• On CHOW: Can girls use the guys' bathroom?

Defense in Depth

Read all 'AFCore' posts in Defense in Depth
June 30, 2008 3:36 PM PDT

SecureWorks unmasks the Coreflood Trojan

by Robert Vamosi
  • 1 comment

On Monday, SecureWorks released its analysis of the Coreflood Trojan, providing an inside look at a stealthy online predator.

According to a blog by Joe Stewart, director of malware research for SecureWorks, Coreflood started out as an IRC (Internet relay chat) botnet back in 2002. Coreflood--or AFcore, as the author refers to it within the code--is apparently viewed by its author as corporate software that can be tweaked as business needs change. For example, over the last six years, Coreflood has evolved from initiating distributed denial-of-service attacks to collecting IDs and passwords for bank fraud.

With the help of Spamhaus, an antispam organization, SecureWorks was able to gain cooperation from one of the command and control centers for Coreflood. What Stewart found was not only source code but 50 gigabytes of compressed data, searchable in a MySQL database.

Within was 378,758 unique bot IDs over a 16-month period. Logged was the time-stamped lifecycle--from infection to removal--of each compromised computer. Stewart found the average to be about 66 days.

The other find was that many computers within a single company would get infected. Not surprising in and of itself, however, the time stamp provides an insight into the growth of bots within corporate networks and government agencies.

The graph shows how a state policy agency was infected with Coreflood from April 2007 through January 2008.

(Credit: SecureWorks)

What Stewart found by looking at the log files is that Coreflood would enter a network via a drive-by browser exploit, download a copy of the installer, then run PcExec, a legitimate Windows administration tool available from Microsoft. If the infected machine had administrator rights, the malicious file ie1823en.exe would be executed on every computer within that domain.

"Mitigating the problem of malware using domain administrator credentials is harder," wrote Stewart. "It is not really possible to disable this feature without removing the ability of authorized users to remotely administer workstations entirely (including the ability to push needed updates to all computers in the domain)." SecureWorks is aware of one other bot that uses this technique, and expects other bots to use it in the future.

Stewart concludes: "It falls upon the domain administrator to be aware of this tactic and be increasingly aware of the security of not only his/her workstation, but any workstation accessed with administrator credentials."

Topics:
Security
Tags:
security,
SecureWorks,
Joe Stewart,
CoreFlood,
AFCore
Share:
Digg
Del.icio.us
Reddit
  • prev
  • 1
  • next
advertisement

Google's mobile hopes go beyond Nexus One

The world may have thrilled to the potential for a Google Phone, but what Google actually unveiled is its plan for a new smartphone world order.
• Photos: Unboxing Nexus One

Using your smartphone safely

faq Worms, Trojans, and SMS attacks are risks for mobile phones, but the biggest practical threat to users is losing the device.

About Defense in Depth

Covering computer viruses and computer crime, Robert Vamosi goes beyond the hype to provide you with expert interviews of the top security researchers, as well as offering the hands-on, nontechnical advice you'll need to stay safe online.

Add this feed to your online news reader

Defense in Depth topics

Most Discussed



advertisement

Inside CNET News

Scroll Left Scroll Right
News
News site map
Latest headlines
Contact News
News staff
Corrections
CNET blogs
Popular topics
Apple iPhone
Apple iPod
Cell phones
CES 2010
GPS
LCD TV
CNET sites
CNET Site map
CNET TV
Downloads
News
Reviews
Shopper.com
More information
Newsletters
CNET Mobile
Customer Help Center
RSS
CNET Widgets
About CNET