Coreflood Trojan Stole 500G of Personal Financial Data
A cache of stolen data gathered from a botnet that has been quietly sweeping
up information for years contained the user names and passwords for:
- 8,485 bank accounts
- 3,233 credit card accounts
- 151,000 e-mail accounts
- 58,391 social networking site accounts
- 4,237 online retailer accounts
- 416 stock trading accounts
- 869 payment processor accounts
- 413 mortgage accounts
- 422 finance company accounts
The Coreflood Trojan responsible for the infections has been around in one
form or another since 2002, said Joe Stewart, director of malware research for
SecureWorks Inc. The botnet is being used by a Russian crime group on whose
command and control server Stewart found the stolen information. The data, which
amounts to nearly 500 gigabytes, represents only six months of operations.
"They had erased the previous directories, probably because they didn't
have room to keep it," Stewart said.
He estimated the group has stolen four times that amount of data, giving them
access to accounts worth millions.
Stewart shared some of his research on Coreflood Wednesday at the Black Hat
Briefings security conference. Because the Trojan has been circulating largely
under the radar and spreads throughout an organization using a network administrator's
privileges, it can be particularly insidious, he said.
"In the case of Coreflood, you've got people infected who didn't do anything
wrong," such as visiting suspect Web sites, letting their anti-virus lapse or
other unsafe computing practices. Because of this, it can take some expertise
in IT security to be confident you are not infected. That has implications for
the growing online economy. "If you're not an expert, you probably shouldn't
be online doing financial transactions," he said. "I am very worried about anybody
using Windows and banking online."
The Trojan apparently has been around since 2002, when it was being used for
distributed denial-of-service attacks. It has since evolved to selling anonymity
services and to full-fledged back fraud. Computers are infected through a browser
exploit using ActiveX controls, and the Coreflood installer is then downloaded.
Once a computer in an organization has been infected, the Trojan can wait until
an administrator logs on to that computer, then gains the administrator's privileges
to spread to the rest of the computers in the network.
Coreflood is not an unknown Trojan and anti-virus engines routinely update
their signatures for it, as with other forms of malware in the wild. But it
has not gained a lot of notoriety because its handlers apparently are not offering
the exploit or their data on the open market. When Stewart stumbled on the database
of stolen data on the command and control server, he found records of more than
378,000 bot IDs covering 16 months. The average lifespan for a Coreflood bot
is 66 days.
The hackers cull through the information slowly.
"It is likely they are looking for the larger accounts," Stewart
said. He found a group of 740 accounts for one bank, of which the hackers had
managed to examine just 79. They ran log-in scripts on those accounts, which
often replied with account balances. The 79 accounts had total balances of $281,000.
The average size of each account was about $4,500 for a savings account and
$2,000 for checking, but the largest account was $147,000.
They have been taking money out, Stewart said; in one case as much as $100,000.
But the compromises can go unnoticed for a long time because of the sheer volume
of data the criminals must go through.
"You may not see any activity on an account for months," he said.
"They just don't have the time to go through it all."
The obvious question is, with all of this information available, why is Coreflood
still out there?
"I wonder myself sometimes how they stay in business," Stewart said. The original
command and control server was shut down by the service provider after it was
discovered, but it was moved to a different server and is back in business.
U.S. law enforcement agencies do not have the clout needed to prosecute the
Russian criminals, he said.
"The relationships are not as good as they need to be to have effective
action taken," he said. "The people in law enforcement tell me that
to get anything done, they have to go through diplomatic channels," which
can take years. "There has to be political pressure brought to bear. It
has to be a priority."
So far this has not happened, but "we think there might be a better chance of
getting these guys because of who they have infected," Stewart said. Among those
compromised organizations with records found by Stewart was a state police department.