Defense in Depth

November 7, 2008 2:14 PM PST

Security expert talks Russian gangs, botnets

by Robert Vamosi

In February of 2005, a Miami man sued Bank of America for not adequately protecting him against a $90,000 fraudulent wire transfer to the Parex Bank in Latvia. Joe Lopez was the first online user to sue his financial institution for not protecting his assets from a computer hacker.

Lopez, owner of a computer and copier supply business, accused Bank of America of negligence and breach of contract for not alerting him in advance to the existence of a piece of malware known as "Coreflood" prior to April 6, 2004, when the alleged theft took place.

Shortly after the wire transfer occurred, a sum of $20,000 was withdrawn from Parex by unknown individuals, according to the complaint filed in court. The remaining $70,000 was, however, frozen by Latvian banking authorities. Bank of America has since settled this case; neither side has revealed the terms.

"I had probably heard the news about Joe Lopez, but (until recently), I hadn't thought twice about the whole Coreflood episode of a few years ago," admitted Joe Stewart, director of Malware Research at SecureWorks, when I spoke to him at last summer's Black Hat conference in Las Vegas.

In particular, Stewart recalled hearing that the U.S. Secret Service had found evidence of Aflood or Coreflood on the Lopez computer.

"The Secret Service actually named Coreflood. That was very surprising. Normally, we don't get the final tally. We don't know whose account got stolen. It's very unusual to actually have a victim that is public, and everybody knows exactly what (was) taken."

Unlike a lot of bots and botnets, most of which exist primarily to relay spam, Stewart said Coreflood has a different agenda: "Its goal is to steal the data directly from users." The much more popular Storm botnet, he said, is more of a nuisance. "Coreflood has a real financial impact for people like Joe Lopez."

Who's behind Coreflood? Stewart declines to say, but in an interview in The New York Times, he suggested that the gang responsible was based somewhere in Russia. He would not tell me the name of the group because of ongoing criminal investigations.

In this video, Stewart talks about what first drew him to study the Coreflood botnet.

When Stewart heard about Lopez, he renewed his research on Coreflood. With the help of Spamhaus, an antispam organization, Stewart and SecureWorks were able to gain cooperation from the Wisconsin-based hosting provider of one of the botnet's command-and-control servers. What he found there was not only the bot's source code but also 50 gigabytes of compressed data, searchable in a MySQL database.

Within that database were 378,758 unique bot IDs over a 16-month period. There, for everyone to see, was the time-stamped life cycle--from infection to removal--of each compromised computer. Stewart found the average to be about 66 days.

The graph shows how one state policy agency was infected with Coreflood from April 2007 through January 2008.

(Credit: SecureWorks)

According to the logs, Coreflood would enter a network via a drive-by browser exploit, download a copy of its installer, then spread using PsExec, a legitimate remote-administration tool from Microsoft's Sysinternals suite.

"It could happen to anybody," Stewart said, "any user who happened to go to the wrong site." If that user is also on a corporate Windows domain, the bot can exploit the domain's trust structure and becomes a threat to every machine on the network.

"So it's not so much a targeted attack," Stewart said. "But I think they have intentionally set a trap for the domain administrator and are leveraging that in order to have access to the entire company."

Later, the criminal gang responsible for the attack can find out which company it has infected by looking into the registry of the infected computer. "They pull out of the registry a separate request to say who is the registered owner of the Windows license. They ship that information back up to the botnet controller."

Just looking at that one C&C server in Wisconsin, Stewart estimates that the gang responsible has infected more than 35,000 domains. The gang may sell the Web mail credentials it captures to a spammer, because spammers love Web mail accounts. But over the years, Coreflood seems to have targeted only banks. Stewart knows this from the forensic evidence he's collected.

In this video, Stewart talks about digital forensics and what it can tell us about botnets such as Coreflood.

Within the 50GB of data, Stewart was able to discern how the thieves culled what they had stolen. He said they run a test script against the data: it logs in to the bank through a proxy using the captured credentials (harvested, for example, by the bot's keylogging component) and then saves the HTML of the post-login page.

In most cases, that page also shows the account balance, so after running the test the thieves have a picture of which accounts hold the highest dollar amounts, he said.

"I don't know whether they steal from all of them. We don't have access to the accounts; the bank is not going to tell us how much was stolen out of any given account," he said. "We're not going to get that information, but we know they're actively logging and checking accounts to collect the balance data. The only reason (the script) can see that data is to target the biggest accounts first."

Coreflood does not take a screenshot, Stewart said, but rather scrapes the text out of the HTML. "When they run these tools, it leaves a log file behind, and all the post log-in (data)...are saved in that directory. So we have all of the account balances. So we can parse out what everyone's balance is and see actually how much (the thieves) had access to at any one institution."

In this video, Stewart talks about why Coreflood has been around since 2001, yet hardly anyone has been talking about it.

The problem is that Coreflood has been around since 2001.

"It's unique in that it's been around for so long," Stewart said. Moreover, it's unusual that it seems to have been maintained by the same group, "not something that's been sold to another group," as is the case with some botnets.

The way it's managed to evade detection, Stewart said, is that it hasn't really crept high on anyone's list of botnets. "It's not on anyone's radar." Yet it's managed to seriously impact some enterprises that use Windows domains. In companies that have been hit, every employee is potentially sending everything they do back to these guys in Russia.

"To me, (Coreflood) is far more insidious because it doesn't get the attention," said Stewart. Unlike Storm, Coreflood is not constantly in your face. "You're not seeing new social-engineering campaigns every week, not seeing a new news article about it every week talking about all the great innovations the peer-to-peer thing has now. It's been quiet, and just does a few things, and tries not to garner any attention."

So the story of Lopez is significant. It's a tangible event about how online criminals are actually affecting people. It illustrates how much money got taken from an actual bank account, and the real impact on the victim's life. Unfortunately, there are many more botnets--and many more victims to talk about.

September 12, 2008 2:17 PM PDT

Anatomy of a botnet

by Robert Vamosi

What if you wanted to build your own botnet to act as a spam relay or to launch a denial-of-service attack against an organization or a country? "It's actually a lot of work," says Joe Stewart, director of malware research at SecureWorks.

I had a chance to talk with Stewart at this year's Black Hat security conference in Las Vegas where, in a talk, he provided insight into the inner workings of one botnet, the Storm worm botnet. Using unpackers, debuggers, and decompilers, Stewart was able to dissect the rogue network and learn how it works and why Storm remains so resilient when other botnets simply fail over time.

Joe Stewart of SecureWorks at Black Hat Las Vegas 2008

(Credit: Robert Vamosi / CNET)

Botnets, whose combined computing power can equal that of a large supercomputer, are organic, yet they only evolve when they need to, such as after they've been discovered and shut down, Stewart said. But he said anyone wanting to copy a successful botnet like Storm would simply be wasting their time. While all the coding tricks used to make Storm successful are available on the Internet, it's combining them that's the trick.

"How you are going to make all that work for your specific needs? It's pretty complex," he said. "The person who developed Storm did it over a long period of time. They didn't start out with the peer-to-peer program (as used today); they started out with something much simpler. They then made small modifications. A lot of hours have been put into it."

Storm's structure
A basic botnet includes a Command and Control (C&C) server connected to thousands of compromised desktop computers worldwide. Were that always the case, botnets could be taken down quickly by simply finding and shutting down the C&C server. Storm's approach is more nuanced and layered. At the top level is a Command & Control server running Apache (presumably somewhere in Russia). The next level is a server running an Nginx 0.5.17 proxy, whose job is to hide the Apache machine from view. At the third level are a couple more Nginx 0.5.17 proxies that in turn hide the master Nginx proxy. At the fourth level sit public nodes that act as reverse proxies leading back to the controller and serve as fast-flux name servers. Fast flux means a hostname can be hard-coded into the bot, while the IP addresses that hostname resolves to change constantly.

The final level is composed of thousands of compromised computers worldwide. Stewart says that Storm starts out by infecting a computer with a dropper. Right now the preferred infection route is an e-mail link, but this might change to a peer-to-peer process. However the infection happens, the end user's initial click installs a rootkit which, in turn, fetches the bot executable from a fourth-level supernode. Once infected, the compromised computer and the supernode exchange the infected desktop's IP information. That information is sent to a third-level supernode proxy as part of its mapping operation. At the third level it is also compressed and encoded for obfuscation, then sent on to the second-level proxy, and finally to the top-level server.

Overnet/eDonkey
At the second and third levels, the Nginx proxies listen for Overnet/eDonkey peer-to-peer Internet traffic. Overnet/eDonkey was a popular peer-to-peer network application until it was shut down following legal action by the Recording Industry Association of America. While the service is gone, the code still exists. What botnet operators like most is Overnet/eDonkey's distributed nature: it has no central peer list. Instead, each node keeps only a small list of neighboring peers.

This decentralized network is what Stewart and many other experts say is the key to Storm's resilience.

And it almost proved to be Storm's undoing. Overnet/eDonkey is still used for file sharing, so from Storm's point of view there is a lot of bogus traffic on the network. To distinguish its own traffic, Stewart says, Storm uses the Kademlia distributed hash table (DHT), and its C&C servers listen only for predictable MD4 hashes. Those hashes are derived from a simple checksum algorithm that includes the IP address and the port used. Authentication is accomplished through a 4-byte challenge and response.

The predictable hashes also have a positive effect for researchers, says Stewart: If a given peer doesn't know the location of the specific node you're searching for, the known peer will provide you with a list of peers closest to what you asked for. And, because the Overnet/eDonkey supernode peers all broadcast their presence, Stewart and other researchers can walk all the nodes in a network to get a fairly accurate count of the botnet's size.
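The census technique described above, as an added example that is not part of the original article or of SecureWorks' tooling: a simulated Kademlia-style network in which every peer answers a FIND_NODE query with the peers it knows that are closest (by XOR distance) to the requested ID, and a crawler that walks the whole network from a single bootstrap peer by repeatedly asking each newly discovered peer for more. The node IDs, the small peer tables and the ring link that keeps the toy network connected are assumptions made for the simulation; Overnet's real tables are larger and a real crawler sends several targets per peer, but the enumeration logic is the same.

```python
import random

ID_BITS = 128   # Overnet, like Kademlia, identifies peers by 128-bit hash IDs
K = 8           # peers returned in one FIND_NODE reply (assumed for the simulation)


def xor_distance(a, b):
    """Kademlia's metric: the distance between two IDs is their XOR read as an integer."""
    return a ^ b


class Node:
    """A simulated peer with a small table of known peers."""

    def __init__(self, node_id):
        self.node_id = node_id
        self.peers = []

    def find_node(self, target):
        """Reply as a DHT peer does: the K known peers closest to the target ID,
        returned even when the peer does not know the target itself."""
        return sorted(self.peers, key=lambda p: xor_distance(p, target))[:K]


def build_network(n, seed=7):
    """Construct a toy network of n nodes (IDs and links invented for the example).

    Each node knows its K-1 nearest neighbours in XOR space plus the next node in
    sorted ID order; that ring link guarantees the toy network is connected.
    """
    rng = random.Random(seed)
    ids = sorted(rng.getrandbits(ID_BITS) for _ in range(n))
    nodes = {i: Node(i) for i in ids}
    for idx, nid in enumerate(ids):
        nearest = sorted((o for o in ids if o != nid),
                         key=lambda o: xor_distance(o, nid))[:K - 1]
        successor = ids[(idx + 1) % n]
        nodes[nid].peers = list(set(nearest) | {successor})
    return nodes


def crawl(nodes, bootstrap):
    """Enumerate the network starting from one known peer.

    Every discovered peer is asked for peers near its own ID and near the far
    end of the ID space; anything new goes on the queue. The walk stops when no
    query returns an unseen peer, which gives a census of the reachable network.
    Returns (set of peer IDs found, number of queries sent).
    """
    seen = {bootstrap}
    queue = [bootstrap]
    queries = 0
    while queue:
        current = queue.pop()
        for target in (current, current ^ ((1 << ID_BITS) - 1)):
            queries += 1
            for peer in nodes[current].find_node(target):
                if peer not in seen:
                    seen.add(peer)
                    queue.append(peer)
    return seen, queries


if __name__ == "__main__":
    net = build_network(300)
    found, queries = crawl(net, min(net))
    print("nodes in simulated network:", len(net))
    print("nodes found by crawl: %d after %d queries" % (len(found), queries))
```

Against a live botnet the count is only an estimate: peers behind NAT or offline at crawl time are missed, and peers that churn during the walk are counted once per ID, which is why Stewart's figures are described as "fairly accurate" rather than exact.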

Not perfect
Lately, though, Storm has been evolving yet again. This time it's isolating its network further from general Internet traffic by encrypting packets with an embedded key and a simple XOR. It also has been changing its initial infection packing or compression process. The outer layers change every 10 minutes, while the interior bot code changes packing more on the order of once a month. Neither the packing nor the encryption has so far defeated security researchers.

One consequence of the encryption, from the defender's point of view, is that Storm's handlers could now segment parts of their network, that is, rent or sell off pieces of the botnet to others. Although speculation about segmentation has been widespread, Stewart says he has not observed it.

In addition to Stewart's research, see Brandon Enright's report for another detailed look at the structure of this venerable botnet.

June 30, 2008 3:36 PM PDT

SecureWorks unmasks the Coreflood Trojan

by Robert Vamosi

On Monday, SecureWorks released its analysis of the Coreflood Trojan, providing an inside look at a stealthy online predator.

According to a blog post by Joe Stewart, director of malware research for SecureWorks, Coreflood started out as an IRC (Internet relay chat) botnet back in 2002. Coreflood--or AFcore, as the author refers to it within the code--is apparently viewed by its author as corporate software that can be tweaked as business needs change. For example, over the last six years, Coreflood has evolved from launching distributed denial-of-service attacks to collecting IDs and passwords for bank fraud.

With the help of Spamhaus, an antispam organization, SecureWorks was able to gain the cooperation of the provider hosting one of Coreflood's command-and-control servers. What Stewart found was not only source code but 50 gigabytes of compressed data, searchable in a MySQL database.

Within it were 378,758 unique bot IDs over a 16-month period. Logged was the time-stamped lifecycle--from infection to removal--of each compromised computer. Stewart found the average to be about 66 days.

The other finding was that many computers within a single company would get infected. That is not surprising in itself, but the time stamps give an insight into the growth of bots within corporate networks and government agencies.

The graph shows how a state policy agency was infected with Coreflood from April 2007 through January 2008.

(Credit: SecureWorks)
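The kind of analysis behind the 66-day average and the per-organization growth graph, as an added example that is not SecureWorks' code and does not use their data: an in-memory SQLite table in the shape described above (one row per bot ID, with the Windows registered owner the bot reported and its first and last check-in dates), plus the queries that give the mean infection lifetime, the month-by-month spread inside one organization and the number of machines still active on a given day. The column names and the six sample rows are constructed for this example.

```python
import sqlite3

# Constructed sample rows: (bot_id, registered owner, first_seen, last_seen).
# Owners, IDs and dates are invented; the shape mirrors the C&C database.
SAMPLE_BOTS = [
    ("b001", "Example State Agency", "2007-04-03", "2007-06-10"),
    ("b002", "Example State Agency", "2007-04-20", "2007-07-01"),
    ("b003", "Example State Agency", "2007-05-14", "2007-08-02"),
    ("b004", "Example State Agency", "2007-05-30", "2007-07-05"),
    ("b005", "Home User",            "2007-06-01", "2007-08-20"),
    ("b006", "Example Bank Corp",    "2007-11-11", "2008-01-31"),
]


def load(rows):
    """Build an in-memory table from (bot_id, owner, first_seen, last_seen) rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE bots (bot_id TEXT PRIMARY KEY, owner TEXT, "
        "first_seen TEXT, last_seen TEXT)"
    )
    conn.executemany("INSERT INTO bots VALUES (?, ?, ?, ?)", rows)
    return conn


def average_lifetime_days(conn):
    """Mean infection-to-removal time; julianday() turns ISO dates into day numbers."""
    (avg,) = conn.execute(
        "SELECT AVG(julianday(last_seen) - julianday(first_seen)) FROM bots"
    ).fetchone()
    return avg


def new_infections_per_month(conn, owner):
    """How fast the bot spread inside one organisation, by month of first check-in."""
    return conn.execute(
        "SELECT substr(first_seen, 1, 7) AS month, COUNT(*) FROM bots "
        "WHERE owner = ? GROUP BY month ORDER BY month",
        (owner,),
    ).fetchall()


def active_on(conn, owner, day):
    """Number of an organisation's machines still checking in on a given ISO date."""
    (n,) = conn.execute(
        "SELECT COUNT(*) FROM bots WHERE owner = ? AND first_seen <= ? AND last_seen >= ?",
        (owner, day, day),
    ).fetchone()
    return n


def owners_ranked(conn):
    """Organisations ordered by how many of their machines appear in the database."""
    return conn.execute(
        "SELECT owner, COUNT(*) AS n FROM bots GROUP BY owner ORDER BY n DESC, owner"
    ).fetchall()


if __name__ == "__main__":
    conn = load(SAMPLE_BOTS)
    print("average lifetime: %.1f days" % average_lifetime_days(conn))
    print("spread inside agency:", new_infections_per_month(conn, "Example State Agency"))
    print("agency bots active on 2007-06-01:",
          active_on(conn, "Example State Agency", "2007-06-01"))
    print("owners:", owners_ranked(conn))
```

Grouping on the registered-owner string is exactly what makes the owner lookup in the bot worth the gang's while: it is the same field that lets an analyst see, after the fact, which organizations were hit and how quickly the infection spread through each of them.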

What Stewart found by looking at the log files is that Coreflood would enter a network via a drive-by browser exploit, download a copy of its installer, then spread using PsExec, a legitimate remote-administration tool from Microsoft's Sysinternals suite. If a user with domain administrator rights logged on to the infected machine, the malware used those credentials to execute the malicious file ie1823en.exe on every computer within that domain.

"Mitigating the problem of malware using domain administrator credentials is harder," wrote Stewart. "It is not really possible to disable this feature without removing the ability of authorized users to remotely administer workstations entirely (including the ability to push needed updates to all computers in the domain)." SecureWorks is aware of one other bot that uses this technique, and expects other bots to use it in the future.

Stewart concludes: "It falls upon the domain administrator to be aware of this tactic and be increasingly aware of the security of not only his/her workstation, but any workstation accessed with administrator credentials."
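Since the spreading technique cannot be disabled without breaking legitimate remote administration, the practical answer is to watch for it. The following is an added example, not SecureWorks' code or anything from the Coreflood analysis: two detection rules run over constructed, normalized Windows event records. The first matches PsExec's default service name (PSEXESVC) in System-log event 7045, "A service was installed in the system", which PsExec raises on every machine it touches. The second ignores names and flags any one account that installs services on several distinct hosts within a short window, which is what a push to the whole domain looks like whatever the service is called. The hosts, account names, timestamps, the JSON field names and the renamed-service record are all invented for the example.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, normalised event records (invented hosts, accounts and times).
# id 7045: System log "A service was installed in the system" (PsExec's default
# service name is PSEXESVC). id 4624 with logon_type 3: a network logon.
# WS05 shows PsExec run with a renamed service, which the name rule misses.
SAMPLE_LOG = r"""
{"time": "2007-04-03T08:00:00", "host": "WS07", "id": 7045, "account": "CORP\\svc.sccm", "service": "CcmExec", "image": "C:\\Program Files\\SMS\\CcmExec.exe"}
{"time": "2007-04-03T09:12:00", "host": "WS01", "id": 4624, "account": "CORP\\da.admin", "logon_type": 3}
{"time": "2007-04-03T09:12:01", "host": "WS01", "id": 7045, "account": "CORP\\da.admin", "service": "PSEXESVC", "image": "%SystemRoot%\\PSEXESVC.exe"}
{"time": "2007-04-03T09:12:04", "host": "WS02", "id": 7045, "account": "CORP\\da.admin", "service": "PSEXESVC", "image": "%SystemRoot%\\PSEXESVC.exe"}
{"time": "2007-04-03T09:12:09", "host": "WS03", "id": 7045, "account": "CORP\\da.admin", "service": "PSEXESVC", "image": "%SystemRoot%\\PSEXESVC.exe"}
{"time": "2007-04-03T09:12:15", "host": "WS04", "id": 7045, "account": "CORP\\da.admin", "service": "PSEXESVC", "image": "%SystemRoot%\\PSEXESVC.exe"}
{"time": "2007-04-03T09:12:22", "host": "WS05", "id": 7045, "account": "CORP\\da.admin", "service": "renamed-svc", "image": "%SystemRoot%\\renamed-svc.exe"}
"""


def parse_events(text):
    """One JSON object per line; blank lines are skipped."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def psexec_service_installs(events):
    """Name-based rule: service installs that look like PsExec's default service.

    Cheap and precise, but blind to PsExec started with a renamed service.
    """
    hits = []
    for e in events:
        if e.get("id") != 7045:
            continue
        name = e.get("service", "").upper()
        image = e.get("image", "").upper()
        if name == "PSEXESVC" or image.endswith("\\PSEXESVC.EXE"):
            hits.append(e)
    return hits


def fan_out_alerts(events, min_hosts=3, window=timedelta(minutes=10)):
    """Behaviour-based rule: one account installing services on min_hosts or more
    distinct machines inside `window` is the signature of a push to the domain.

    Returns a list of (account, first install time, sorted tuple of hosts).
    """
    installs = defaultdict(list)
    for e in events:
        if e.get("id") == 7045:
            installs[e["account"]].append((datetime.fromisoformat(e["time"]), e["host"]))
    alerts = []
    for account, items in installs.items():
        items.sort()
        for i, (start, _) in enumerate(items):
            hosts = sorted({h for t, h in items[i:] if t - start <= window})
            if len(hosts) >= min_hosts:
                alerts.append((account, start.isoformat(), tuple(hosts)))
                break
    return alerts


if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG)
    for e in psexec_service_installs(events):
        print("PSEXESVC install on %s by %s at %s" % (e["host"], e["account"], e["time"]))
    for account, start, hosts in fan_out_alerts(events):
        print("fan-out: %s installed services on %d hosts from %s" % (account, len(hosts), start))
```

The two rules complement each other: the name rule is the quick win, and the fan-out rule catches the renamed case and any other tool that pushes a service to many workstations under one set of domain administrator credentials, which is exactly the trap Stewart describes. Legitimate software-deployment accounts will trip the second rule too, so whitelist those accounts rather than loosening the threshold.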


About Defense in Depth

Covering computer viruses and computer crime, Robert Vamosi goes beyond the hype to provide you with expert interviews of the top security researchers, as well as offering the hands-on, nontechnical advice you'll need to stay safe online.
