Wednesday, April 13, 2011

Bold FBI Move Shutters COREFLOOD Bot

In February 2005, John Leyden told the story of Joe Lopez a 42 year old businessman in Miami Florida who sued his bank after having $90,348 wired out of his account to Parex Bank in Riga, Latvia. The US Secret Service examined his computer and found that his system was infected with the Coreflood trojan.

Where did the money go? According to USA Today's Byron Acohido, someone named Yanson Arnold withdrew $20,000 of the money three days later.

The story was featured on NBC Nightly News on December 14, 2004, in a story called The Fleecing Of America which indicated the money had been stolen via the CoreFlood Virus.

In June of 2008, Joe Stewart, International Grandmaster of Malware Reverse Engineering, released a report called Coreflood/AFcore Trojan Analysis. He started his report by calling attention to five highlights:

1. One of the oldest botnets in continuous operation (+6 years)
2. Motive turned from DDoS to selling anonymity services to full-fledged bank fraud
3. Entire Windows domains infected at once (thousands of computers at some organizations)
4. Over 378,000 computers infected during 16-month time frame
5. Infected businesses, hospitals, government organizations, and even a state police agency

When Joe worked with Spamhaus back then to investigate an active C&C they found FIFTY GIGABYTES of compressed data, stolen over the course of two years, with a MySQL database that the criminal was using to track which information it had stolen from 378,758 unique bots over a period of 16 months. At one point, Joe's report shows "a major hotel chain" with over 7,000 infected computers, and a State Police agency with over 110 infected computers! Among the data stolen were 8,485 bank passwords, 3,233 credit card passwords, 151,000 email passwords, and 58,391 social networking site passwords. At that time, in 2008, the controller domains were: mcupdate.net, joy4host.com, and antrexhost.com.

Here we are in April 2011 -- almost three years later, and "antrexhost.com" is still an active C&C for the domain, which is still stealing money, despite being featured on NBC Nightly News, USA Today, and discussed by name by the White House's Howard Schmidt.

All of that may have come to an end today, as announced by today's FBI Press Release headline was Department of Justice Takes Action to Disable International Botnet. The botnet in question is known as Coreflood, and according to court papers released by the FBI's New Haven Field Office, a pair of Command & Control servers, located at 207.210.74.74 and 74.63.232.233 were controlling 2,336,542 infected computers as of February 2010. Of those, 1,853,005 were located in the United States.

207.210.74.74 is a server on the Global Net Access system, that hosted a domain called jane.unreadmsg.net. vaccina.medinnovation.org was the C&C name on 74.63.232.233


From the request for a Temporary Restraining Order filed by Assistant US Attorney Edward Chang:

12. The Coreflood Botnet was used, among other things,
to commit financial fraud. Infected computers in the Coreflood
Botnet automatically recorded the keystrokes and Internet
communications of unsuspecting users, including online banking
credentials and passwords. The stolen data was then sent to one
or more Coreflood C&C servers, where it was stored for review by
the Defendants and their co-conspirators. The Coreflood C&C
servers also stored the network and operating system
characteristics of the infected computers. The Defendants and
their co-conspirators used the stolen data, including online
banking credentials and passwords, to direct fraudulent wire
transfers from the bank accounts of their victims.

13. The victims of the fraud scheme described above
included, inter alia:

a. A real estate company in Michigan, from whose bank
account there were fraudulent wire transfers made in a
total amount of approximately $115,771;

b. A law firm in South Carolina, from whose bank account
there were fraudulent wire transfers made in a total
amount of approximately $78,421;

c. An investment company in North Carolina, from whose
bank account there were fraudulent wire transfers made
in a total amount of approximately $151,201; and

d. A defense contractor in Tennessee, from whose bank
account there were fraudulent wire transfers attempted
in a total amount of approximately $934,528, resulting
in an actual loss of approximately $241,866.

The full extent of the financial loss caused by the Coreflood
Botnet is not known, due in part to the large number of infected
computers and the quantity of stolen data.



Here are some of the hostnames that were used by Coreflood -- some dates are in the future, indicating that the bot had the ability to change to new names over time, to prevent just the sort of shutdown that occurred today:


C&C SERVER ASSIGNED 207.210.74.74
MonthPrimary Domain Alternate Domain
1/2011 a-gps.vip-studions.net old.antrexhost.com
2/2011 dru.realgoday.net marker.antrexhost.com
3/2011 brew.fishbonetree.biz spamblocker.antrexhost.com
4/2011 jane.unreadmsg.net ads.antrexhost.com
5/2011 exchange.stafilocox.net cafe.antrexhost.com
6/2011 ns1.diplodoger.com coffeeshop.antrexhost.com
7/2011 a-gps.vip-studions.net old.antrexhost.com
8/2011 dru.realgoday.net marker.antrexhost.com
9/2011 brew.fishbonetree.biz spamblocker.antrexhost.com
10/2011 jane.unreadmsg.net ads.antrexhost.com
11/2011 exchange.stafilocox.net cafe.antrexhost.com
12/2011 ns1.diplodoger.com coffeeshop.antrexhost.com

