FBI Takes Down Coreflood Botnet, But Many Companies Remain Vulnerable

Written by Andrew Jaquith. Posted in Blog Post

By Harald Wilke, Security Analyst, Perimeter E-Security
with Richard S. Westmoreland, Lead Security Analyst and Andrew Jaquith, Chief Technology Officer

On Wednesday April 6th the Federal Bureau of Investigation (FBI) seized control of five servers used to control as many as 2 million computers infected with the Coreflood malware. This malware, also known as AFCore, quietly steals personal and financial information from the infected computer and forwards it to the criminal ring leaders, who use it to conduct fraudulent wire transfers that empty the victims' bank accounts. The botnet is believed to have existed since at least 2002, and over the years it has evolved from IRC-based command and control, selling DDoS and anonymity services, to HTTP-based command and control and financial fraud.

Using an approach similar to the one used to take down the Bredolab botnet, US federal investigators were granted special authorization by the Department of Justice to substitute their own command-and-control (C&C) server for the hosts operated by the criminal organization. When the bot on an infected machine checks in to the substitute C&C, it is simply given a command to shut down. The DNS records used by the bots have also been pointed at Shadowserver's sinkholes.

Law enforcement's control of the C&C servers now prevents the criminals from accessing any information already harvested from the infected computers. It also keeps them from covering their tracks by deleting files and terminating processes. However, the millions of Coreflood infections remain intact and still require intervention by a trained security analyst, or by an antivirus product with signatures that detect the malware. Investigators are also alerting the Internet Service Providers of the compromised machines and requesting that they inform their customers.

More information about the takedown can be found here:

Perimeter's Security Operations Center is actively monitoring for outbound activity known to be associated with the Coreflood botnet. In one instance, minutes after we added inspection for the redirected C&C check-in, alerts showed that a single customer network had 17 actively compromised hosts. Here is a sample screenshot from our SOC's Security Information and Event Management (SIEM) system:

Coreflood Botnet Traffic, from Perimeter SOC

Looking at the raw event logs, we can see the compromised host attempting direct HTTP connections to a sinkhole IP address. The URI confirms that the activity is a bot C&C check-in:
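The check the SOC is describing, outbound HTTP events matched against the sinkhole destination and the check-in URI and then rolled up per source host to produce the "N compromised hosts" count, can be reproduced in a few lines. The block below is an added example written for this post, not Perimeter's SOC rules or any Coreflood indicator published by the FBI. The sinkhole addresses (RFC 5737 documentation ranges), the URI shape, the one-line-per-request log format and the log lines themselves are all constructed for illustration. It goes one step beyond the text in one respect: because the post notes that the operators pre-registered next month's C&C domains, it also flags the check-in URI when it is sent straight to a bare IP address that is not on the sinkhole list, so a move to a fresh domain or server would still surface.

```python
"""Flag hosts whose outbound HTTP traffic looks like a botnet C&C check-in.

Added example; not Perimeter SOC code. Every indicator and log line below
is constructed for illustration and does not describe the real Coreflood bot.
"""
import re
from ipaddress import ip_address

# Constructed: the addresses the seized C&C names are assumed to resolve to.
# RFC 5737 documentation addresses stand in for the real sinkholes.
SINKHOLE_IPS = {"192.0.2.10", "198.51.100.7"}

# Constructed: a hypothetical shape for the bot's check-in URI.
CHECKIN_URI = re.compile(r"^/cgi-bin/[a-z]+\.cgi\?(?:.*&)?id=[0-9a-f]+", re.I)

# Assumed proxy/firewall HTTP event format, one request per line:
# <timestamp> <src_ip> <dst_ip>:<dst_port> <method> <host_header> <uri>
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+)\s+(?P<dst>[\d.]+):(?P<port>\d+)\s+"
    r"(?P<method>[A-Z]+)\s+(?P<host>\S+)\s+(?P<uri>\S+)\s*$"
)


def is_ip_literal(host):
    """True when the Host header is a bare IP rather than a name."""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def parse(line):
    """Return the event fields as a dict, or None for a line we cannot parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(event):
    """Return a reason string if the event looks like a C&C check-in, else None."""
    to_sinkhole = event["dst"] in SINKHOLE_IPS
    uri_match = CHECKIN_URI.search(event["uri"]) is not None
    if to_sinkhole and uri_match:
        return "sinkhole+checkin-uri"        # the case shown in the SOC logs
    if to_sinkhole:
        return "sinkhole-contact"            # e.g. a CONNECT or other path
    if uri_match and is_ip_literal(event["host"]):
        # Check-in URI sent straight to an IP literal that is not a known
        # sinkhole: the pattern to watch for if the operators move to one
        # of their pre-registered domains or a new server.
        return "checkin-uri-to-ip-literal"
    return None


def find_compromised_hosts(lines):
    """Roll matching events up per source host.

    Returns {src_ip: {"count", "reasons", "first", "last"}}. Lines that do
    not parse are skipped so one bad record does not abort the sweep.
    """
    hosts = {}
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        reason = classify(ev)
        if reason is None:
            continue
        entry = hosts.setdefault(
            ev["src"], {"count": 0, "reasons": set(), "first": ev["ts"], "last": ev["ts"]}
        )
        entry["count"] += 1
        entry["reasons"].add(reason)
        entry["first"] = min(entry["first"], ev["ts"])
        entry["last"] = max(entry["last"], ev["ts"])
    return hosts


# Constructed sample events; not real customer or SOC data.
SAMPLE_LOG = """\
2011-04-14T09:12:01Z 10.1.2.34 192.0.2.10:80 GET 192.0.2.10 /cgi-bin/check.cgi?id=0a1f&v=3
2011-04-14T09:12:03Z 10.1.2.34 192.0.2.10:80 GET 192.0.2.10 /cgi-bin/check.cgi?id=0a1f&v=3
2011-04-14T09:12:05Z 10.1.2.35 198.51.100.7:80 GET 198.51.100.7 /cgi-bin/check.cgi?id=77b2
2011-04-14T09:13:10Z 10.1.2.50 203.0.113.20:80 GET www.example.com /index.html
2011-04-14T09:13:12Z 10.1.2.51 203.0.113.21:80 GET 203.0.113.21 /cgi-bin/alpha.cgi?x=1&id=beef
2011-04-14T09:13:20Z 10.1.2.52 198.51.100.7:443 CONNECT 198.51.100.7 198.51.100.7:443
garbage line that should be skipped
"""

if __name__ == "__main__":
    for src, info in sorted(find_compromised_hosts(SAMPLE_LOG.splitlines()).items()):
        print(src, info["count"], sorted(info["reasons"]), info["first"], info["last"])
```

Run against the constructed sample, the sweep reports four hosts: two talking to a sinkhole with the check-in URI, one sinkhole contact over CONNECT, and one sending the check-in URI to an IP literal that is not on the sinkhole list. The normal web request and the unparseable line are ignored. In a real deployment the sinkhole set and URI pattern would come from the SOC's indicator feed, and the per-host roll-up is what turns a stream of proxy events into the "17 actively compromised hosts" style alert described above.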

Recommendations for Perimeter customers

Although the FBI has taken over the command-and-control servers and is issuing shutdown commands to the active bots, the malware is still installed on the compromised machines and reactivates at every boot. Analysis of this Coreflood variant indicates that the C&C domains change monthly and have been pre-registered in countries outside United States jurisdiction, so there remains a possibility that the criminal ring could regain control of the botnet. Perimeter strongly recommends that customers take the following actions to stay protected:

  • Use Web Content Filtering (WCF) to lock down Internet usage by enforcing user authentication and blocking categories that are not critical to the business
  • In particular, block access to unclassified sites (those the filter has not yet categorized), which commonly harbor malware and C&C servers
  • Use standard best practices such as network IPS and network and desktop antivirus to help prevent infections
  • Where infections do occur, a strong WCF policy will help prevent theft of data and will provide additional logging that Perimeter's Security Operations Center can use

Thanks for your time and attention, and stay safe.



Andrew Jaquith

Andrew Jaquith is the Chief Technology Officer of Perimeter E-Security. Before Perimeter, he was a senior analyst with Forrester Research and Yankee Group.
