News

Coreflood Trojan Stole 500G of Personal Financial Data

• By William Jackson
• August 7, 2008

• 8,485 bank accounts
• 3,233 credit card accounts
• 151,000 e-mail accounts
• 58,391 social networking site accounts
• 4,237 online retailer accounts
• 416 stock trading accounts
• 869 payment processor accounts
• 413 mortgage accounts
• 422 finance company accounts

The Coreflood Trojan responsible for the infections has been around in one form or another since 2002, said Joe Stewart, director of malware research for SecureWorks Inc. The botnet is being used by a Russian crime group on whose command and control server Stewart found the stolen information. The data, which amounts to nearly 500 gigabytes, represents only six months of operations.

"They had erased the previous directories, probably because they didn't have room to keep it," Stewart said.

He estimated the group has stolen four times that amount of data, giving them access to accounts worth millions.

Stewart shared some of his research on Coreflood Wednesday at the Black Hat Briefings security conference. Because the Trojan has been circulating largely under the radar and spreads throughout an organization using a network administrator's privileges, it can be particularly insidious, he said.

"In the case of Coreflood, you've got people infected who didn't do anything wrong," such as visiting suspect Web sites, letting their anti-virus lapse or other unsafe computing practices. Because of this, it can take some expertise in IT security to be confident you are not infected. That has implications for the growing online economy. "If you're not an expert, you probably shouldn't be online doing financial transactions," he said. "I am very worried about anybody using Windows and banking online."

The Trojan apparently has been around since 2002, when it was being used for distributed denial-of-service attacks. It has since evolved to selling anonymity services and to full-fledged back fraud. Computers are infected through a browser exploit using ActiveX controls, and the Coreflood installer is then downloaded. Once a computer in an organization has been infected, the Trojan can wait until an administrator logs on to that computer, then gains the administrator's privileges to spread to the rest of the computers in the network.

Coreflood is not an unknown Trojan and anti-virus engines routinely update their signatures for it, as with other forms of malware in the wild. But it has not gained a lot of notoriety because its handlers apparently are not offering the exploit or their data on the open market. When Stewart stumbled on the database of stolen data on the command and control server, he found records of more than 378,000 bot IDs covering 16 months. The average lifespan for a Coreflood bot is 66 days.

The hackers cull through the information slowly.

"It is likely they are looking for the larger accounts," Stewart said. He found a group of 740 accounts for one bank, of which the hackers had managed to examine just 79. They ran log-in scripts on those accounts, which often replied with account balances. The 79 accounts had total balances of $281,000. The average size of each account was about $4,500 for a savings account and $2,000 for checking, but the largest account was $147,000.

They have been taking money out, Stewart said; in one case as much as $100,000. But the compromises can go unnoticed for a long time because of the sheer volume of data the criminals must go through.

"You may not see any activity on an account for months," he said. "They just don't have the time to go through it all."

The obvious question is, with all of this information available, why is Coreflood still out there?

"I wonder myself sometimes how they stay in business," Stewart said. The original command and control server was shut down by the service provider after it was discovered, but it was moved to a different server and is back in business. U.S. law enforcement agencies do not have the clout needed to prosecute the Russian criminals, he said.

"The relationships are not as good as they need to be to have effective action taken," he said. "The people in law enforcement tell me that to get anything done, they have to go through diplomatic channels," which can take years. "There has to be political pressure brought to bear. It has to be a priority."

So far this has not happened, but "we think there might be a better chance of getting these guys because of who they have infected," Stewart said. Among those compromised organizations with records found by Stewart was a state police department.