Thursday, July 17, 2008

Russian Cybercrooks, CoreFlood, and the Amazing Joe Stewart

If the Anti-Virus world was run like the Chess world, we would all know Joe Stewart from SecureWorks as an International GrandMaster of Malware Analysis. One of the advantages of being an International GrandMaster of Malware Analysis is that you get to shine spotlights on really bad stuff -- and people listen! I'm talking about Stewart's excellent article in yesterday's USA Today on the Coreflood Gang. Before I returned home to find a copy of the article clipped and lying by my recliner by my dutiful paper-reading mother-in-law, I had several queries about "the Coreflood Gang", and I didn't know they even existed. Coreflood was a word from distant memory, dealing with pre-Windows XP machines for me. In fact the first searches I did took me to articles such as this 2003 Redmondmag article where Chris Belthoff from Sophos explains how the virus works. With a little digging we are able to see that the Coreflood Gang is Stewart's name for the group who is applying this virus from "ancient history" in Internet years to a new purpose and with a much higher payback. Other common names for the virus were Corefloo and AFCore.

The article, which seems a rehash of Robert McMillan's IDG article from July 2nd (here from InfoWorld): Trojan lurks, waiting to steal admin passwords, is a much-needed escalation from the technical press to the general public. Unfortunately it rings an alarm bell without giving any of the necessary details to know what to do about the possibility of your own machines being infected.

It lays out a situation where Stewart was able to come into possession of a cache of data which was harvested by the trojan he has dubbed Coreflood. The server contained MORE THAN 500 GIGABYTES of stolen data in compressed form, showing evidence of 378,758 unique Coreflood infections inside thousands of organizations.

The chart that accompanies the article discusses single organizations, including hospitals, hotel chains, universities, and school districts, each of which had many hundreds of infections. The worst example was a school district where more than 31,000 computers had been infected with this trojan.

As the PC World article made clear, the reason this type of infection is possible is a program called "PsExec", a SysInternals program currently distributed by Microsoft. The purpose of PsExec is to allow a Windows Domain Administrator to perform remote administrative tasks on machines throughout their network. What has made the CoreFlood trojan, first disclosed in 2001, suddenly newsworthy is its use of this tool. As Stewart explains in his Technical Analysis of Coreflood/AFCore, infected hosts lie in wait on their networks until a Domain Level Administrator logs in to the box. When the trojan detects that it has Domain Administrator privileges, it uses its copy of PsExec to perform a remote installation on all of the other hosts where that Domain Administrator account has control. A single infected computer can then become an entire network of infected computers in a matter of minutes!
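The fan-out Stewart describes leaves a trace a defender can look for: one administrator account causing PsExec-style service installations on many hosts within a few minutes. The script below is an added example (it is not from the article, from SecureWorks, or from any vendor write-up) that runs that check over a constructed text export of Windows System log "service installed" events. It assumes the export format shown in the sample, and it assumes PsExec's default service name, PSEXESVC, which the article does not mention; the event ID 7045 and the field layout are likewise assumptions about the export, not facts from the page.

```python
"""Flag PsExec-style fan-out from Windows service-install events.

Added example. The events below are constructed to mimic a text export of
System log Event ID 7045 ("A service was installed in the system"); the
field order (timestamp | host | event id | service name | image path |
installing user) is an assumption about the export, and PSEXESVC is
PsExec's default service name (not mentioned in the article).
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample export: four installs by one domain admin in 21 seconds,
# one unrelated vendor service, and one PsExec use by a helpdesk account.
SAMPLE_EVENTS = r"""
2008-07-10 09:01:12 | WS-ACCT-07 | 7045 | PSEXESVC | %SystemRoot%\PSEXESVC.exe | CORP\dadmin
2008-07-10 09:01:19 | WS-ACCT-08 | 7045 | PSEXESVC | %SystemRoot%\PSEXESVC.exe | CORP\dadmin
2008-07-10 09:01:27 | WS-LIB-02 | 7045 | PSEXESVC | %SystemRoot%\PSEXESVC.exe | CORP\dadmin
2008-07-10 09:01:33 | WS-LIB-03 | 7045 | PSEXESVC | %SystemRoot%\PSEXESVC.exe | CORP\dadmin
2008-07-10 11:42:00 | SRV-PRINT-1 | 7045 | Spooler Helper | C:\Program Files\Vendor\helper.exe | LocalSystem
2008-07-11 14:05:10 | WS-HR-01 | 7045 | PSEXESVC | %SystemRoot%\PSEXESVC.exe | CORP\helpdesk
"""

PSEXEC_NAME = re.compile(r"^psexesvc", re.IGNORECASE)


def parse_events(text):
    """Parse the pipe-separated export into a list of event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, host, event_id, service, image, user = [f.strip() for f in line.split("|")]
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "host": host,
            "event_id": int(event_id),
            "service": service,
            "image": image,
            "user": user,
        })
    return events


def is_psexec_install(event):
    """True for a service-install event whose service or binary name looks like PsExec's."""
    if event["event_id"] != 7045:
        return False
    image_name = event["image"].replace("/", "\\").rsplit("\\", 1)[-1]
    return bool(PSEXEC_NAME.match(event["service"]) or PSEXEC_NAME.match(image_name))


def find_fanout(events, window=timedelta(minutes=10), min_hosts=3):
    """Return {user: sorted hosts} for users whose PsExec installs reached
    at least min_hosts distinct hosts inside any single time window."""
    by_user = defaultdict(list)
    for ev in events:
        if is_psexec_install(ev):
            by_user[ev["user"]].append(ev)

    alerts = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["time"])
        best = set()
        # Slide a window starting at each event; keep the largest host set seen.
        for i, start in enumerate(evs):
            hosts = {e["host"] for e in evs[i:] if e["time"] - start["time"] <= window}
            if len(hosts) > len(best):
                best = hosts
        if len(best) >= min_hosts:
            alerts[user] = sorted(best)
    return alerts


if __name__ == "__main__":
    for user, hosts in find_fanout(parse_events(SAMPLE_EVENTS)).items():
        print(f"possible PsExec fan-out by {user}: {len(hosts)} hosts -> {', '.join(hosts)}")
```

In the sample the helpdesk account's single PsExec use is ignored, because the point is not that PsExec ran but that one account installed it on several machines almost at once; the window and host threshold are the knobs to tune against how your own administrators actually use the tool.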

Once infected, the computer becomes part of a very professional and elaborate botnet control system, which uses an SQL Database to sift, sort, and manage all of the data which it has stolen from keyloggers and files on its infected machines. In this way the controllers of Coreflood can make simple queries to their central database of stolen data such as, "Show me a bank account on Bank XYZ, where the balance is greater than $100,000!"

As I'm sure interest will be high in this virus after the story, I thought I would give some more hints on finding the AV program articles about it. (Since googling on CoreFlood will give you 2,000 blog articles on Joe's article!)

McAfee has been following malware called CoreFlood since at least October of 2001. As recently as July 3, 2008 they mention Coreflood and the fact that a tool called JailBreak, which is used to export items from the Windows Certificate Store, is often installed on the same computer. The file "sstore2K.exe" should be searched for if you are looking for recent CoreFlood infections. Their main article, which they call "CoreFlood.dr", was "recently updated to Low-Profile due to media attention", they say, referring to a PCWorld article from July 2nd on the trojan.
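A file-name sweep for that JailBreak artifact is the simplest check a sysadmin can run today. The script below is an added example, not McAfee's or the article's, that walks a directory tree, matches the name case-insensitively (so "SStore2K.EXE" is not missed), and records a SHA-256 of each hit for later comparison; the only indicator it carries is the "sstore2K.exe" name from the article, and the directory tree it scans is constructed in a temporary folder so it runs offline.

```python
"""Sweep a directory tree for the JailBreak file name quoted in the article.

Added example, not from the article or from McAfee. IOC_FILENAMES holds only
the name the article gives; the sample tree is constructed with tempfile so
the script runs offline. Point sweep() at real volumes to use it for a hunt.
"""
import hashlib
import os
import tempfile

# File names to hunt for, lower-cased. Only sstore2K.exe comes from the article.
IOC_FILENAMES = {"sstore2k.exe"}


def sha256_of(path):
    """Hash a file in chunks so large files do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def sweep(root, iocs=IOC_FILENAMES):
    """Return a sorted list of (path, sha256) for every file whose name
    matches an IOC, ignoring case. A name like 'sstore2K.exe.txt' is not a hit."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() in iocs:
                full = os.path.join(dirpath, name)
                hits.append((full, sha256_of(full)))
    return sorted(hits)


def build_sample_tree():
    """Constructed tree: one mixed-case hit and one decoy with a similar name.
    The file contents are placeholders, not malware."""
    root = tempfile.mkdtemp(prefix="coreflood_sweep_")
    os.makedirs(os.path.join(root, "Windows", "System32"))
    os.makedirs(os.path.join(root, "Temp"))
    with open(os.path.join(root, "Windows", "System32", "SStore2K.EXE"), "wb") as fh:
        fh.write(b"constructed placeholder file, not real malware")
    with open(os.path.join(root, "Temp", "sstore2K.exe.txt"), "wb") as fh:
        fh.write(b"decoy")
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for path, digest in sweep(sample_root):
        print(f"HIT {path}  sha256={digest}")
```

A name match on its own is only a lead: the hash is recorded so that hits across many machines can be compared with each other and with whatever your AV vendor publishes, and so that a renamed copy can still be matched later by hash rather than by name.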

Symantec, like McAfee until last week, has considered Coreflood to be a "Risk Level 1: Very Low" according to their main Coreflood article. They rate its number of infections as "More than 1000" at a number of sites "More than 10", in the article which was posted in 2002, with updates as recently as June 20, 2008. They describe the trojan as being "primarily designed to conduct Denial of Service (DoS) attacks", which was certainly what everyone believed until Stewart's revelation.

Symantec also has a detection for webpages that try to infect visitors with Coreflood, which has been the main path of infection since at least 2003, when the exploit described in Microsoft Security Bulletin MS03-032 was used to do "drive-by" attacks on webpage visitors.

A search at Sophos finds a 2003 article on CoreFloo-C, which describes the earlier IRC-controlled trojan, as well as a 2004 article on CoreFloo-D. They make it all the way through the alphabet several times with this one, with Afcore AJ being in August 2004. The current version seems to be named "CoreFlo", such as Troj/CoreFlo-P in January 2007, which they alias as "", and CoreFlood.dll, and Backdoor.Coreflood.

Speaking of going through the alphabet, F-Secure has enough versions of "Backdoor.Win32.Afcore" that they were on version "di", according to the July 13th version of their anti-virus signatures. Here's a description from Version Q, in 2003, which seems to be the last time this virus deserved its own article.

Good luck, Virus Hunters! I hope this article will help you move from "concerned" to "informed"!
