In February of 2005, a Miami man sued Bank of America for not adequately protecting him against a $90,000 fraudulent wire transfer to the Parex Bank in Latvia. Joe Lopez was the first online user to sue his financial institution for not protecting his assets from a computer hacker.
Lopez, owner of a computer and copier supply business, accused Bank of America of negligence and breach of contract for not alerting him in advance to the existence of a piece of malware known as "Coreflood" prior to April 6, 2004, when the alleged theft took place.
Shortly after the wire transfer occurred, a sum of $20,000 was withdrawn from Parex by unknown individuals, according to the complaint filed in court. The remaining $70,000 was, however, frozen by Latvian banking authorities. Bank of America has since settled this case; neither side has revealed the terms.
"I had probably heard the news about Joe Lopez, but (until recently), I hadn't thought twice about the whole Coreflood episode of a few years ago," admitted Joe Stewart, director of Malware Research at SecureWorks, when I spoke to him at last summer's Black Hat conference in Las Vegas.
In particular, Stewart recalled hearing that the U.S. Secret Service had found evidence of Aflood or Coreflood on the Lopez computer.
"The Secret Service actually named Coreflood. That was very surprising. Normally, we don't get the final tally. We don't know whose account got stolen. It's very unusual to actually have a victim that is public, and everybody knows exactly what (was) taken."
Unlike a lot of bots and botnets, most of which exist primarily to relay spam, Stewart said Coreflood has a different agenda: "Its goal is to steal the data directly from users." The much more popular Storm botnet, he said, is more of a nuisance. "Coreflood has a real financial impact for people like Joe Lopez."
Who's behind Coreflood? Stewart declines to say, but in an interview in The New York Times, he suggested that the gang responsible was based somewhere in Russia. He would not tell me the name of the group because of ongoing criminal investigations.
In this video, Stewart talks about what first drew him to study the Coreflood botnet.
When Stewart heard about Lopez, he renewed his research on Coreflood. With the help of Spamhaus, an antispam organization, Stewart and SecureWorks were able to gain cooperation from a Wisconsin-based provider of one of the command and control centers for the botnet. What he found was not only the bot's source code but also 50 gigabytes of compressed data, searchable in a MySQL database.
Within that database were 378,758 unique bot IDs over a 16-month period. There, for everyone to see, was the time-stamped life cycle--from infection to removal--of each compromised computer. Stewart found the average to be about 66 days.
The graph shows how one state policy agency was infected with Coreflood from April 2007 through January 2008. (Credit: SecureWorks)
Apparently, Coreflood would enter a network via a drive-by browser exploit, download a copy of the installer, then run PsExec, a legitimate Windows administration tool available from Microsoft.
"It could happen to anybody," Stewart said, "any user who happened to go to the wrong site." If that user also happens to be on the corporate network at the time, the bot can take advantage of that structure and become a threat to everyone on the network.
"So it's not so much a targeted attack," Stewart said. "But I think they have intentionally set a trap for the domain administrator and are leveraging that in order to have access to the entire company."
Later, the criminal gang responsible for the attack can find out which company it has infected by looking into the registry of the infected computer. "They pull out of the registry a separate request to say who is the registered owner of the Windows license. They ship that information back up to the botnet controller."
Just looking at that one C&C server in Wisconsin, Stewart estimates that the gang responsible has infected more than 35,000 domains. The gang may sell harvested Web mail accounts to a spammer, because spammers love Web mail accounts. But over the years, Coreflood seems to have targeted only banks, which Stewart knows from the forensic evidence he has collected.
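The kind of analysis the C&C database made possible, as an added example that is not SecureWorks' or Stewart's code: given per-bot check-in records carrying the reported Windows "registered owner" string, it reconstructs each bot's infection-to-removal window, the average lifetime, and the month-by-month infection count for one organization (the shape of the graph above). The record layout and every sample row are constructed for illustration.

```python
# Added example, not code from the article or from SecureWorks. Record
# layout "bot_id,registered_owner,timestamp" and all rows are constructed.
from collections import defaultdict
from datetime import datetime
from statistics import mean

# Constructed check-in log: one line per bot beacon to the C&C server.
SAMPLE_CHECKINS = """\
b001,State Policy Agency,2007-04-03T08:15:00
b001,State Policy Agency,2007-05-20T09:00:00
b001,State Policy Agency,2007-06-10T11:30:00
b002,State Policy Agency,2007-04-18T13:00:00
b002,State Policy Agency,2007-07-18T13:00:00
b003,Copier Supply Co,2007-09-01T10:00:00
b003,Copier Supply Co,2007-11-25T10:00:00
b004,State Policy Agency,2008-01-05T07:45:00
b004,State Policy Agency,2008-01-25T07:45:00
"""

def parse_checkins(text):
    """Return {bot_id: (registered_owner, [timestamps])}; malformed rows are skipped."""
    bots = {}
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 3:
            continue  # tolerate blank or damaged rows in a recovered dump
        bot_id, owner, ts = parts
        entry = bots.setdefault(bot_id, (owner, []))
        entry[1].append(datetime.fromisoformat(ts))
    return bots

def lifetimes_days(bots):
    """Days from first to last check-in per bot: the infection-to-removal window."""
    return {bid: (max(ts) - min(ts)).days for bid, (_, ts) in bots.items()}

def average_lifetime_days(bots):
    return mean(lifetimes_days(bots).values())

def infections_per_month(bots, owner):
    """New infections per month ('YYYY-MM') for one registered-owner string."""
    counts = defaultdict(int)
    for own, ts in bots.values():
        if own == owner:
            counts[min(ts).strftime("%Y-%m")] += 1
    return dict(sorted(counts.items()))

def bots_per_owner(bots):
    """How many distinct bots each organization contributed to the botnet."""
    counts = defaultdict(int)
    for own, _ in bots.values():
        counts[own] += 1
    return dict(counts)
```

Grouping by the registered-owner string is what lets a responder turn an anonymous bot ID list into a list of affected organizations to notify.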
In this video, Stewart talks about digital forensics and what it can tell us about botnets such as Coreflood.
Within the 50GB file, Stewart was able to discern how the thieves culled the data. He said they run a test script against that data that logs into the bank via a proxy, using credentials captured, say, by a keylogging application. The Coreflood script then captures the HTML of the post-log-in page.
In most cases, that page also contains the account's bank balance. This is so that after running the test, the hackers have a picture of what the highest dollar amounts are, he said.
"I don't know whether they steal from all of them. We don't have access to the accounts; the bank is not going to tell us how much was stolen out of any given account," he said. "We're not going to get that information, but we know they're actively logging and checking accounts to collect the balance data. The only reason (the script) can see that data is to target the biggest accounts first."
Coreflood does not take a screenshot, Stewart said, but rather scrapes the text out of the HTML. "When they run these tools, it leaves a log file behind, and all the post log-in (data)...are saved in that directory. So we have all of the account balances. So we can parse out what everyone's balance is and see actually how much (the thieves) had access to at any one institution."
In this video, Stewart talks about why Coreflood has been around since 2001, yet hardly anyone has been talking about it.
The problem is that Coreflood has been around since 2001.
"It's unique in that it's been around for so long," Stewart said. Moreover, it's unusual that it seems to have been maintained by the same group, "not something that's been sold to another group," as is the case with some botnets.
The way it's managed to evade detection, Stewart said, is that it hasn't really crept high on anyone's list of botnets. "It's not on anyone's radar." Yet it's managed to seriously impact some enterprises that use Windows domains. In companies that have been hit, every employee is potentially sending everything they do back to these guys in Russia.
"To me, (Coreflood) is far more insidious because it doesn't get the attention," said Stewart. Unlike Storm, Coreflood is not constantly in your face. "You're not seeing new social-engineering campaigns every week, not seeing a new news article about it every week talking about all the great innovations the peer-to-peer thing has now. It's been quiet, and just does a few things, and tries not to garner any attention."
So the story of Lopez is significant. It's a tangible event about how online criminals are actually affecting people. It illustrates how much money got taken from an actual bank account, and the real impact on the victim's life. Unfortunately, there are many more botnets--and many more victims to talk about.
Last summer, Sen. Barack Obama's presidential-campaign computers came under cyberattack from an "unknown entity." His machines weren't alone; John McCain's computers were also attacked, according to a report appearing Wednesday on the site of Newsweek magazine.
The Obama attack was initially thought to be a piece of malware downloaded from a phishing site. Newsweek reports that "the next day, both the FBI and the Secret Service came to the campaign with an ominous warning: 'You have a problem way bigger than what you understand,' an agent told them. 'You have been compromised, and a serious amount of files have been loaded off your system.'"
The McCain campaign's computer system was also compromised over the summer. Newsweek confirmed with a top McCain official that the FBI had become involved. A federal investigation into both attacks is under way.
According to Newsweek Editor at Large Evan Thomas, the FBI and White House officials told the Obama campaign that a foreign entity or organization was likely responsible, not political opponents. Independently, Obama technical experts have speculated that the hackers were Russian or Chinese. The files accessed appear to be policy-related and thus potentially useful in future negotiations with a new presidential administration.
Earlier this year, during the primaries, an online prank had the Obama campaign site redirected to Sen. Hillary Clinton's campaign site.
The Newsweek report is part of a special edition that will be on newsstands November 6 through 16, and online November 5 through 7.
On Thursday, MessageLabs reported in its April Intelligence Report a marked decrease in the number of malware links connected to the Storm botnet. "It's not too often that a security company says that things are getting better," said Mark Sunner, Chief Security Analyst.
At its peak, Sunner said, the Storm botnet resided upon one million computers worldwide. That number had come down to 85,000 IP addresses at the end of April. He said that over the last eighteen months Storm had been constant and, according to MessageLabs research, had never decreased. "Other security companies have reported decreases in the past," he said, because of different methods of studying the botnet, "but this is the first decrease we've seen."
He credited the most recent patches from Microsoft with the decline. He said that in the weeks following the most recent Patch Tuesday there was a sharp drop off.
Given that the creators of Storm managed and maintained a constant flood of variations for more than one year, it's a little odd that they would just take their money and walk away. Sunner said that they are seeing an increase in Srizbi, named for one of the Web sites from which it is downloaded. A Trojan, Srizbi uses rootkit technology to hide on an infected machine but, like Storm, it is also known to relay spam.
Users of Microsoft Windows Live OneCare may have found their antivirus protection a little too proactive. Over the weekend, OneCare informed some Skype users that the popular voice-over-IP application was infected with the Trojan Win32/Vundo.gen!D.
Not true, says Skype, which noted that Microsoft has since repaired its overzealous signature file.
On Friday, OneCare subscribers started seeing their access to Skype blocked. Microsoft says it was trying to block a multiple-component family of programs that deliver "out of context" pop-up advertisements, and mistakenly included Skype.
On Tuesday, four days later, it sent out a revised signature file for Win32/Vundo.gen!D that did not include Skype.
Corrected at 6:50 a.m. PDT March 26: The last paragraph has been revised to correctly describe a second antivirus partnership.
The Anti-Malware Test Lab and AV-Comparatives.org announced on Tuesday an alliance designed to create one of the most respected sources of objective, independent information about antivirus products.
Together, the pair said, they intend by year's end to create a unique system of integrated tests for determining the effectiveness of commercial antivirus software.
Andrea Clementi, founder of AV-Comparatives, said in a statement that "the partnership with Anti-Malware Test Lab will allow us to evaluate more aspects of antivirus software and to offer users a more comprehensive independent view of various security products."
Clementi further hinted that if this alliance works out, there may be additional alliances of independent antivirus software-testing labs.
"I'm sure that our partnership will act as a driving force for the development of the industry as a whole," said Sergey Ilyin, founder of Anti-Malware Test Lab. Anti-Malware Test Lab is an independent Russian test laboratory, a subsidiary of Anti-Malware.ru. The laboratory is best known for testing active infection treatments, antivirus heuristics, and anti-rootkit protection.
This is the second partnership of antivirus-testing organizations in recent months.
In January, various antivirus vendors, independent testing labs, and media outlets gathered in Spain to work toward creating the Anti-Malware Testing Standards Organization (AMTSO). That group includes vendors F-Secure, Kaspersky Lab, McAfee, Panda Software, and Symantec, and independent testing labs AV-Test.org and AV-Comparatives. The alliance announced on Tuesday is different, said Clementi, because it allows Anti-Malware.ru to share AV-Comparatives' test results.
Care should be taken when plugging holiday gift gadgets into your personal computer and laptop, said security researchers at Sans.org, Microsoft, and Kaspersky in recent blog posts. Reports of strange files being found on USB storage devices increased over the holiday season. Reporting Monday on the SANS' Internet Storm Center blog, director Marcus Sachs said, "In years past this would have been limited to iPods and USB memory sticks, but now it includes digital photo frames, GPS devices, external hard drives, and of course digital cameras."
The unofficial Sans.org investigation started on Christmas after researcher David Goldsmith received an ADS Digital Photo Frame - 8". He soon discovered that the built-in 128MB of storage included file cfhskjn.exe. When he tried running the mystery file, he received several error messages.
Others have noticed odd behavior with storage devices as well. Kaspersky reports purchasing a Kensington memory card in Nepal that contained Worm.VBS.Small.n, a computer worm. A second Kaspersky blog mentions the Victory LT-200, an MP3 player that includes (at no extra charge) the malware Worm.Win32.Fujack.aa.
Coincidentally, the January 2008 issue of Microsoft TechNet magazine includes a report on "island hopping", the act of using USB storage devices to infect personal computers. The author of the article, Jesper M. Johansson, said many USB controllers are Direct Memory Access (DMA) devices that bypass the operating system and directly read and write memory on the computer. "Bypass the OS and you bypass the security controls it provides--now you have complete and unfettered access to the hardware. This renders device control implemented by the OS completely ineffective. I am unaware of any hacking tools that currently use this technique, but I very much doubt that this has not already been done."
Kaspersky said most removable media exploits in the wild use the Windows autorun functionality. Kaspersky said the autorun vector is not perfect. In Windows XP SP2 the autorun.inf feature is disabled and the user is asked whether or not to run the file. A similar process occurs within Windows Vista. In both cases, however, researchers note that the user can still infect themselves by selecting Run setup.exe.