Defense in Depth

In February of 2005, a Miami man sued Bank of America for not adequately protecting him against a $90,000 fraudulent wire transfer to the Parex Bank in Latvia. Joe Lopez was the first online user to sue his financial institution for not protecting his assets from a computer hacker.

Lopez, owner of a computer and copier supply business, accused Bank of America of negligence and breach of contract for not alerting him in advance to the existence of a piece of malware known as "Coreflood" prior to April 6, 2004, when the alleged theft took place.

Shortly after the wire transfer occurred, a sum of $20,000 was withdrawn from Parex by unknown individuals, according to the complaint filed in court. The remaining $70,000 was, however, frozen by Latvian banking authorities. Bank of America has since settled this case; neither side has revealed the terms.

"I had probably heard the news about Joe Lopez, but (until recently), I hadn't thought twice about the whole Coreflood episode of a few years ago," admitted Joe Stewart, director of Malware Research at SecureWorks, when I spoke to him at last summer's Black Hat conference in Las Vegas.

In particular, Stewart recalled hearing that the U.S. Secret Service had found evidence of Aflood or Coreflood on the Lopez computer.

"The Secret Service actually named Coreflood. That was very surprising. Normally, we don't get the final tally. We don't know who's account got stolen. It's very unusual to actually have a victim that is public, and everybody knows exactly what (was) taken."

Unlike a lot of bots and botnets, most of which exist primarily to relay spam, Stewart said Coreflood has a different agenda: "Its goal is to steal the data directly from users." The much more popular Storm botnet, he said, is more of a nuisance. "Coreflood has a real financial impact for people like Joe Lopez."

Who's behind Coreflood? Stewart declines to say, but in an interview in The New York Times, he suggested that the gang responsible was based somewhere in Russia. He would not tell me the name of the group because of ongoing criminal investigations.

In this video, Stewart talks about what first drew him to study the Coreflood botnet.

When Stewart heard about Lopez, he renewed his research on the Coreflood. With the help of Spamhaus, an antispam organization, Stewart and SecureWorks were able to gain cooperation from a Wisconsin-based provider of one of the command and control centers for the botnet. What he found was not only the bot's source code but also 50 gigabytes of compressed data, searchable in a MySQL database.

Within that database were 378,758 unique bot IDs over a 16-month period. There, for everyone to see, was the time-stamped life cycle--from infection to removal--of each compromised computer. Stewart found the average to be about 66 days.

The graph shows how one state policy agency was infected with Coreflood from April 2007 through January 2008.

(Credit: SecureWorks)

Apparently, Coreflood would enter a network via a drive-by browser exploit, download a copy of the installer, then run PcExec, a legitimate Windows administration tool available from Microsoft.

"It could happen to anybody," Stewart said, "any user who happened to go to the wrong site." If the user also happened to be on the corporate network when that happens, the bot is then able to take advantage of that structure and is able to be a threat to everyone on that network.

"So it's not so much a targeted attack," Stewart said. "But I think they have intentionally set a trap for the domain administrator and are leveraging that in order to have access to the entire company."

Later, the criminal gang responsible for the attack can find out which company it has infected by looking into the registry of the infected computer. "They pull out of the registry a separate request to say who is the registered owner the Windows license. They ship that information back up to the botnet controller."

Just looking at that one C&C server in Wisconsin, Stewart estimates that the gang responsible has infected more than 35,000 domains. It may sell those Web mail accounts to a spammer, because spammers love Web mail accounts. But over the years, Coreflood seems to have targeted only banks. Stewart knows this from the forensic evidence he's collected.

In this video, Stewart talks about digital forensics and what it can tell us about botnets such as Coreflood.

Within the 50GB file, Stewart was able to discern how the thieves culled the data. He said they run a test script against that data that will log via a proxy into the bank using the credentials captured, say, by a keylogging application. The Coreflood script will then capture the HTML data on the post-log-in page.

In most cases, that page also contains the account's bank balance. This is so that after running the test, the hackers have a picture of what the highest dollar amounts are, he said.

"I don't know whether they steal from all of them. We don't have access to the accounts; the bank is not going to tell us how much was stolen out of any given account," he said. "We're not going to get that information, but we know they're actively logging and checking accounts to collect the balance data. The only reason (the script) can see that data is to target the biggest accounts first."

Coreflood does not take a screenshot, Stewart said, but rather scrapes the text out of the HTML. "When they run these tools, it leaves a log file behind, and all the post log-in (data)...are saved in that directory. So we have all of the account balances. So we can parse out what everyone's balance is and see actually how much (the thieves) had access to at any one institution."

In this video, Stewart talks about why Coreflood has been around since 2001, yet hardly anyone has been talking about it.

The problem is that Coreflood has been around since 2001.

"It's unique in that's been around for so long," Stewart said. Moreover, it's unusual that it seems to have been maintained by the same group, "not something that's been sold to another group," as is the case with some botnets.

