
4/14/2011
03:39 PM

Coreflood Botnet An Attractive Target For Takedown For Many Reasons

Old-school botnet provided an opportunity for a successful takeover in unprecedented operation by the DOJ, FBI

The Justice Department and FBI's operation to derail the 7-year-old Coreflood botnet set a precedent for how these criminal networks will be targeted by law enforcement, and the relatively old-school botnet's architecture made the feds' method of takedown especially attainable.

Officials from the DOJ yesterday announced that they were able to step between the botnet's servers and its 2 million infected machines, or bots: the feds seized the five command-and-control servers that send instructions to the infected machines and answered the bots calling home to them with "stop" commands. In the most aggressive move by U.S. law enforcement ever to kill a botnet, the takedown effort came via some serious legal firepower, including a civil complaint, criminal seizure warrants, and a temporary restraining order.

The civil suit was filed by the U.S. Attorney's Office for the District of Connecticut against 13 "John Doe" defendants who allegedly engaged in wire fraud, bank fraud, and illegal interception of electronic communications with Coreflood. Coreflood experts say the botnet's two to three masterminds are included among the John Does. The feds also seized and took over 29 domain names used by the botnet, and used the temporary restraining order to cut the bots off from the botnet.

The DOJ worked with the Internet Systems Consortium (ISC), which set up its own decoy servers running a copy of the botnet source code obtained by researchers. "They wrote a version of the command-and-control software that sends nothing but the 'stop' command," says Don Jackson, a senior researcher with Dell SecureWorks' Counter Threat Unit, whose organization has studied the Russia-based Coreflood botnet for years and lent a hand in the DOJ case. So when the bots tried to reach out to the Coreflood C&C server for instructions, the commandeered servers intercepted the communications.

What made Coreflood such an attractive target for the feds was its relative size and simple architecture, as well as the fact that its servers were based in the U.S. Coreflood was a relatively small operation run by a single group. "It was fortunate in the way it uses domain names and is not state-of-the-art and as robust as other botnets. [That] certainly helped a lot ... They could use this as an opportunity for the first time to issue commands to a botnet," Jackson says.

Gunter Ollmann, vice president of research for Damballa, also feels this old-school botnet made it easier to intercept. "[Coreflood] doesn't possess many of the 'security features' present in more modern crimeware packages -- therefore there are no hurdles in this case in issuing unsigned commands to the botnet victims," Ollmann said in a blog post today. "A lot of the more popular Botnet construction kits today come with robust command signing and authentication systems to prevent rogue CnC servers (and competitor cybercriminals) issuing unauthorized commands to the botnet owner's hoard of money-making zombies."

Just because Coreflood wasn't state-of-the-art doesn't mean the feds can't expand on their newfound strategy with more technically sophisticated botnets, he says. "While the specific technique used against the Coreflood botnet may only apply to the older botnets, there are other techniques available to tackle more modern or sophisticated botnets," Ollmann says.

The feds stopped short of having the servers instruct the Coreflood bots to delete the bot code. "There was a conscious decision not to send a 'delete yourself' command," Dell SecureWorks' Jackson says. The risk was a self-deleting bot inadvertently causing a blue screen of death or other problems, he says.

And federal officials took great pains to clarify that people whose computers are Coreflood-infected can opt out from the temporary restraining order set up to stop the botnet, and that law enforcement would not access any information stored on their machines.

Cleanup is being spearheaded by Microsoft, which has added Coreflood -- a.k.a. Win32/Afcore -- detection to its Malicious Software Removal Tool (MSRT). The Microsoft Security Essentials anti-malware tool also detects the malware. ISPs also have lists of infected IP addresses so they can alert infected end users.

Coreflood has been well-known among the security researcher community for years. Joe Stewart, a botnet expert at Dell SecureWorks, in 2008 identified enhancements to the botnet that allowed it to spread like a worm and quietly steal hundreds of thousands of credentials from corporate users and other large organizations. The botnet was known for stealing money from compromised bank accounts.

Dell SecureWorks' Jackson says he and colleague Ben Feinstein in January of this year approached DoD officials at a conference in Atlanta about going after the relatively small botnet operation. "It was hitting inside companies," Jackson says, and had been around for nearly 10 years, so its derailment was long overdue.

But experts say there's no guarantee that Coreflood's operators ultimately will pay for their crimes -- they could potentially walk and then reinvent their operation with another botnet. "I am holding out hope. It would be unprecedented if they did" pay for their crimes, Dell SecureWorks' Jackson says. "This is unprecedented politically and with the cooperation between private and public" entities, he says. The challenge, however, will be how the Russian authorities handle the case.

"Coreflood has been around for so long, there have doubtless been organizational changes along the way, and the business model for this kind of crime is evolving constantly. That is why it is so crucial that law enforcement move quickly -- much more quickly than we have. That requires training and resources, and we need these things now," says Nick Selby, a cybercrime consultant and police officer who co-founded the Police Led Intelligence blog and podcast.

Meanwhile, the DOJ said the takedown doesn't eradicate Coreflood's malware or iterations of it, noting that another botnet could be erected using different versions of the malware or other malware.

Overall, security experts applauded the cooperative effort in the Coreflood case.

"There is clearly strong public and private momentum in the fight against botnets, and the Microsoft Digital Crimes Unit was happy to provide technical information from the lessons we learned from the recent Rustock and Waledac botnet takedowns to assist these agencies in their operation," said Richard Boscovich, senior attorney for Microsoft's Digital Crimes Unit.


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
