November 7, 2008 2:14 PM PST

Security expert talks Russian gangs, botnets

Posted by Robert Vamosi

In February of 2005, a Miami man sued Bank of America for not adequately protecting him against a $90,000 fraudulent wire transfer to the Parex Bank in Latvia. Joe Lopez was the first online user to sue his financial institution for not protecting his assets from a computer hacker.

Lopez, owner of a computer and copier supply business, accused Bank of America of negligence and breach of contract for not alerting him in advance to the existence of a piece of malware known as "Coreflood" prior to April 6, 2004, when the alleged theft took place.

Shortly after the wire transfer occurred, a sum of $20,000 was withdrawn from Parex by unknown individuals, according to the complaint filed in court. The remaining $70,000 was, however, frozen by Latvian banking authorities. Bank of America has since settled this case; neither side has revealed the terms.

"I had probably heard the news about Joe Lopez, but (until recently), I hadn't thought twice about the whole Coreflood episode of a few years ago," admitted Joe Stewart, director of Malware Research at SecureWorks, when I spoke to him at last summer's Black Hat conference in Las Vegas.

In particular, Stewart recalled hearing that the U.S. Secret Service had found evidence of Aflood or Coreflood on the Lopez computer.

"The Secret Service actually named Coreflood. That was very surprising. Normally, we don't get the final tally. We don't know whose account got stolen. It's very unusual to actually have a victim that is public, and everybody knows exactly what (was) taken."

Unlike a lot of bots and botnets, most of which exist primarily to relay spam, Stewart said Coreflood has a different agenda: "Its goal is to steal the data directly from users." The much more popular Storm botnet, he said, is more of a nuisance. "Coreflood has a real financial impact for people like Joe Lopez."

Who's behind Coreflood? Stewart declines to say, but in an interview in The New York Times, he suggested that the gang responsible was based somewhere in Russia. He would not tell me the name of the group because of ongoing criminal investigations.

In this video, Stewart talks about what first drew him to study the Coreflood botnet.

When Stewart heard about Lopez, he renewed his research on the Coreflood. With the help of Spamhaus, an antispam organization, Stewart and SecureWorks were able to gain cooperation from a Wisconsin-based provider of one of the command and control centers for the botnet. What he found was not only the bot's source code but also 50 gigabytes of compressed data, searchable in a MySQL database.

Within that database were 378,758 unique bot IDs over a 16-month period. There, for everyone to see, was the time-stamped life cycle--from infection to removal--of each compromised computer. Stewart found the average to be about 66 days.
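The kind of analysis described above, written out as an added example that is not the article's or SecureWorks' code: given seized C&C records with a first and last check-in per bot, compute the infection-to-removal dwell time, its average, and a per-domain month-by-month infection timeline of the sort the graph below shows for one agency. The record layout (bot id, Windows domain reported by the bot, first and last check-in date) and the six sample records are constructed assumptions; the article does not describe the database schema.

```python
"""Dwell-time and per-domain timeline analysis over constructed C&C records.

Added example, not the article's or SecureWorks' code.  The record layout
(bot id, Windows domain reported by the bot, first and last check-in date)
is an assumption; the article does not describe the database schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: six bots across two hypothetical domains.
SAMPLE_RECORDS = [
    ("bot-0001", "EXAMPLE-AGENCY", "2007-04-03", "2007-06-20"),
    ("bot-0002", "EXAMPLE-AGENCY", "2007-04-05", "2007-05-01"),
    ("bot-0003", "EXAMPLE-AGENCY", "2007-09-10", "2008-01-15"),
    ("bot-0004", "EXAMPLE-CORP",   "2007-11-01", "2007-11-30"),
    ("bot-0005", "EXAMPLE-CORP",   "2007-11-02", "2008-01-02"),
    ("bot-0006", "EXAMPLE-CORP",   "2007-11-02", "2007-11-02"),  # removed the same day
]


def parse_records(records):
    """Turn date strings into datetimes; reject records whose last check-in
    precedes the first, which would indicate a clock or export problem."""
    parsed = []
    for bot_id, domain, first, last in records:
        first_dt = datetime.strptime(first, "%Y-%m-%d")
        last_dt = datetime.strptime(last, "%Y-%m-%d")
        if last_dt < first_dt:
            raise ValueError(f"{bot_id}: last check-in before first")
        parsed.append((bot_id, domain, first_dt, last_dt))
    return parsed


def unique_bots(records):
    """Count distinct bot ids (the article's 378,758 for the real data)."""
    return len({bot_id for bot_id, _, _, _ in records})


def dwell_days(records):
    """Infection-to-removal time per bot in days (last seen minus first seen)."""
    return {bot_id: (last - first).days for bot_id, _, first, last in records}


def average_dwell(records):
    """Mean dwell time; the article reports about 66 days for the real data."""
    days = dwell_days(records)
    return sum(days.values()) / len(days)


def _next_month(dt):
    # Jump past the end of the month, then snap back to the first day.
    return (dt.replace(day=28) + timedelta(days=4)).replace(day=1)


def monthly_active(records, domain):
    """Number of bots from one domain active in each calendar month, i.e.
    the infection timeline the article's graph shows for one agency."""
    counts = defaultdict(int)
    for _, dom, first, last in records:
        if dom != domain:
            continue
        month = first.replace(day=1)
        while month <= last:
            counts[month.strftime("%Y-%m")] += 1
            month = _next_month(month)
    return dict(sorted(counts.items()))


if __name__ == "__main__":
    recs = parse_records(SAMPLE_RECORDS)
    print("unique bots:", unique_bots(recs))
    print("average dwell (days):", average_dwell(recs))
    for month, n in monthly_active(recs, "EXAMPLE-AGENCY").items():
        print(month, "#" * n)
```

Dwell time is measured from first to last check-in rather than from a recorded "removal" event, because a seized C&C database only shows when a bot stopped reporting; a long tail of bots with no last check-in should be treated as still infected, not excluded.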

The graph shows how one state policy agency was infected with Coreflood from April 2007 through January 2008.

(Credit: SecureWorks)

Apparently, Coreflood would enter a network via a drive-by browser exploit, download a copy of the installer, then run PsExec, a legitimate Windows administration tool available from Microsoft.

"It could happen to anybody," Stewart said, "any user who happened to go to the wrong site." If that user also happens to be on the corporate network at the time, the bot can take advantage of the domain structure and becomes a threat to everyone on that network.

"So it's not so much a targeted attack," Stewart said. "But I think they have intentionally set a trap for the domain administrator and are leveraging that in order to have access to the entire company."

Later, the criminal gang responsible for the attack can find out which company it has infected by looking into the registry of the infected computer. "They pull out of the registry a separate request to say who is the registered owner of the Windows license. They ship that information back up to the botnet controller."

Just looking at that one C&C server in Wisconsin, Stewart estimates that the gang responsible has infected more than 35,000 domains. The gang may sell the Web mail accounts it harvests to a spammer, because spammers love Web mail accounts, but over the years Coreflood seems to have targeted only banks. Stewart knows this from the forensic evidence he's collected.

In this video, Stewart talks about digital forensics and what it can tell us about botnets such as Coreflood.

Within the 50GB file, Stewart was able to discern how the thieves culled the data. He said they run a test script against that data that logs into the bank through a proxy, using credentials captured, say, by a keylogging application. The Coreflood script then captures the HTML of the post-log-in page.

In most cases, that page also contains the account's bank balance. This is so that after running the test, the hackers have a picture of what the highest dollar amounts are, he said.

"I don't know whether they steal from all of them. We don't have access to the accounts; the bank is not going to tell us how much was stolen out of any given account," he said. "We're not going to get that information, but we know they're actively logging and checking accounts to collect the balance data. The only reason (the script) can see that data is to target the biggest accounts first."

Coreflood does not take a screenshot, Stewart said, but rather scrapes the text out of the HTML. "When they run these tools, it leaves a log file behind, and all the post log-in (data)...are saved in that directory. So we have all of the account balances. So we can parse out what everyone's balance is and see actually how much (the thieves) had access to at any one institution."

In this video, Stewart talks about why Coreflood has been around since 2001, yet hardly anyone has been talking about it.

The problem is that Coreflood has been around since 2001.

"It's unique in that it's been around for so long," Stewart said. Moreover, it's unusual that it seems to have been maintained by the same group, "not something that's been sold to another group," as is the case with some botnets.

The way it's managed to evade detection, Stewart said, is that it hasn't really crept high on anyone's list of botnets. "It's not on anyone's radar." Yet it's managed to seriously impact some enterprises that use Windows domains. In companies that have been hit, every employee is potentially sending everything they do back to these guys in Russia.

"To me, (Coreflood) is far more insidious because it doesn't get the attention," said Stewart. Unlike Storm, Coreflood is not constantly in your face. "You're not seeing new social-engineering campaigns every week, not seeing a new news article about it every week talking about all the great innovations the peer-to-peer thing has now. It's been quiet, and just does a few things, and tries not to garner any attention."

So the story of Lopez is significant. It's a tangible event about how online criminals are actually affecting people. It illustrates how much money got taken from an actual bank account, and the real impact on the victim's life. Unfortunately, there are many more botnets--and many more victims to talk about.

As CNET's resident security expert, Robert Vamosi has been interviewed on the BBC, CNN, MSNBC, and other outlets to share his knowledge about the latest online threats and to offer advice on personal and corporate security. Listen to his podcast at securitybites.cnet.com or e-mail Robert with your questions and comments.
18 comments
by lowenbrau212 November 7, 2008 4:52 PM PST
Wow!!! This article has HORRIBLE grammar. Was this thing even edited? I think its obvious it was not.

Some examples:
"The CoreFlood script will then capture the HTML data on the post long-in page. "
Whats a "long-in" page? Its not like the N and G keys are next to each other. Also "login" is one word, its not hyphenated.

Example: "Within that database were 378,758 unique bot IDs over a 16-month period."
Should be: "Within that database were 378,758 unique bot IDs COLLECTED over a 16-month period."
It sound like you're trying to measure data with a unit of time.

Example: "The Bank of America has since settled; ..."
Should be: "Bank of America has since settled;..."
The name of the bank is not "The Bank of America" its "Bank of America"

If you're going to have a person who's first language is not English write and article in English, YOU SHOULD EDIT IT. There are many more examples I could show you but I think I have made my point.
by Canbthrifty November 10, 2008 4:44 AM PST
OK, there may be some errors with less than perfect grammar, etc, etc, but be fair, we are not all English teachers! ~ Are we now? ~ I am sure that if the critics were to write in 'machine code' they too would make mistakes!

The overriding factor here, and what I consider of vital importance many times over and above any English imperfections, is that the author has highlighted 'To The World' a significant security threat that must be addressed by the authorities. Thankfully, many of us who had never heard of Coreflood are now aware!

I could not care 'two hoots' if he, or she, has made a spelling or grammar mistake! The information and content are the essential factors, not the pedantics of the stuffy, and sometimes illogical, English language! I'm English, and even I make mistakes on occasions!

Without doubt, the main point here is that this important issue has now been made public on a worthy news site for millions to read and be made aware of this significant threat. Hopefully, the various authorities will now instigate actions to deal with the issue and help place the 'Internet World' onto a little safer ground than it was before the article was written.

Finally, I would like to say to all those out there who are, in any way, 'technically challenged' by the English language; do not let the pedantic minority, who may be perfectionists in the subject, put you off writing and placing articles on informative sites! Keep up the good work of information dissemination, however bad the English, as I would rather see the important facts, than not see them at all.

Thank you cnet for a great web site & for download.com!

Well done to all those who try!
by graupma November 11, 2008 11:59 AM PST
your point is that you're an english teacher, or some such person.
I got the point of the article, and overlooked the grammer.
thank you for the english lesson.
More important is the revalation of the outrageous crimes against computer users.
go back to your classroom.!
by delphi9 November 13, 2008 12:52 PM PST
Horrible Grammar? Could it be that maybe you're profiting from the scheme lowenbrau212 and are just trying to change the subject so that others can discuss this problem in earnest? I suspect you are.
by grammatrollnazi November 7, 2008 6:49 PM PST
"write and article in English"?

Gramma Trolls should be more careful when throwing stones under glass bridges.
by dallas7 November 7, 2008 6:52 PM PST
In the second paragraph, it should be "It sounds like..." not "It sound like..."

In the last paragraph, it's "whose" not "who's" while "write and article" should be "write an article." (It's not like the N and D keys are next to each other.) Also, a comma is needed between "but" and "I" in the second sentence.

You also need to have some one teach you about the usage of "its" and "it's."

Lowenbrau212, since English is not your first language and you write in English, YOU SHOULD EDIT IT. Oh well - at least you got the "you're" correct. Next time, use "your" and make even a bigger fool of yourself.
by lowenbrau212 November 8, 2008 12:29 AM PST
O ya, criticize me. I posted a throw away comment on a web site. I am not a paid professional journalist WITH an editing staff. I didn't even bother to check my grammar, I relied upon Firefox's auto spell check to catch any mistakes and that's it.

AT LEAST I DON'T GET PAID TO WRITE ARTICLES AND POST THEM FOR THE WORLD TO SEE! Then you can criticize me.

IF... i was paid to write so called news articles and post them on a well polished "news" site for the world to read, you can be sure that before ANYTHING was posted on it, I would make sure that it was vetted for grammatical accuracy. But no no, don't criticize the paid professional, criticize the person who didn't even major in English in college for catching such obvious grammatical mistakes that even if I had written it, I would be embarrassed to put my name on it.

AND.... by the way, any grammatical mistakes that I made is still no where near as bad, as a so called paid professional "tech" journalist writing "long-in" page. HOW the f**k do you do that? Long-in? AND its f**king hyphenated!!! Plus I know that its not "The Bank of America".

And dallas7, first you complement me for properly spelling "you're", then you tell me to use "your" and to embarrass myself more. Wow, you are quite the debater, I should purposely make mistakes for you to criticize me and to further embarrass myself. That is like asking a boxer to punch himself so his opponent can win. Do you see the complete logical fallacy in you're suggestion, and how you inadvertently make yourself a fool? I doubt you do, in you're mind you win everything, right?

Disclaimer: I did not check this throw away comment for grammatical accuracy, I only used Firefox's built in spell check to catch any possible mistakes, I did not even proof read it, something that you learn to do in grammar school (that's a double entendre by the way), I do not have a company of hundreds of people to help me publish this comment, I do no have a full time editorial staff on hand to check my comments, I did not get paid to write this comment and If I had been paid to write this comment, I would be extremely embarrassed and return the money

Is there anything else you would like to say dallas7? aka cnet.com staffer.
by flash_my_bios November 9, 2008 7:04 AM PST
Are you guys all over the Internet? I go to google stock boards you guys are there. I go to yahoo and you guys are there. I go to a web site that has online erotic stories...and dang your there as well. And now I come to a place to read about Russian hackers and what do I find. I suspect you guys just cruise around and never have a real valid reason to comment. Most of you offer nothing in the way of substance. Your all quite pathetic morons and if you would get your red pen out of your a** and maybe get a job ( a real job... not the one you have now.) See it is a common trait among hackers that they write in short choppy sentences. Most I have come in contact are just like you. They hang out on these sites and basically report back what people are finding. Offer very little and if directly asked absolutely know nothing about anything. Most of you are script kiddies and need human interface in which to carry out your crap. That is the only feasible reason you guys are every where. Let me just say that your arrogance is rather fitting because I bet you are a little dic* wormy person who hides behind a computer screen to be a "man". Take your punctuation, the you're your bs, your name calling, your " ", condescending tone and shove them up your a**;

Your and You're are easy to discern and most mistakes are made from hurry and not lack of knowledge.
For example your last sentence in the next to last paragraph states....."I doubt you do, in you're mind you win everything, right?" That should be your. Anytime you can use you are in place of it....good rule of thumb "remember that". Also, your shows ownership. Your book, Your dog. You're is used to substitute-"You're stupid" =You are stupid.. get my hint.

Now this was pretty "dumb" on your part- Your statement. "AT LEAST I DON'T GET PAID TO WRITE ARTICLES AND POST THEM FOR THE WORLD TO SEE! Then you can criticize me. "

No you just come in here free and offer attack. At least he does get paid. But you would not know anything about that now would you? I mean you think it is more profitable to go around correcting peoples language on public forums for free is worthy of some trophy of good will. Yea, I can see how free is MUCH better. You know if you were not so dumb I would be pissed. Now, I left you some errors to correct in my post because I want to make sure you have something to do. .See if you can find them. You're a moron. (You are a moron)...but in your case it could be "your " because you do show ownership to that. Remember if you can substitute you're for you are then you have the right tense every time. If you cannot then your choice is your. '

Now, if you want to debate.... I think I can handle you with no problem. For some reason I was thinking that you or one of your buddies have already had issues that to court for attacks before. Maybe next time there will be a permanent injunction against you on all sites. Not just one.

oh, and one more thing. ""Within that database were 378,758 unique bot IDs COLLECTED over a 16-month period."
I personally would have said. The recovered database yielded 378,758 unique bot ID's. that were used by the hackers over a 16 month period. But word placement and choice is like opinion ....we all have our favorite way. Or you could just add a "there" in front of were. I am not going to proof this just for you.
by wayhigh November 8, 2008 3:17 AM PST
The reason for them logging into the bank accounts to check the balance has to do with the way the identity theft aka. "carding" industry works.
by CaptainChristian November 8, 2008 4:08 AM PST
Poor grammar and bad spelling are not the problems here.
by elzorro434343 November 9, 2008 1:14 AM PST
Windows is such a huge target and security risk for anything vital.
All these grammar trolls do pseudo posting like this for kicks I guess---go home kiddies!
They sure do not contribute anything constructive to the questions raised that come through loud and clear with a few tyyyypos.
Identity theft is the scourge of our cyberspace.
Large financial transactions should be accessed on a bootable Linux live CD/DVD, e.g., Knoppix or Sidux.
Any data can be saved on a USB thumb drive.
This goes a long way to avoid botnets and malware, as they cannot write to a plastic disk.
Guess this is too difficult for some though, and MS inspired identity theft will remain a way of life.

Some financial institutions are giving out such disks.
Linux and Unix OS's do not have this huge and vulnerable bloated MS footprint yet.
Guess real serious PYCCKN rooski etc spooks could find ways to try and get around this
Good Night, Good Luck.
by flash_my_bios November 9, 2008 12:06 PM PST
Zorro...

I have a question for you. I run just the regular everyday Windows XP operating system. I have major problems that at this time I have not been able to eradicate. I am somewhat certain I am part of a bot. I suspect that as much as I complain and make it known by cutting them off and pulling the power to my computer (so they drop their in-transfer packets) and just mess with them as much as I can safely. I run Wireshark and have become quite familiar with the feel and sound of my computer when this "hacker" or bot runs. I have started posting their footprints on areas in which I know they operate from. The social network sites are eaten up with these folks. I find pieces of information on Wireshark to hint at what they may be doing...... so I usually will go there to that site, find their blog, and post as much of the data as I can. I at least warn the people and give them a heads up.. My computer is Windows but the interesting thing is that it is being controlled by a remote script command from some other place in the DOS mode. Yes, you heard me, I run them both at the same time at some points of the day.
My question is (sorry, I will get to the question because I have yet to get help on this rootkit thing). You mentioned running a Linux live CD and it is safer. Currently when I have my sensitive work to do or if I need to get into a credit bureau or some job related task from home I boot up with Ubuntu, which is basically what you suggested. How safe is that from hackers, since I am bypassing the hard drive? What can they do with a live disk? Can they still read my screens or take screen shots? I went to Ubuntu as a suggestion from a friend and I do not know how much control I have over being certain they are not looking over my shoulder. Since so much of my work centers around the privacy laws I have to be very careful. Now, there is nothing more that I would rather do....and that is find these people who have tormented me and slide them down a razor blade into a pool of alcohol and then pour salt in their cuts when finished. I just need some peace of mind that I am doing all I can to the extremes I can. Nothing gets rid of them. Believe me, I have bought new computers, changed my emails, changed my ISP, and they get back in. I have run every spyware, firewall, rootkit finder, virus protection, and even have my wireless encrypted with a 27 character encryption key. It usually takes them 30 min to penetrate anything new I put on here.

If you will please let me know what you know about the safety and privacy I addressed when booting from a CD I would really appreciate it.
by mycall November 10, 2008 10:25 AM PST
http://www.honeynet.org/tools/ is a good place to do a real honeypot (which is what you are doing by keeping/watching your infected computer). It has a Live CD that will do real science if you are interested in watching botnets and how they operate.

No operating system is 100% safe from hackers. Ubuntu is much better than Windows but if you use programs like Firefox, it too can be infected.

The safest way to browse the internet is by using what is called VMware Browser (see http://www.vmware.com/appliances/directory/80). This way, by using a "guest operating system" on a fresh, minimal Windows XP install (your "host operating system"), you can be sure the data on your "host OS" is safe from any infections your guest OS might obtain (VMware Player is free too).
by elzorro434343 November 9, 2008 5:46 PM PST
Hi flash_my_bios ,
my condolences about your XP box. Spybot Search & Destroy helps, as do Wireshark and all your other efforts. However, unfortunately, if they have already gained entry to your XP box, it might be backup, reformat and scan the backup as best you can, as it may reinfect; they are so cunning these days.
Using a broadband modem-router with a hardware firewall properly configured can make your box relatively invisible to the outside world. I stay with a wired setup as wireless still has security issues if it is not encrypted properly, and even then sometimes.
If you reload XP, use a Linux disk to reformat your drive as NTFS, such as pmagic, gparted, etc.
The bootable CD certainly helps; there are some files in RAM, but these are volatile, and harder to look at by cybercrooks from wherever.
Ubuntu is fairly safe, at this time much more so than XP. Another minimalist bootable CD is Puppy Linux, which offers to save data to a USB drive, and is very fast, as it loads to RAM.
If you need ultra safe communication, I believe the bootable CD is the best option, and constant change frustrates the crooks; they like stable Windows boxes with long boot times best to work their evil ways.
Cheers
by flash_my_bios November 10, 2008 1:11 AM PST
Thank you for your reply. I have and do use Spybot. I alternate the software because they turn it off or fix it where it does not detect them. Now my Spybot tells me I have issues in a sbi file or something/ some bin file. It says a trojan but won't let me remove it or the other one. I loaded Malwarebytes and it never worked. I just finished using AVG's security suite version. I can't even get Lavasoft to make a complete pass through.. Sophos' rootkit program would not run; said I did not have permission. Tonight I was searching out strings of the code to decipher by reason of stupidity what they seem to need or do. It's nothing for me to look down and see over a million bytes going across Wireshark. Rest assured that is not my activity. ...most times I do good to generate 100k of bytes transferring across my network.. I loaded tonight from CastleCops, which was a link from here, a new program to remove and detect rootkits. Not really new..just to me. And it listed several dll and kernel issues under the rootkit section. But currently I am inclined to think I am as informed on this software and what it can do as Helen Keller was on water. Takes me a while.
by Aitrusskyy November 10, 2008 6:00 AM PST
Bad grammar... Who is that first poster? The point of the English language or any language for that matter is to exchange an image, idea, information to someone.

I hear all the time people complain about how they hate people talking to them on messenger saying "ttyl, lmao, hay how's it goin" etc... Super bad grammar. It doesn't matter. The point is that the idea is put across. If someone says to me "hay wuts up", I instantly know they spelled it incorrectly, but I also use my BRAIN to translate it which takes less than .000001 seconds into "hey what's up".

You could also look at it this way --> If people don't use incorrect grammar how will you ever be reminded of what is correct or incorrect? It is practice in itself. Give yourself a gold star and be on your way.

Whether some words were spelled wrong or incorrect "grammar" was used, I most certainly read the article and fully understood it. If all you got out of the article was bad grammar, I am deeply sorry for you. It's not rocket science to make sense of someone's mistakes; the fact you can't see past that makes you look the fool.

Fantastic Article!!!
by cblythsr November 10, 2008 8:06 AM PST
Eye was maid a wear that their was sum skullduggery a foot in thee r tickle, sew I be leave that it has bean a grate wake upper.
by smuone November 10, 2008 8:24 AM PST
If you are going to write an article concerning a specific security risk, shouldn't you use a sentence or two on how to avoid the risk? Pretty much a useless scare article with no suggested security measures.