The way it's managed to evade detection, Stewart said, is that it hasn't really crept high on anyone's list of botnets. "It's not on anyone's radar." Yet it's managed to seriously impact some enterprises that use Windows domains. In companies that have been hit, every employee is potentially sending everything they do back to these guys in Russia.

"To me, (Coreflood) is far more insidious because it doesn't get the attention," said Stewart. Unlike Storm, Coreflood is not constantly in your face. "You're not seeing new social-engineering campaigns every week, not seeing a new news article about it every week talking about all the great innovations the peer-to-peer thing has now. It's been quiet, and just does a few things, and tries not to garner any attention."

So the story of Lopez is significant. It's a tangible event about how online criminals are actually affecting people. It illustrates how much money got taken from an actual bank account, and the real impact on the victim's life. Unfortunately, there are many more botnets--and many more victims to talk about.

Recent e-mails stating that the U.S. has already attacked Iran and, in some cases, also offering links to a video purportedly from a soldier, are not to be believed, according to Websense. The security vendor said in an advisory Wednesday that it has linked the provocative e-mails to the Storm worm.

Storm got its name because it first took advantage of a huge winter storm in Northern Europe in early 2007. Since then, it has used a variety of social engineering tricks, including the use of political themes, to get unsuspecting users to open its malicious payload.

This time Storm is offering form.exe and iran_occupation.exe as executable payloads.

Acording to Dancho Danchev over at ZDNet, the latest iteration of Storm appears to be using the following domains:

• statenewsworld . com
• morenewsonline . com
• dailydotnews . com
• dotdailynews . com
• newsworldnow . com

A link from one of the Storm worm e-mails leads to this page.

(Credit: Websense)

While Operation CyberStorm is intended to improve our ability to defend against a foreign cyberattack, the Air Force is talking openly about our ability to launch a preemptive attack in cyberspace.

In the May 2008 issue of Armed Forces Journal, Col. Charles W. Williamson III wrote that "America needs a network that can project power by building an af.mil robot network (botnet) that can direct such massive amounts of traffic to target computers that they can no longer communicate and become no more useful to our adversaries than hunks of metal and plastic. America needs the ability to carpet bomb in cyberspace to create the deterrent we lack."

He argues, "The time for fortresses on the Internet also has passed, even though America has not recognized it. Now, the only consequence for an adversary who intrudes into or attacks our networks is to get kicked out--if we can find him and if he has not installed a hidden back door. That is not enough."

He concludes: "While America must harden itself in cyberspace, we cannot afford to let adversaries maneuver in that domain uncontested. The af.mil botnet brings the capability to help defeat an enemy attack or hit him before he hits our shores."

"Although it's hard to prove it," said Yuval Ben-Itzhak, CTO at Finjin, "I believe the cyberspace is already in use by various governments for intelligence purposes. The disclosure that the Air Force plans to have offensive cybertools should not surprise us since many systems rely on the Internet to operate/communicate." He added that someone will also need to make sure these systems can be protected when needed.

That's a sentiment echoed by Dancho Danchev, who offers some insight on ZDNet. Among his observations is that these systems can be spoofed or otherwise fooled. For example, attacks against the U.S. may appear to originate in a country that the enemy wants us to DDoS (perhaps for them).

Over on F-Secure, a poll of readers worldwide showed on Thursday that nearly 70 percent of the respondents feel the U.S. should not build its own offensive botnet.

On Thursday, MessageLabs reported in its April Intelligence Report a marked decrease in the number of malware links connected to the Storm botnet. "It's not too often that a security company says that things are getting better," said Mark Sunner, Chief Security Analyst.

At its peak, Sunner said, the Storm botnet resided upon one million computers worldwide. That number has since come down to between 85,000 IP addresses at the end of April. He said that over the last eighteen months Storm has been constant, and never decreased according to MessageLabs research. "Other security companies have reported decreases in the past," he said because of different methods of studying the botnet, "but this is first decrease we've seen."

He credited the most recent patches from Microsoft with the decline. He said that in the weeks following the most recent Patch Tuesday there was a sharp drop off.

Given that the creators of Storm managed and maintained a constant flood of variations for more than one year, it's a little odd that they would just take their money and walk away. Sunner said that they are seeing an increase in Srizbi, named for the one of the Web sites from which is downloaded. A Trojan, Srizbi uses rootkit technology to hide on an infected machine but, like Storm, it is also known to relay spam.

Owen Thor Walker, an 18-year-old bot herder from Whitianga, New Zealand, plead guilty on Monday to six charges resulting from a botched botnet upgrade that led to a 2007 denial-of-service attack on the University of Pennsylvania.

Walker plead guilty to two charges of accessing a computer for dishonest purposes; two charges of accessing computer systems without authorization; one of damaging or interfering with computer systems; and one of possessing software for committing a crime. He could face five years in jail. However, according to reports from The New Zealand Herald, Judge Arthur Tompkins is considering Walker's age and cooperation with authorities and could recommend home detention or community service instead. Sentencing will take place May 28.

