers have a picture of what the highest dollar amounts are, he said.

"I don't know whether they steal from all of them. We don't have access to the accounts; the bank is not going to tell us how much was stolen out of any given account," he said. "We're not going to get that information, but we know they're actively logging and checking accounts to collect the balance data. The only reason (the script) can see that data is to target the biggest accounts first."

Coreflood does not take a screenshot, Stewart said, but rather scrapes the text out of the HTML. "When they run these tools, it leaves a log file behind, and all the post log-in (data)...are saved in that directory. So we have all of the account balances. So we can parse out what everyone's balance is and see actually how much (the thieves) had access to at any one institution."

In this video, Stewart talks about why Coreflood has been around since 2001, yet hardly anyone has been talking about it.

The problem is that Coreflood has been around since 2001.

"It's unique in that's been around for so long," Stewart said. Moreover, it's unusual that it seems to have been maintained by the same group, "not something that's been sold to another group," as is the case with some botnets.

The way it's managed to evade detection, Stewart said, is that it hasn't really crept high on anyone's list of botnets. "It's not on anyone's radar." Yet it's managed to seriously impact some enterprises that use Windows domains. In companies that have been hit, every employee is potentially sending everything they do back to these guys in Russia.

"To me, (Coreflood) is far more insidious because it doesn't get the attention," said Stewart. Unlike Storm, Coreflood is not constantly in your face. "You're not seeing new social-engineering campaigns every week, not seeing a new news article about it every week talking about all the great innovations the peer-to-peer thing has now. It's been quiet, and just does a few things, and tries not to garner any attention."

So the story of Lopez is significant. It's a tangible event about how online criminals are actually affecting people. It illustrates how much money got taken from an actual bank account, and the real impact on the victim's life. Unfortunately, there are many more botnets--and many more victims to talk about.

(Credit: Adobe)

Updated 10:50 a.m. PT with Adobe releasing update and link.

A critical security hole in Adobe Reader could allow an attacker to take control of a computer, according to Core Security Technologies.

The vulnerability affects version 8.1.2 of Reader, Core Security said in a statement issued on Tuesday to coincide with Adobe's planned release of a security update to fix the vulnerability.

The security bulletin was posted early on Tuesday. "Adobe is not aware of any reports of these issues being exploited in the wild," the company wrote in a security blog posting.

An attacker could put malicious code in JavaScript embedded in a PDF and spread that via a Web site or e-mail, Core Security said. Once the file is opened, the code could manipulate the program's memory allocation pattern and trigger the vulnerability to execute arbitrary code with the privileges of the user.

Damian Frizza, a CoreLabs researcher, discovered the vulnerability in May while he was investigating a similar vulnerability in a different PDF viewer application called Foxit Reader. Core Security immediately reported the new hole to Adobe.

The complexity of desktop software increases the chances of applications having bugs that result from the implementation of the software, said Ivan Arce, chief technology officer of Core Security.

"We've seen similar vulnerabilities in JavaScript engines in Adobe software in the past and in other applications," he said. "It's difficult to avoid implementation bugs like this one."

The fact that both PDF Readers have the same bug indicates that even though vendors are building products with different technologies and code bases, they ought to check for such bugs in their applications when rival software is found to be vulnerable, Arce said.

On Tuesday, Apple released iPod Touch version 2.1 to address several security issues. Among them are the DNS vulnerabilities first reported by Dan Kaminsky of IOActive in July. Other issues include vulnerabilities in Webkit, CoreGraphics, and the Application Sandbox.

Earlier on Tuesday, Apple released updates to its QuickTime media player.

Apple notes that this update is only available through iTunes as part of the iPod Touch updating process and will not appear in your computer's Software Update application, nor can it be found on the Apple Downloads site.

Application Sandbox
This patch affects users of iPod Touch v2.0 through v2.0.2. The update addresses the information disclosure vulnerability detailed within CVE-2008-3631. Apple says "the Application Sandbox does not properly enforce access restrictions between third-party applications. This may allow a third-party application to read files in another third-party application's sandbox and lead to the disclosure of sensitive information." Apple credits Nicolas Seriot of Sen:te and Bryce Cogswell for reporting the vulnerability. This issue does not affect iPod Touch versions prior to v2.0.

CoreGraphics
This patch affects users of iPod Touch v1.1 through v2.0.2. The update addresses the FreeType v2.3.5 vulnerabilities within CVE-2008-1806, CVE-2008-1807, CVE-2008-1808. Apple says the most serious of these vulnerabilities may lead to arbitrary code execution when accessing maliciously crafted font data.

mDNSResponder
This patch affects users of iPod Touch v1.1 through v2.0.2. The update addresses the cache poisoning vulnerability within CVE-2008-1447. Apple explains that mDNSResponder provides translation between host names and IP addresses for applications that use its unicast DNS resolution API. A weakness in the DNS protocol may allow a remote attacker to perform DNS cache poisoning attacks. As a result, applications that rely on mDNSResponder for DNS may receive forged information.

Networking
This patch affects users of CVE-2008-3612. The update addresses the memory corruption issue vulnerability details within CVE-2008-3626. Apple says the TCP initial sequence numbers are sequentially generated. Predictable initial sequence numbers may allow a remote attacker to create a spoofed TCP connection or insert data into an existing TCP connection.

WebKit
This patch affects users of iPod Touch v1.1 through v2.0.2. The update addresses a vulnerability detailed within CVE-2008-3632. Apple says that a use-after-free issue exists in WebKit's handling of CSS import statements. Visiting a maliciously crafted Web site may lead to an unexpected application termination or arbitrary code execution.