The "new" Coreflood botnet Trojan is actually not new at all. According to Joe Stewart, Director of Malware Research at SecureWorks, speaking at Black Hat 2008, he first encountered Coreflood in 2003 and began studying it then. He also stated in another video that Coreflood has likely been around since 2001, judging by comments in its own code...
What is new is the way the Feds are going about fighting this Trojan, which has infected, according to one estimate, one million Windows PCs. Read more and see the videos below...
See the mouse arrow in the screenshot of Joe being interviewed for where to fast forward to in the 2nd video (Black Hat 2008: Storm BotNet Update From Joe Stewart), where he talks about Coreflood (or just watch it all).
There are several interesting videos on Coreflood and other malware and Trojans below...
Don
Federal government shuts down massive botnet run out of North Texas and elsewhere, substitutes its own servers for bad guys' servers to identify victims and send warnings to ISPs
Botnets are nothing new. But the feds are responding to the latest, dubbed Coreflood, in a new way that involves replacing the bad guys' servers with their own and identifying each individual infected computer.
Botnets, as a reminder, are massive computer networks made up of systems that have been hacked by criminals, often using automated software. Getting infected with botnet software could be one consequence of clicking on one of the Epsilon emails, for example.
The botnets can be used either to steal money and personal data from individual users of each system, or to orchestrate larger attacks against the computer systems of companies and government agencies.
In this case, the Coreflood Botnet seemed to be about stealing money from individual users as well as companies, according to a Justice Department temporary restraining order filed in the U.S. district court in Connecticut on Tuesday. (Hat tip to Cnet for all the links.)
From a DoJ press release issued yesterday:
According to court filings, Coreflood is a particularly harmful type of malicious software that records keystrokes and private communications on a computer. Once a computer is infected with Coreflood, it can be controlled remotely from another computer, known as a command and control (C & C) server. A computer infected by Coreflood and subject to remote control is referred to as a "bot," short for "robot." According to information contained in court filings, the group of all computers infected with Coreflood is known as the Coreflood botnet, which is believed to have been operating for nearly a decade and to have infected more than two million computers worldwide.
Coreflood steals usernames, passwords and other private personal and financial information allegedly used by the defendants for a variety of criminal purposes, including stealing funds from the compromised accounts. In one example described in court filings, through the illegal monitoring of Internet communications between the user and the user's bank, Coreflood was used to take over an online banking session and caused the fraudulent transfer of funds to a foreign account.
More from...
http://www.justice.gov/opa/pr/2011/April/11-crm-466.html
The botnet is a network of hundreds of thousands of computers infected with a malicious software program known as Coreflood, which installs itself by exploiting a vulnerability in computers running Windows operating systems. Coreflood allows infected computers to be controlled remotely for the purpose of stealing private personal and financial information from unsuspecting computer users, including users on corporate computer networks, and using that information to steal funds.
The Department of Justice strongly encourages computer users to ensure they are using security software on their computers and that users regularly update their security and routinely scan their computers for viruses. To learn more about what you can do to protect your computer, including how to download and receive updates on security vulnerabilities, the public may go to the following sites operated by U.S. Computer Emergency Readiness Team (CERT) and the Federal Trade Commission, respectively: us-cert.gov/nav/nt01 and onguardonline.gov/topics/malware.aspx .
Read More...
http://techblog.dallasnews.com/archives/2011/04/federal-government-shuts-down.html
FBI Take Down: Coreflood Bot-Net
Video Link....
http://www.youtube.com/watch?v=c-7fGJTd2es
Black Hat 2008: Storm BotNet Update From Joe Stewart
Video Link...
http://www.youtube.com/watch?v=rIZS_zxHkHY
Joe Stewart on the CoreFlood botnet
Video Link...
http://www.youtube.com/watch?v=IpHzi2ZlpHU
Joe Stewart on the forensic exam of CoreFlood
Video Link...
http://www.youtube.com/watch?v=93L8QmhJWpc&feature=related
Joe Stewart on the stealth botnet CoreFlood
Video Link...
http://www.youtube.com/watch?v=57Fm07pfG38
Cyber Threat Report
Cyber Threat Report for April 14, 2011
04.18.11 The AT&T Malware team discusses the Coreflood takedown, Microsoft Patch Tuesday, the new Adobe patch and recent Internet activity anomalies.
Video Link...
http://techchannel.att.com/play-video.cfm/2011/4/18/Internet-Threat-Report-Internet-Threat-Report-for-April-14-2011
DEFCON 16: Malware RCE: Debuggers and Decryptor Development
Video Link...
http://www.youtube.com/watch?v=OZzu4JLPoUs
FBI takes on Coreflood botnet - but is this a step too far?
Quote... When infected PCs connected to the surrogate, the cops instructed the bot process to terminate, providing that the PC appeared to be in the US, and thus under their jurisdiction.
What made this court order a first in the US is that it gave law enforcement permission to interfere directly with computers belonging to users who weren't being investigated, or charged with any crime.
The motivation for this novelty was that the Coreflood bot family is notorious for exfiltrating data from infected PCs. As the FBI's Temporary Restraining Order puts it, Coreflood sets out:
to commit wire fraud and bank fraud in violation of Title 18, United States Code, Sections 1343 and 1344, and to engage in unauthorized interception of electronic communications in violation of Title 18, United States Code, Section 2511.
But the Electronic Frontier Foundation (EFF), a worldwide privacy advocacy group, expressed concerns about this sort of legally-endorsed interference. In particular, the EFF pointed out that there is something unappealing about sending commands of any sort to unknown malicious code on someone else's computer without their explicit permission.
This may sound like a petty objection - and perhaps, in the real world, it is - but unless you know exactly which variant of the bot is on each PC, there is always a potential risk with trying to use a bot against itself. What if the crooks have deliberately rewired the "stop" command to carry out a "format hard drive" operation instead?
Nevertheless, the FBI went ahead, and the exercise seems to have been a success. So much so, in fact, that the cops went back to court over the weekend to ask for the two-week court order to be extended for a further month.
Read More...
http://nakedsecurity.sophos.com/2011/04/28/fbi-takes-on-coreflood-botnet-step-too-far/
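The two gates the Sophos piece describes, geolocation (only PCs that appear to be in the US get the stop command) and the worry that an unknown variant may have rewired "stop" to do something else, can be written down as a small sinkhole decision routine. The following is an added example, not code from the original post, from the FBI, or from any of the quoted sources. It replays constructed bot beacons against a substitute C&C, looks up each source address in a constructed CIDR table standing in for a real GeoIP/ASN database, and only answers "stop" to bots that are both inside the jurisdiction and running a variant whose stop handler has been verified by analysis; everything else is logged for ISP notification. The beacon line format, the variant labels, the address ranges and ISP names are all assumptions.

```python
"""Added example (not the page's or any quoted source's code): a toy
sinkhole decision routine modelled on the Coreflood takedown. Beacon
format, variant labels, address ranges and ISP names are assumptions."""

import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Constructed geolocation table: prefix -> (country, ISP). A real sinkhole
# operator would query a GeoIP/ASN database here instead.
GEO_TABLE = {
    ipaddress.ip_network("203.0.113.0/24"): ("US", "ExampleNet-US"),
    ipaddress.ip_network("198.51.100.0/24"): ("US", "OtherISP-US"),
    ipaddress.ip_network("192.0.2.0/24"): ("DE", "ExampleNet-DE"),
}

# Assumed variant labels whose "stop" handler has been reverse engineered
# and confirmed to do nothing but terminate the bot process.
VERIFIED_STOP_VARIANTS = {"cf-v3", "cf-v4"}


@dataclass
class Beacon:
    src_ip: str
    bot_id: str
    variant: str


def parse_beacon(line):
    """Parse one constructed beacon log line: '<src_ip> <bot_id> <variant>'."""
    src_ip, bot_id, variant = line.split()
    return Beacon(src_ip, bot_id, variant)


def geolocate(ip):
    """Return (country, isp) for an address, or ('??', 'unknown') if unmapped."""
    addr = ipaddress.ip_address(ip)
    for net, info in GEO_TABLE.items():
        if addr in net:
            return info
    return ("??", "unknown")


def decide(beacon, jurisdiction="US"):
    """Command to send back to the bot: 'stop' or 'noop'.

    'noop' is returned whenever the court order's conditions are not met,
    either because the PC appears to be outside the jurisdiction or because
    the variant is one whose stop command has not been verified (and so
    might do something other than terminate)."""
    country, _ = geolocate(beacon.src_ip)
    if country != jurisdiction:
        return "noop"
    if beacon.variant not in VERIFIED_STOP_VARIANTS:
        return "noop"
    return "stop"


def run_sinkhole(lines, jurisdiction="US"):
    """Process beacon lines; return ({bot_id: command}, {isp: [victims]}).

    Every beacon is recorded for ISP notification regardless of whether a
    stop command was issued, since victim identification was the other
    purpose of substituting the C&C servers."""
    commands = {}
    report = defaultdict(list)
    for line in lines:
        b = parse_beacon(line)
        commands[b.bot_id] = decide(b, jurisdiction)
        country, isp = geolocate(b.src_ip)
        report[isp].append((b.src_ip, b.bot_id, b.variant, country))
    return commands, dict(report)


# Constructed beacons (documentation/private ranges only).
SAMPLE_BEACONS = [
    "203.0.113.10 bot-0001 cf-v3",   # US, verified variant -> stop
    "203.0.113.11 bot-0002 cf-v9",   # US, unknown variant  -> noop
    "192.0.2.5    bot-0003 cf-v3",   # outside US           -> noop
    "198.51.100.7 bot-0004 cf-v4",   # US, verified variant -> stop
    "10.0.0.1     bot-0005 cf-v4",   # not in geo table     -> noop
]

if __name__ == "__main__":
    cmds, rep = run_sinkhole(SAMPLE_BEACONS)
    for bot_id, cmd in cmds.items():
        print(f"{bot_id}: {cmd}")
    for isp, victims in rep.items():
        print(f"notify {isp}: {len(victims)} infected host(s)")
```

The point of the second gate is the one raised in the quoted text: "stop" is only safe to send when you know which variant you are talking to, so the routine fails closed (no command) for anything it has not seen analysed.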
- Feds to remotely uninstall Coreflood bot from some PCs
- Feds to remotely uninstall Coreflood bot from some PCs - Computerworld
- VarLinux » Feds to remotely uninstall Coreflood bot from some PCs
- remotely uninstall Coreflood bot - Google Search
- Coreflood bot - Google Search
- YouTube - FBI Take Down: Coreflood Bot-Net
- YouTube - Black Hat 2008: Storm BotNet Update From Joe Stewart
- FBI takes on Coreflood botnet – but is this a step too far? | Naked Security
- YouTube - DEFCON 16: Malware RCE: Debuggers and Decryptor Development
- Coreflood Trojan - Google Search
- Feds will uninstall Zombie software from US computers - In the next month | TechEye
- Federal government shuts down massive botnet run out of North Texas and elsewhere, substitutes its own servers for bad guys' servers to identify victims and send warnings to ISPs | Technology Blog | dallasnews.com
- Department of Justice Takes Action to Disable International Botnet
- US-CERT: Non-technical users
- Malware - OnGuard Online
- With Court Order, FBI Hijacks ‘Coreflood’ Botnet, Sends Kill Signal | Threat Level | Wired.com
- Feds remotely uninstall Coreflood bot - Google Search
- remotely uninstall Coreflood bot Electronic Frontier Foundation - Google Search
- remotely uninstall Coreflood bot EFF - Google Search
- Electronic Frontier Foundation remotely uninstall Coreflood bot - Google Search
- FBI takes on Coreflood botnet – but is this a step too far? | Portable Digital Video Recorder
- YouTube - Joe Stewart on the forensic exam of CoreFlood
- Coreflood - Google Search
- YouTube - Joe Stewart on the CoreFlood botnet
- Feds Crush 'Coreflood Botnet' - Infected 2 Million Computers, Stole Millions - ABC News
- YouTube - US government shuts down Coreflood botnet
- Cyber Threat Report: Cyber Threat Report for April 14, 2011 - AT&T Tech Channel
- YouTube - Joe Stewart on the stealth botnet CoreFlood