C&C SERVER ASSIGNED 74.63.232.233

Month Primary Domain Alternate Domain
1/2011 taxadvice.ehostville.com taxfree.nethostplus.net
2/2011 ticket.hostnetline.com accounts.nethostplus.net
3/2011 flu.medicalcarenews.org logon.nethostplus.net
4/2011 vaccina.medinnovation.org imap.nethostplus.net
5/2011 ipadnews.netwebplus.net onlinebooking.nethostplus.net
6/2011 acdsee.licensevalidate.net imap.nethostplus.net
7/2011 wellness.hostfields.net pop3.nethostplus.net
8/2011 savupdate.licensevalidate.netschedules.nethostplus.net
9/2011 wiki.hostfields.netmediastream.nethostplus.net
10/2011taxadvice.ehostville.com taxfree.nethostplus.net
11/2011 ticket.hostnetline.com accounts.nethostplus.net
12/2011 flu.medicalcarenews.org logon.nethostplus.net


In addition to the affidavit for the TRO, FBI Special Agent Kenneth Keller got a most unusual Seizure Warrant. With the warrant, they requested that the court compel the Registrars of the 24 domain names posted above to change the DNS settings for the servers, so that they would resolve to SINKHOLE-00.SHADOWSERVER.ORG and SINKHOLE-01.SHADOWSERVER.ORG.

To maximize the difficult of taking down this bot, the criminal spread his domain registrations all over the world. He used Wild West Domains (US-AZ), Above.com (of Australia), Big Rock Solutions (of Mumbai), LiquidNet (UK), Network Solutions (US-Virginia), Active Registrar (SIngapore), 1&1 Internet (Germany), TuCows (Toronto), Dotster (US-Washington), MyDomain, Inc (US-Washington), DomainRegistry.com (US-New Jersey), and Melbourne IT (which is Yahoo!'s registrar of choice), Mesh Digital (UK), Misk.com (US-NY), Moniker (US-Florida), and Directi (India).

Obviously a US court order has little impact in Mumbai or Singapore, so it was important to get this done when the "active" domains were US-based.

A "SinkHole" in the cyber security world is a trick that is invoked to cause botnets who are trying to talk to a criminal server to instead talk to a computer owned by a researcher or investigator. Its a great way for both measuring levels of infection and also for preventing the bad guy from being able to talk to his bots.

In this case, the sinkhole went beyond this though. Here comes the cool part from this Temporary Restraining Order issued by the Honorable (and very smart!) Vanessa L. Bryant.

WHEREAS the Government has shown good cause to believe: (a) that hundreds of thousands of computers are infected by Coreflood, known collectively as the "Coreflood Botnet"; (b) that the computers infected by Coreflood can be remotely controlled by the
Defendants, using certain computer servers known as the "Coreflood C&C Servers" and certain Domains"; (c) that, on or about April 12, 2011, the Government will execute seizure warrants for the Coreflood C&C Servers and the Coreflood Domains; (d) that the Government's seizuer of the Coreflood C&C Servers and the Coreflood Domains will leave the infected computers still running Coreflood; (e) that allowing Coreflood to continue running on the infected computers will cause a continuing and substantial injury to the owners and users of the infected computers, exposing them to a loss of privacy and an increased risk of further computer intrusions; and (f) that it is feasible to stop Coreflood from running on infected computers by establishing a substitute command and control server;

WHEREAS the Coreflood Domains are listed in Schedule A, together with the corresponding registry, registar, and domain name service ("DNS") provider (collectively, the "Domain Service Providers") used by the Defendants with respect to each of the Coreflood Domains;

WHEREAS the Government has shown good cause to believe that: (a) it is reasonably likely that the Government can show that the Defendants are committing wire fraud and bank fraud and are engaging in unauthorized interception of electronic communications, as alleged; (b) it is reasonably likely that the Government can show a continuing and substantial injury to a class of persons, viz., the owners and users of computers infected by Coreflood; and (c) it is reasonably likely that the Government can show that the requested restraining order will prevent or ameliorate injury to that class of persons;

(etc...)

Pursuant to the authority granted by 28 U.S.C. $ 566, the United States Marshal for the District of Connecticut ("USMS") shall execute and enforce this Order, with the assistance of the Federal Bureau of Investigation ("FBI") if needed, by establishing a substitute server at the Internet Systems Consortium...that will respond to requests addressed to the Coreflood DOmains by issuing instructions that will cause the Coreflood software on infected computers to stop running, subject to the limitation that such instructions shall be issued only to computers reasonably determined to be in the United States.


The Restraining Order gave blanket permission for anything that was using the DNS servers "NS1.CYBERWATCHFLOOR.COM" (204.74.66.143) or "NS1.CYBERWATCHFLOOR.COM" (204.74.67.143) to instead point to Special Agent Kenneth Keller's server 149.20.51.124.




Of course, some people may not want the Department of Justice telling their computer what to do. Because of that possibility, the FBI Press Release offers the option:

The Department of Justice and FBI, working with Internet service providers around the country, are committed to identifying and notifying as many innocent victims as possible who have been infected with Coreflood, in order to avoid or minimize future fraud losses and identity theft resulting from Coreflood. Identified owners of infected computers will also be told how to "opt out" from the TRO, if for some reason they want to keep Coreflood running on their computers.

No comments:

Post a Comment

Trying a new setting. After turning on comments, I got about 20-30 comments per day that were all link spam. Sorry to require login, but the spam was too much.