Security expert talks Russian gangs, botnets
7 November 2008
In February of 2005, a Miami man sued Bank of America for not adequately protecting him against a $90,000 fraudulent wire transfer to the Parex Bank in Latvia. Joe Lopez was the first online user to sue his financial institution for not protecting his assets from a computer hacker.
Lopez, owner of a computer and copier supply business, accused Bank of America of negligence and breach of contract for not alerting him in advance to the existence of a piece of malware known as “CoreFlood” prior to April 6, 2004, when the alleged theft took place. Shortly after the wire transfer occurred, $20,000 was withdrawn from Parex by unknown individuals, according to the complaint filed in court. The remaining sum was, however, frozen by Latvian banking authorities. Bank of America has since settled; neither side has revealed the terms.

“I had probably heard the news about Joe Lopez but (until recently) I hadn’t thought twice about the whole CoreFlood episode of a few years ago,” admitted Joe Stewart, director of Malware Research at SecureWorks, when I spoke to him at last summer’s Black Hat conference in Las Vegas. In particular, Stewart recalled hearing that the U.S. Secret Service had found evidence of AFlood or CoreFlood on the Lopez computer. “Wow,” he said, growing animated, “the Secret Service actually named CoreFlood. That was very surprising. Normally, we don’t get the final tally. We don’t know whose account got stolen. It’s very unusual to actually have a victim that is public and everybody knows exactly what was taken.”
Unlike a lot of bots and botnets, most of which exist primarily to relay spam, Stewart says Coreflood has a different agenda. “Its goal is to steal the data directly from users.” The much more popular Storm botnet, he says, is more of a nuisance. “Coreflood has a real financial impact for people like Joe Lopez.”
Who’s behind CoreFlood? Stewart declines to say, but in an interview in The New York Times he suggested the gang responsible was based somewhere in Russia. He would not tell me the name of the group because of ongoing criminal investigations.
In this video Stewart talks about what first drew him to study the CoreFlood botnet.
When Stewart heard about Lopez, he renewed his research on the botnet. With the help of Spamhaus, an antispam organization, Stewart and SecureWorks were able to gain cooperation from a Wisconsin-based provider hosting one of the command and control centers for CoreFlood. What Stewart found was not only the bot’s source code but also 50 gigabytes of compressed data, searchable in a MySQL database. Within that database were 378,758 unique bot IDs over a 16-month period. There, for everyone to see, was the time-stamped lifecycle, from infection to removal, of each compromised computer. Stewart found the average to be about 66 days.
The graph shows how one state policy agency was infected with Coreflood from April 2007 through January 2008.
(Credit: SecureWorks)
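The kind of analysis Stewart describes, a per-bot infection lifecycle and a month-by-month infection count like the graph above, is straightforward once the C&C records are in a table. The following is an added example written for this page, not SecureWorks code and not the real database schema: it assumes a constructed CSV with a bot ID, the registered owner the bot reads from the registry, and first and last check-in dates, and computes the average dwell time, the number of bots active each month, and the number of infected hosts per organisation.

```python
import csv
from collections import Counter
from datetime import datetime
from io import StringIO

# Constructed sample in the shape of the C&C records the article describes
# (bot ID, registered owner pulled from the registry, first and last check-in).
# These rows are made up for illustration; they are not SecureWorks data.
SAMPLE_RECORDS = """\
bot_id,registered_owner,first_seen,last_seen
a1f3,EXAMPLE-AGENCY,2007-04-02,2007-06-20
b2c4,EXAMPLE-AGENCY,2007-04-03,2007-09-01
c3d5,EXAMPLE-AGENCY,2007-05-15,2007-05-30
d4e6,EXAMPLE-CORP,2007-05-20,2007-08-10
e5f7,EXAMPLE-CORP,2007-07-01,2007-07-15
f6a8,HOME-PC,2007-08-05,2007-12-22
"""


def parse_records(text):
    """Parse the CSV text into dicts with real date objects."""
    rows = []
    for row in csv.DictReader(StringIO(text)):
        rows.append({
            "bot_id": row["bot_id"],
            "owner": row["registered_owner"],
            "first_seen": datetime.strptime(row["first_seen"], "%Y-%m-%d").date(),
            "last_seen": datetime.strptime(row["last_seen"], "%Y-%m-%d").date(),
        })
    return rows


def dwell_days(record):
    """Days between first and last check-in: how long the bot lived on that host."""
    return (record["last_seen"] - record["first_seen"]).days


def average_dwell(records):
    """Mean dwell time across all bots (the article's figure was about 66 days)."""
    return sum(dwell_days(r) for r in records) / len(records)


def _next_month(year, month):
    return (year + 1, 1) if month == 12 else (year, month + 1)


def active_by_month(records):
    """Number of bots that were alive in each calendar month, i.e. the graph's y-axis."""
    counts = Counter()
    for r in records:
        ym = (r["first_seen"].year, r["first_seen"].month)
        end = (r["last_seen"].year, r["last_seen"].month)
        while ym <= end:
            counts["%04d-%02d" % ym] += 1
            ym = _next_month(*ym)
    return dict(sorted(counts.items()))


def hosts_per_owner(records):
    """Infected hosts per registered owner: which organisations were hit hardest."""
    return Counter(r["owner"] for r in records)


if __name__ == "__main__":
    recs = parse_records(SAMPLE_RECORDS)
    print("average dwell: %.1f days" % average_dwell(recs))
    for month, n in active_by_month(recs).items():
        print(month, "#" * n)
    for owner, n in hosts_per_owner(recs).most_common():
        print(owner, n)
```

Counting a bot as "active" in every month between its first and last check-in reproduces the shape of the graph (bots that are infected but quiet still count); if the records carried individual check-in timestamps instead, you would count months with at least one check-in.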
Apparently, CoreFlood would enter a network via a drive-by browser exploit, download a copy of the installer, then run PsExec, a legitimate Windows administration tool available from Microsoft. “It could happen to anybody,” he said, “any user who happened to go to the wrong site.” If the user also happened to be on the corporate network when that happens, the bot can take advantage of that structure and become a threat to everyone on that network.
“So it’s not so much a targeted attack,” Stewart said. “But I think they have intentionally set a trap for the domain administrator and are leveraging that in order to have access to the entire company.”
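The spread Stewart describes, one compromised domain administrator's credentials used to push the bot across a whole company, leaves a footprint that defenders can look for: PsExec works by installing a temporary service on each target, which Windows records in the System log as event 7045 ("A service was installed in the system"), and a single account installing services on many hosts within minutes is a lateral-movement burst whatever the service is called. The following is an added example for this page, not SecureWorks code and not an artifact of the CoreFlood investigation: it assumes constructed JSON log lines with `host`, `time`, `event_id`, `service_name`, `image_path` and `account` fields (field names are my own), and flags both the default PsExec service name and the many-hosts-in-a-short-window pattern.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed event records modelled on Windows System log event 7045
# ("A service was installed in the system"), one JSON object per line.
# Hosts, accounts, times and field names are made up for this example.
SAMPLE_LOG = r"""
{"host": "WS01", "time": "2007-04-02T09:15:00", "event_id": 7045, "service_name": "PSEXESVC", "image_path": "%SystemRoot%\\PSEXESVC.exe", "account": "CORP\\svc-admin"}
{"host": "WS02", "time": "2007-04-02T09:16:00", "event_id": 7045, "service_name": "PSEXESVC", "image_path": "%SystemRoot%\\PSEXESVC.exe", "account": "CORP\\svc-admin"}
{"host": "WS03", "time": "2007-04-02T09:17:30", "event_id": 7045, "service_name": "PSEXESVC", "image_path": "%SystemRoot%\\PSEXESVC.exe", "account": "CORP\\svc-admin"}
{"host": "FS01", "time": "2007-04-02T11:00:00", "event_id": 7045, "service_name": "BackupAgent", "image_path": "C:\\Program Files\\Backup\\agent.exe", "account": "CORP\\installer"}
{"host": "WS01", "time": "2007-04-02T14:00:00", "event_id": 7036, "service_name": "PSEXESVC", "image_path": "", "account": "CORP\\svc-admin"}
{"host": "WS05", "time": "2007-04-03T08:00:00", "event_id": 7045, "service_name": "PSEXESVC", "image_path": "%SystemRoot%\\PSEXESVC.exe", "account": "CORP\\jsmith"}
"""

PSEXEC_SERVICE = "PSEXESVC"  # default service name PsExec installs on the target


def parse_events(text):
    """Parse one JSON object per line into dicts with datetime objects."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["time"] = datetime.fromisoformat(ev["time"])
        events.append(ev)
    return events


def is_psexec_install(ev):
    """Service install whose name or binary matches PsExec's default service."""
    if ev["event_id"] != 7045:
        return False
    name = ev.get("service_name", "").upper()
    image = ev.get("image_path", "").upper()
    return name == PSEXEC_SERVICE or image.endswith(PSEXEC_SERVICE + ".EXE")


def psexec_installs(events):
    return [ev for ev in events if is_psexec_install(ev)]


def install_spread(events, window=timedelta(minutes=10)):
    """For each account, the largest number of distinct hosts on which it installed
    any service within one sliding window. One account touching many hosts in a few
    minutes is the pattern the article describes (a stolen admin credential used to
    push the bot across the domain); unlike the name check it also catches a
    service that has been renamed."""
    by_account = defaultdict(list)
    for ev in events:
        if ev["event_id"] == 7045:
            by_account[ev["account"]].append(ev)
    result = {}
    for account, evs in by_account.items():
        evs.sort(key=lambda e: e["time"])
        best = 0
        for i, start in enumerate(evs):
            hosts = {e["host"] for e in evs[i:] if e["time"] - start["time"] <= window}
            best = max(best, len(hosts))
        result[account] = best
    return result


def alerts(events, window=timedelta(minutes=10), min_hosts=3):
    """Human-readable findings: every PsExec service install plus any account that
    installed services on at least min_hosts hosts inside one window."""
    out = []
    for ev in psexec_installs(events):
        out.append("%s %s: PsExec service installed by %s"
                   % (ev["time"].isoformat(), ev["host"], ev["account"]))
    minutes = int(window.total_seconds() // 60)
    for account, n in install_spread(events, window).items():
        if n >= min_hosts:
            out.append("%s installed services on %d hosts within %d minutes" % (account, n, minutes))
    return out


if __name__ == "__main__":
    for line in alerts(parse_events(SAMPLE_LOG)):
        print(line)
```

Legitimate administrators also use PsExec, so the name match on its own is a lead rather than a verdict; the burst heuristic is what separates one admin fixing one workstation from a credential being used to fan out across the domain, and its window and host threshold should be tuned to how your own administrators actually work.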
Later, the criminal gang responsible for the infection can find out which company they’ve infected by looking into the registry of the infected computer. “They pull out of the registry a separate request to say who is the registered owner of the Windows license. They ship that information back up to the botnet controller.”
Just looking at that one C&C server in Wisconsin, Stewart estimates the gang responsible has infected more than 35,000 different domains. They may sell those Web mail accounts to a spammer, because spammers love Web mail accounts. But over the years, CoreFlood seems to have only targeted banks. Stewart knows this from the forensic evidence he’s collected.
In this video, Stewart talks about digital forensics and what it can tell us about botnets such as CoreFlood.
Within the 50GB file, Stewart was able to discern how the thieves culled the data. He said they run a test script against that data that logs into the bank via a proxy using the captured credentials, captured, say, by a keylogging application. The CoreFlood script then captures the HTML of the post-login page. In most cases, that page also contains the account’s bank balance. They do that, he said, so that after running the test they have a picture of which accounts hold the highest dollar amounts. “I don’t know whether they steal from all of them. We don’t have access to the accounts; the bank is not going to tell us how much was stolen out of any given account. We’re not going to get that information, but we know they’re actively logging in and checking accounts to collect the balance data. The only reason (the script) can see that data is to target the biggest accounts first,” he said.
This is not taking a screenshot, he said, but scraping the text out of the HTML. “When they run these tools, it leaves a log file behind and all the post-login pages that downloaded during the test are saved in that directory. So we have all of the account balances. So we can parse out what everyone’s balance is and see actually how much (the thieves) had access to at any one institution.”
In this video, Stewart talks about why Coreflood has been around since 2001, yet hardly anyone has been talking about it.
The problem is CoreFlood’s been around since 2001.
“It’s unique in that it’s been around for so long,” Stewart said. Moreover, it’s unusual that it seems to have been maintained by the same group, “not something that’s been sold to another group” like some botnets. The way it’s managed to evade detection, Stewart says, is that it has never climbed high on anyone’s list of botnets. “It’s not on anyone’s radar.” Yet it’s managed to seriously impact some enterprises that use Windows domains. In companies that have been hit, every employee is potentially sending everything they do back to these guys in Russia.
“To me, (CoreFlood) is far more insidious because it doesn’t get the attention,” said Stewart. Unlike Storm, CoreFlood is not constantly in your face. “You’re not seeing new social engineering campaigns every week, not seeing a new news article about it every week talking about all the great innovations the peer-to-peer thing has now. It’s been quiet, and just does a few things, and tries not to garner any attention.”
So the story of Lopez is significant. It’s a tangible event about how online criminals are actually affecting people. “Here’s how much money got taken from a bank account, here’s the real impact on someone’s life.” Unfortunately, there are many more botnets, and many more victims to talk about.
[Via Defense in Depth - CNET]