
Coreflood Botnet An Attractive Target For Takedown For Many Reasons

Old-school botnet provided an opportunity for a successful takeover in unprecedented operation by the DOJ, FBI

The Justice Department and FBI's operation to derail the 7-year-old Coreflood botnet set a precedent for how these criminal networks will be targeted by law enforcement, and the relatively old-school botnet's architecture made the feds' method of takedown especially attainable.

Officials from the DOJ yesterday announced that they were able to step between the botnet's servers and 2 million infected machines, or bots: they seized the five command-and-control servers that send instructions to the infected machines and issued "stop" commands to the bots calling home to them. The takedown effort, the most aggressive move ever by U.S. law enforcement to kill a botnet, came via some serious legal firepower, including a civil complaint, criminal seizure warrants, and a temporary restraining order.

The civil suit was filed by the U.S. Attorney's Office for the District of Connecticut against 13 "John Doe" defendants who allegedly engaged in wire fraud, bank fraud, and illegal interception of electronic communications with Coreflood. Coreflood experts say the botnet's two to three masterminds are included among the John Does. The feds also seized and took over 29 domain names used by the botnet, and used the temporary restraining order to cut the bots off from the botnet.

The DOJ worked with the Internet Systems Consortium (ISC), which set up its own decoy servers running a copy of the botnet source code obtained by researchers. "They wrote a version of the command-and-control software that sends nothing but the 'stop' command," says Don Jackson, a senior researcher with Dell SecureWorks' Counter Threat Unit, whose organization has studied the Russia-based Coreflood botnet for years and lent a hand in the DOJ case. So when the bots tried to reach out to the Coreflood C&C server for instructions, the commandeered servers intercepted the communications.

What made Coreflood such an attractive target for the feds was its relative size and simple architecture, as well as the fact that its servers were based in the U.S. Coreflood was a relatively small operation run by a single group. "It was fortunate in the way it uses domain names and is not state-of-the-art and as robust as other botnets. [That] certainly helped a lot ... They could use this as an opportunity for the first time to issue commands to a botnet," Jackson says.

Gunter Ollmann, vice president of research for Damballa, also feels this old-school botnet made it easier to intercept. "[Coreflood] doesn't possess many of the 'security features' present in more modern crimeware packages -- therefore there are no hurdles in this case in issuing unsigned commands to the botnet victims," Ollmann said in a blog post today. "A lot of the more popular Botnet construction kits today come with robust command signing and authentication systems to prevent rogue CnC servers (and competitor cybercriminals) issuing unauthorized commands to the botnet owner’s hoard of money-making zombies."

Just because Coreflood wasn't state-of-the-art doesn't mean the feds can't expand on their newfound strategy with more technically sophisticated botnets, he says. "While the specific technique used against the Coreflood botnet may only apply to the older botnets, there are other techniques available to tackle more modern or sophisticated botnets," Ollmann says.

The feds stopped short of having the servers instruct the Coreflood bots to delete the bot code. "There was a conscious decision not to send a 'delete yourself' command," Dell SecureWorks' Jackson says. The risk was a self-deleting bot inadvertently causing a blue screen of death or other problems, he says.

And federal officials took great pains to clarify that people whose computers are Coreflood-infected can opt out from the temporary restraining order set up to stop the botnet, and that law enforcement would not access any information stored on their machines.

Cleanup is being spearheaded by Microsoft, which has added Coreflood -- a.k.a. Win32/Afcore -- detection to its Malicious Software Removal Tool (MSRT). The Microsoft Security Essentials anti-malware tool also detects the malware. ISPs also have lists of infected IP addresses so they can alert infected end users.

Coreflood has been well-known among the security researcher community for years. Joe Stewart, a botnet expert at Dell SecureWorks, in 2008 identified enhancements to the botnet that allowed it to spread like a worm and quietly steal hundreds of thousands of credentials from corporate users and other large organizations. The botnet was known for stealing money from compromised bank accounts.

Dell SecureWorks' Jackson says he and colleague Ben Feinstein in January of this year approached DoD officials at a conference in Atlanta about going after the relatively small botnet operation. "It was hitting inside companies," Jackson says, and had been around for nearly 10 years, so its derailment was long overdue.

But experts say there's no guarantee that Coreflood's operators ultimately will pay for their crimes -- they could potentially walk and then reinvent their operation with another botnet. "I am holding out hope. It would be unprecedented if they did" pay for their crimes, Dell SecureWorks' Jackson says. "This is unprecedented politically and with the cooperation between private and public" entities, he says. The challenge, however, will be how the Russian authorities handle the case.

"Coreflood has been around for so long, there have doubtless been organizational changes along the way, and the business model for this kind of crime is evolving constantly. That is why it is so crucial that law enforcement move quickly -- much more quickly than we have. That requires training and resources, and we need these things now," says Nick Selby, a cybercrime consultant and police officer who co-founded the Police Led Intelligence blog and podcast.

Meanwhile, the DOJ said the takedown doesn't eradicate Coreflood's malware or iterations of it, noting that another botnet could be erected using different versions of the malware or other malware.

Overall, security experts applauded the cooperative effort in the Coreflood case.

"There is clearly strong public and private momentum in the fight against botnets, and the Microsoft Digital Crimes Unit was happy to provide technical information from the lessons we learned from the recent Rustock and Waledac botnet takedowns to assist these agencies in their operation," said Richard Boscovich, senior attorney for Microsoft's Digital Crimes Unit.


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
