
Endpoint

4/14/2011 03:39 PM

Coreflood Botnet An Attractive Target For Takedown For Many Reasons

Old-school botnet provided an opportunity for a successful takeover in unprecedented operation by the DOJ, FBI

The Justice Department and FBI's operation to derail the 7-year-old Coreflood botnet set a precedent for how these criminal networks will be targeted by law enforcement, and the relatively old-school botnet's architecture made the feds' method of takedown especially attainable.

Officials from the DOJ yesterday announced that they were able to step between the botnet's servers and 2 million infected machines, or bots, by seizing the five command-and-control servers that sent instructions to the infected machines and issuing "stop" commands to the bots that called home to them. In the most aggressive move by U.S. law enforcement ever to kill a botnet, the takedown effort came via some serious legal firepower, including a civil complaint, criminal seizure warrants, and a temporary restraining order.

The civil suit was filed by the U.S. Attorney's Office for the District of Connecticut against 13 "John Doe" defendants who allegedly engaged in wire fraud, bank fraud, and illegal interception of electronic communications with Coreflood. Coreflood experts say the botnet's two to three masterminds are included among the John Does. The feds also seized and took over 29 domain names used by the botnet, and used the temporary restraining order to cut the bots off from the botnet.

The DOJ worked with the Internet Systems Consortium (ISC), which set up its own decoy servers running a copy of the botnet source code obtained by researchers. "They wrote a version of the command-and-control software that sends nothing but the 'stop' command," says Don Jackson, a senior researcher with Dell SecureWorks' Counter Threat Unit, whose organization has studied the Russia-based Coreflood botnet for years and lent a hand in the DOJ case. So when the bots tried to reach out to the Coreflood C&C server for instructions, the commandeered servers intercepted the communications.

What made Coreflood such an attractive target for the feds was its relative size and simple architecture, as well as the fact that its servers were based in the U.S. Coreflood was a relatively small operation run by a single group. "It was fortunate in the way it uses domain names and is not state-of-the-art and as robust as other botnets. [That] certainly helped a lot ... They could use this as an opportunity for the first time to issue commands to a botnet," Jackson says.

Gunter Ollmann, vice president of research for Damballa, also feels this old-school botnet made it easier to intercept. "[Coreflood] doesn't possess many of the 'security features' present in more modern crimeware packages -- therefore there are no hurdles in this case in issuing unsigned commands to the botnet victims," Ollmann said in a blog post today. "A lot of the more popular Botnet construction kits today come with robust command signing and authentication systems to prevent rogue CnC servers (and competitor cybercriminals) issuing unauthorized commands to the botnet owner's hoard of money-making zombies."

Just because Coreflood wasn't state-of-the-art doesn't mean the feds can't expand on their newfound strategy with more technically sophisticated botnets, he says. "While the specific technique used against the Coreflood botnet may only apply to the older botnets, there are other techniques available to tackle more modern or sophisticated botnets," Ollmann says.

The feds stopped short of having the servers instruct the Coreflood bots to delete the bot code. "There was a conscious decision not to send a 'delete yourself' command," Dell SecureWorks' Jackson says. The risk was a self-deleting bot inadvertently causing a blue screen of death or other problems, he says.

And federal officials took great pains to clarify that people whose computers are Coreflood-infected can opt out from the temporary restraining order set up to stop the botnet, and that law enforcement would not access any information stored on their machines.

Cleanup is being spearheaded by Microsoft, which has added Coreflood -- a.k.a. Win32/Afcore -- detection to its Malicious Software Removal Tool (MSRT). The Microsoft Security Essentials anti-malware tool also detects the malware. ISPs also have lists of infected IP addresses so they can alert infected end users.
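As an added illustration (not code from the article, the ISC, SecureWorks, or Microsoft), the constructed Python model below ties together the mechanics described above: a decoy command-and-control server that answers every check-in with nothing but "stop", deliberately has no "delete yourself" command, and records the beaconing addresses so ISPs can be handed a list of infected hosts; the simulated bot obeys because nothing it receives is signed, and it comes back after a reboot because stopping the process does not remove the infection. The IP addresses, timestamps, command string and class names are assumptions.

```python
from datetime import datetime, timedelta

STOP = "stop"  # the only command the decoy server ever issues (no "delete yourself")

class StopOnlySinkhole:
    """Stand-in for a seized C&C server: every check-in gets STOP, and the
    source IP is logged so ISPs can be handed a list of infected addresses."""

    def __init__(self) -> None:
        self.infected: dict[str, dict] = {}   # ip -> first_seen, last_seen, beacons

    def handle_beacon(self, src_ip: str, now: datetime) -> str:
        rec = self.infected.setdefault(src_ip, {"first_seen": now, "last_seen": now, "beacons": 0})
        rec["last_seen"], rec["beacons"] = now, rec["beacons"] + 1
        return STOP   # nothing on the victim is read or changed beyond stopping the bot

    def isp_report(self) -> list[tuple[str, int]]:
        """(ip, beacon_count) pairs sorted by IP: the notification list for an ISP."""
        return sorted((ip, r["beacons"]) for ip, r in self.infected.items())

class SimulatedBot:
    """Unsigned-command bot: obeys whatever the server at its C&C domain says."""

    def __init__(self, ip: str) -> None:
        self.ip, self.running = ip, True

    def check_in(self, server: StopOnlySinkhole, now: datetime) -> str:
        if not self.running:
            return "halted"          # a stopped process sends no further beacons
        cmd = server.handle_beacon(self.ip, now)
        if cmd == STOP:              # no signature check: a decoy's STOP is obeyed
            self.running = False
        return cmd

    def reboot(self) -> None:
        self.running = True          # infection persists; the bot restarts on reboot

def run_simulation(rounds: int = 4, interval: timedelta = timedelta(minutes=30)):
    """Constructed scenario: three bots beacon; the first host reboots before round 3."""
    sink, t = StopOnlySinkhole(), datetime(2011, 4, 13, 12, 0)
    bots = [SimulatedBot("192.0.2.10"), SimulatedBot("192.0.2.11"), SimulatedBot("198.51.100.7")]
    for r in range(1, rounds + 1):
        if r == 3:
            bots[0].reboot()
        for b in bots:
            b.check_in(sink, t)
        t += interval
    return sink, bots
```

The rebooted host shows up twice in the ISP report, which is why the sinkhole is only a holding action and MSRT-style removal still has to follow.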

Coreflood has been well-known among the security researcher community for years. Joe Stewart, a botnet expert at Dell SecureWorks, in 2008 identified enhancements to the botnet that allowed it to spread like a worm and quietly steal hundreds of thousands of credentials from corporate users and other large organizations. The botnet was known for stealing money from compromised bank accounts.

Dell SecureWorks' Jackson says he and colleague Ben Feinstein in January of this year approached DoD officials at a conference in Atlanta about going after the relatively small botnet operation. "It was hitting inside companies," Jackson says, and had been around for nearly 10 years, so its derailment was long overdue.

But experts say there's no guarantee that Coreflood's operators ultimately will pay for their crimes -- they could potentially walk and then reinvent their operation with another botnet. "I am holding out hope. It would be unprecedented if they did" pay for their crimes, Dell SecureWorks' Jackson says. "This is unprecedented politically and with the cooperation between private and public" entities, he says. The challenge, however, will be how the Russian authorities handle the case.

"Coreflood has been around for so long, there have doubtless been organizational changes along the way, and the business model for this kind of crime is evolving constantly. That is why it is so crucial that law enforcement move quickly -- much more quickly than we have. That requires training and resources, and we need these things now," says Nick Selby, a cybercrime consultant and police officer who co-founded the Police Led Intelligence blog and podcast.

Meanwhile, the DOJ said the takedown doesn't eradicate Coreflood's malware or iterations of it, noting that another botnet could be erected using different versions of the malware or other malware.

Overall, security experts applauded the cooperative effort in the Coreflood case.

"There is clearly strong public and private momentum in the fight against botnets, and the Microsoft Digital Crimes Unit was happy to provide technical information from the lessons we learned from the recent Rustock and Waledac botnet takedowns to assist these agencies in their operation," said Richard Boscovich, senior attorney for Microsoft's Digital Crimes Unit.


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