Walker, who uses the online name "AKill," was arrested last November as part of the FBI's Operation Botroast II, along with Ryan Brett Goldstein, 21, of Ambler, Penn. Walker and Goldstein allegedly caused a distributed denial-of service attack on the University of Pennsylvania this past summer that cost the school nearly $13,000 to mitigate. Apparently the DoS attack was unintentional.

According to various reports, Walker said he was attempting to upgrade his botnet code when a glitch took down his network. A botnet consists of thousands of infected computers worldwide that can spew spam, assist in a denial-of-service attack on a target, or spread new versions of the originating worm. From a central point, called a command and control center, a bot herder can send new code to those infected computers.

After the FBI identified AKill as Walker, it worked with New Zealand authorities who uncovered a series of deposits in the Netherlands. Working with Dutch authorities, investigators pieced together that Walker's botnet had earned an estimated $32,000 from adware vendors. Walker used the money to invest in his parent's taxi cab company, and computer equipment.

Home-schooled, Walker, who is also known online as "Snow Whyte" and "Snow Walker," taught himself computer programming and encryption, and met up with other malware writers online. He may have first contacted Goldstein in an online chat room.

(Credit: Jose Nazario, Arbor Networks)

Don't click on that silly April Fools' Day e-mail, says one security expert.

In a blog, Arbor Networks' Jose Nazario reports that within the last 24 hours he's seeing new releases of the Storm worm designed to take advantage of the first day of April. This new spam campaign is a lure to infect new computers that will become part of the larger Storm worm botnet.

The e-mail body is spartan: the words "Doh! April Fools" followed by a numeric URL. If a user clicks on that URL, the default Internet browser will open to a page with a cartoon character. A download is supposed to start within five seconds and, according to the message, "If your download does not start, click here and then press 'Run.'"

The compromised computer will then install the downloaded file as C:\WINDOWS\aromis.exe. Nazario reports that the botnet file opens the firewall using the netsh firewall set command, makes a lot of outbound connections, then listens on a random UDP port.

The FBI is warning that Valentine's Day e-mails you see this year might be coming not from loved ones, but from the Storm worm botnet. In a press release Tuesday, the FBI warns users to be on the lookout for e-mail that "directs the recipient to click on a link to retrieve the electronic greeting card (e-card). Once the user clicks on the link, malware is downloaded to the Internet-connected device and causes it to become infected and part of the Storm worm botnet."

Dr. Jose Nazario of Arbor Networks said the authors of Storm have launched a carefully orchestrated series of lure campaigns to bring new members into the network. One of them is Valentine's Day-themed. Nazario said the creators of Storm have in recent weeks "grown the network by as much as 50 percent."

Nazario blamed fresh spam and incomplete antivirus protection on users' desktops for the new botnet infections.

"Generally speaking, when you only have something like 25 percent or less who are updated with the current patches and Best Practices in AV software, it doesn't really matter. You can be caught up with the latest AV fix, but if other people aren't really applying it, it doesn't really matter."

If you don't have antivirus protection, get some. See CNET's latest antivirus performance test results here. If you already have an antivirus product installed, make sure your subscription and the data files are both up to date.

Last week, the FBI announced the end of the second phase of Operation Bot Roast, an ongoing investigation into botnets, and the criminal activity associated with them. I recently asked Dr. Jose Nazario of Arbor Networks where in the world the bot herders, the people who control the botnets, might be. Here are some excerpts:

We see a few major groups. We see Americans and Western Europeans often interested in using the botnet to make money either directly or indirectly by selling services, or stealing information from those botnets to sell and use credit card information bank information, etc.

There are some botnets out of South America, but mostly South America seems dominated by the Brazilian, what folks used to call the banker Trojan, the browser helper object that steals information right out of the browser from banks from online banking or e-commerce transactions. Some of the more high-profile botnets we've dubbed TeamUSA and Peruvian Power. These have been long running and relatively successful. But they're not exactly household names.

The botnet community is also taking off in the Russian language part of the Internet. Lately I've been watching a lot of DDoS attacks come out of Russia, commanded by Russians. Possibly for pay, as retribution, or as punishment to those who try an stop some of the other illegal activities, such as fraud and theft.

I have been tracking lately Russian DDoS bot code run by different groups. The code itself is bought and shared between them. One of the big ones is a code base called Black Energy. The author is a Russian language speaker who offers his help files and other things in the Russian language and sells it on the Russian language forums anywhere from $40 on up. Black Energy is strictly a DDoS botnet

We have watched some botnets from China but I don't see a whole lot of botnet activity coming out of there.

You can read more of Nazario's comments in this Security Watch column. And you hear more of my interview with Dr. Nazario in this Security Bites podcast.