In February of 2005, a Miami man sued Bank of America for not adequately protecting him against a $90,000 fraudulent wire transfer to the Parex Bank in Latvia. Joe Lopez was the first online user to sue his financial institution for not protecting his assets from a computer hacker.
Lopez, owner of a computer and copier supply business, accused Bank of America of negligence and breach of contract for not alerting him in advance to the existence of a piece of malware known as "Coreflood" prior to April 6, 2004, when the alleged theft took place.
Shortly after the wire transfer occurred, a sum of $20,000 was withdrawn from Parex by unknown individuals, according to the complaint filed in court. The remaining $70,000 was, however, frozen by Latvian banking authorities. Bank of America has since settled this case; neither side has revealed the terms.
"I had probably heard the news about Joe Lopez, but (until recently), I hadn't thought twice about the whole Coreflood episode of a few years ago," admitted Joe Stewart, director of Malware Research at SecureWorks, when I spoke to him at last summer's Black Hat conference in Las Vegas.
In particular, Stewart recalled hearing that the U.S. Secret Service had found evidence of Aflood or Coreflood on the Lopez computer.
"The Secret Service actually named Coreflood. That was very surprising. Normally, we don't get the final tally. We don't know who's account got stolen. It's very unusual to actually have a victim that is public, and everybody knows exactly what (was) taken."
Unlike a lot of bots and botnets, most of which exist primarily to relay spam, Stewart said Coreflood has a different agenda: "Its goal is to steal the data directly from users." The much more popular Storm botnet, he said, is more of a nuisance. "Coreflood has a real financial impact for people like Joe Lopez."
Who's behind Coreflood? Stewart declines to say, but in an interview in The New York Times, he suggested that the gang responsible was based somewhere in Russia. He would not tell me the name of the group because of ongoing criminal investigations.
In this video, Stewart talks about what first drew him to study the Coreflood botnet.
When Stewart heard about Lopez, he renewed his research on the Coreflood. With the help of Spamhaus, an antispam organization, Stewart and SecureWorks were able to gain cooperation from a Wisconsin-based provider of one of the command and control centers for the botnet. What he found was not only the bot's source code but also 50 gigabytes of compressed data, searchable in a MySQL database.
Within that database were 378,758 unique bot IDs over a 16-month period. There, for everyone to see, was the time-stamped life cycle--from infection to removal--of each compromised computer. Stewart found the average to be about 66 days.
The graph shows how one state policy agency was infected with Coreflood from April 2007 through January 2008.
(Credit: SecureWorks)Apparently, Coreflood would enter a network via a drive-by browser exploit, download a copy of the installer, then run PcExec, a legitimate Windows administration tool available from Microsoft.
"It could happen to anybody," Stewart said, "any user who happened to go to the wrong site." If the user also happened to be on the corporate network when that happens, the bot is then able to take advantage of that structure and is able to be a threat to everyone on that network.
"So it's not so much a targeted attack," Stewart said. "But I think they have intentionally set a trap for the domain administrator and are leveraging that in order to have access to the entire company."
Later, the criminal gang responsible for the attack can find out which company it has infected by looking into the registry of the infected computer. "They pull out of the registry a separate request to say who is the registered owner the Windows license. They ship that information back up to the botnet controller."
Just looking at that one C&C server in Wisconsin, Stewart estimates that the gang responsible has infected more than 35,000 domains. It may sell those Web mail accounts to a spammer, because spammers love Web mail accounts. But over the years, Coreflood seems to have targeted only banks. Stewart knows this from the forensic evidence he's collected.
In this video, Stewart talks about digital forensics and what it can tell us about botnets such as Coreflood.
Within the 50GB file, Stewart was able to discern how the thieves culled the data. He said they run a test script against that data that will log via a proxy into the bank using the credentials captured, say, by a keylogging application. The Coreflood script will then capture the HTML data on the post-log-in page.
In most cases, that page also contains the account's bank balance. This is so that after running the test, the hackers have a picture of what the highest dollar amounts are, he said.
"I don't know whether they steal from all of them. We don't have access to the accounts; the bank is not going to tell us how much was stolen out of any given account," he said. "We're not going to get that information, but we know they're actively logging and checking accounts to collect the balance data. The only reason (the script) can see that data is to target the biggest accounts first."
Coreflood does not take a screenshot, Stewart said, but rather scrapes the text out of the HTML. "When they run these tools, it leaves a log file behind, and all the post log-in (data)...are saved in that directory. So we have all of the account balances. So we can parse out what everyone's balance is and see actually how much (the thieves) had access to at any one institution."
In this video, Stewart talks about why Coreflood has been around since 2001, yet hardly anyone has been talking about it.
The problem is that Coreflood has been around since 2001.
"It's unique in that's been around for so long," Stewart said. Moreover, it's unusual that it seems to have been maintained by the same group, "not something that's been sold to another group," as is the case with some botnets.
The way it's managed to evade detection, Stewart said, is that it hasn't really crept high on anyone's list of botnets. "It's not on anyone's radar." Yet it's managed to seriously impact some enterprises that use Windows domains. In companies that have been hit, every employee is potentially sending everything they do back to these guys in Russia.
"To me, (Coreflood) is far more insidious because it doesn't get the attention," said Stewart. Unlike Storm, Coreflood is not constantly in your face. "You're not seeing new social-engineering campaigns every week, not seeing a new news article about it every week talking about all the great innovations the peer-to-peer thing has now. It's been quiet, and just does a few things, and tries not to garner any attention."
So the story of Lopez is significant. It's a tangible event about how online criminals are actually affecting people. It illustrates how much money got taken from an actual bank account, and the real impact on the victim's life. Unfortunately, there are many more botnets--and many more victims to talk about.
On Monday, SecureWorks released its analysis of the Coreflood Trojan, providing an inside look at a stealthy online predator.
According to a blog by Joe Stewart, director of malware research for SecureWorks, Coreflood started out as an IRC (Internet relay chat) botnet back in 2002. Coreflood--or AFcore, as the author refers to it within the code--is apparently viewed by its author as corporate software that can be tweaked as business needs change. For example, over the last six years, Coreflood has evolved from initiating distributed denial-of-service attacks to collecting IDs and passwords for bank fraud.
With the help of Spamhaus, an antispam organization, SecureWorks was able to gain cooperation from one of the command and control centers for Coreflood. What Stewart found was not only source code but 50 gigabytes of compressed data, searchable in a MySQL database.
Within was 378,758 unique bot IDs over a 16-month period. Logged was the time-stamped lifecycle--from infection to removal--of each compromised computer. Stewart found the average to be about 66 days.
The other find was that many computers within a single company would get infected. Not surprising in and of itself, however, the time stamp provides an insight into the growth of bots within corporate networks and government agencies.
The graph shows how a state policy agency was infected with Coreflood from April 2007 through January 2008.
(Credit: SecureWorks)What Stewart found by looking at the log files is that Coreflood would enter a network via a drive-by browser exploit, download a copy of the installer, then run PcExec, a legitimate Windows administration tool available from Microsoft. If the infected machine had administrator rights, the malicious file ie1823en.exe would be executed on every computer within that domain.
"Mitigating the problem of malware using domain administrator credentials is harder," wrote Stewart. "It is not really possible to disable this feature without removing the ability of authorized users to remotely administer workstations entirely (including the ability to push needed updates to all computers in the domain)." SecureWorks is aware of one other bot that uses this technique, and expects other bots to use it in the future.
Stewart concludes: "It falls upon the domain administrator to be aware of this tactic and be increasingly aware of the security of not only his/her workstation, but any workstation accessed with administrator credentials."
- prev
- 1
- next
