500G of data captured by single botnet

 

Long-lived Coreflood Trojan sweeps up data from more than 225,000 online accounts.

The Coreflood Trojan responsible for the infections has been around in one form or another since 2002, said Joe Stewart, director of malware research for SecureWorks Inc. The botnet is being used by a Russian crime group on whose command and control server Stewart found the stolen information. The data, which amounts to nearly 500 gigabytes, represents only six months of operations.

'They had erased the previous directories, probably because they didn't have room to keep it,' Stewart said. He estimated the group has stolen four times that amount of data, giving them access to accounts worth millions.

Stewart shared some of his research on Coreflood Wednesday at the Black Hat Briefings security conference. Because the Trojan has been circulating largely under the radar and spreads throughout an organization using a network administrator's privileges, it can be particularly insidious, he said.

'In the case of Coreflood, you've got people infected who didn't do anything wrong,' such as visiting suspect Web sites, letting their antivirus lapse or other unsafe computing practices. Because of this, it can take some expertise in IT security to be confident you are not infected. That has implications for the growing online economy. 'If you're not an expert, you probably shouldn't be online doing financial transactions,' he said. 'I am very worried about anybody using Windows and banking online.'

The Trojan apparently has been around since 2002, when it was being used for distributed denial of service attacks. It has since evolved to selling anonymity services and to full-fledged bank fraud. Computers are infected through a browser exploit using ActiveX controls, and the Coreflood installer is then downloaded.
Once a computer in an organization has been infected, the Trojan can wait until an administrator logs on to that computer, then use the administrator's privileges to spread to the rest of the computers in the network.

Coreflood is not an unknown Trojan, and antivirus engines routinely update their signatures for it, as with other forms of malware in the wild. But it has not gained a lot of notoriety because its handlers apparently are not offering the exploit or their data on the open market.

When Stewart stumbled on the database of stolen data on the command and control server, he found records of more than 378,000 bot IDs covering 16 months. The average lifespan for a Coreflood bot is 66 days.

The hackers cull through the information slowly. 'It is likely they are looking for the larger accounts,' Stewart said. He found a group of 740 accounts for one bank, of which the hackers had managed to examine just 79. They ran log-in scripts on those accounts, which often replied with account balances. The 79 accounts had total balances of $281,000. The average size of each account was about $4,500 for a savings account and $2,000 for checking, but the largest account was $147,000.

They have been taking money out, Stewart said; in one case as much as $100,000. But the compromises can go unnoticed for a long time because of the sheer volume of data the criminals must go through. 'You may not see any activity on an account for months,' he said. 'They just don't have the time to go through it all.'

The obvious question is, with all of this information available, why is Coreflood still out there? 'I wonder myself sometimes how they stay in business,' Stewart said. The original command and control server was shut down by the service provider after it was discovered, but it was moved to a different server and is back in business.
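The propagation pattern described above (a bot on one host waits for an administrator to log on, then reuses that administrator's privileges against the rest of the network) leaves a trace that does not depend on any user having done something wrong: a single privileged account reaching many hosts within a short span. The Python below is an added example, not part of the original article or of SecureWorks' research. It flags that kind of fan-out over a constructed log. The log format, the host and account names, and the "remote_exec" action are assumptions made for the example; they are not Windows event-log fields and not a description of Coreflood's internals.

```python
"""Flag a privileged account that reaches many hosts in a short window.

Added example (not from the original article or from SecureWorks). The log
format, hosts, accounts and the "remote_exec" action are constructed for
illustration; they are not Windows event-log fields or Coreflood internals.
"""
from collections import Counter, defaultdict, namedtuple
from datetime import datetime, timedelta

Event = namedtuple("Event", "time src account action dst")

# Constructed sample log: "<ISO time> <source host> <account> <action> <target host>".
# A helpdesk admin logs on to ws-014 and, seconds later, that host reaches six
# other workstations under the same account; a backup admin touches two servers.
SAMPLE_LOG = r"""
2008-01-15T09:00:12 ws-014 CORP\jdoe logon ws-014
2008-01-15T09:02:40 ws-014 CORP\admin-helpdesk logon ws-014
2008-01-15T09:03:05 ws-014 CORP\admin-helpdesk remote_exec ws-101
2008-01-15T09:03:06 ws-014 CORP\admin-helpdesk remote_exec ws-102
2008-01-15T09:03:06 ws-014 CORP\admin-helpdesk remote_exec ws-103
2008-01-15T09:03:07 ws-014 CORP\admin-helpdesk remote_exec ws-104
2008-01-15T09:03:08 ws-014 CORP\admin-helpdesk remote_exec ws-105
2008-01-15T09:03:09 ws-014 CORP\admin-helpdesk remote_exec ws-106
2008-01-15T13:15:00 ws-017 CORP\admin-backup remote_exec fs-01
2008-01-15T13:15:30 ws-017 CORP\admin-backup remote_exec fs-02
2008-01-15T16:40:00 ws-022 CORP\admin-helpdesk remote_exec ws-140
"""


def parse_log(text):
    """Parse whitespace-separated log lines into Event tuples, skipping blanks."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, account, action, dst = line.split()
        events.append(Event(datetime.fromisoformat(ts), src, account, action, dst))
    return events


def detect_fanout(events, min_targets=5, window=timedelta(minutes=10),
                  actions=("remote_exec",)):
    """Return {account: sorted target hosts} for every account that reached at
    least `min_targets` distinct remote hosts inside some `window`-long span.

    A sliding window over each account's time-ordered remote actions keeps a
    count of distinct targets; the largest qualifying set is reported.
    """
    by_account = defaultdict(list)
    for e in events:
        if e.action in actions and e.src != e.dst:
            by_account[e.account].append(e)

    findings = {}
    for account, evs in by_account.items():
        evs.sort(key=lambda e: e.time)
        in_window = Counter()  # target host -> hits inside the current window
        left = 0
        best = set()
        for e in evs:
            in_window[e.dst] += 1
            # Drop events that fell out of the window behind this one.
            while e.time - evs[left].time > window:
                old = evs[left].dst
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            if len(in_window) >= min_targets and len(in_window) > len(best):
                best = set(in_window)
        if best:
            findings[account] = sorted(best)
    return findings


if __name__ == "__main__":
    for account, hosts in detect_fanout(parse_log(SAMPLE_LOG)).items():
        print(f"{account}: {len(hosts)} hosts in one window -> {', '.join(hosts)}")
```

On the sample, only the helpdesk account trips the rule; the backup account's two servers stay under the threshold, and the helpdesk account's single later action falls outside the window. The threshold and window have to be baselined against legitimate administration (patch deployment, inventory scans and remote support tools produce the same fan-out), so treat a hit as a lead for checking which account logged on to the source host just beforehand, not as a verdict.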
United States law enforcement agencies do not have the clout needed to prosecute the Russian criminals, he said. 'The relationships are not as good as they need to be to have effective action taken,' he said. 'The people in law enforcement tell me that to get anything done, they have to go through diplomatic channels,' which can take years. 'There has to be political pressure brought to bear. It has to be a priority.'

So far this has not happened, but 'we think there might be a better chance of getting these guys because of who they have infected,' Stewart said. Among the compromised organizations with records found by Stewart was a state police department.

LAS VEGAS: A cache of stolen data gathered from a botnet that has been quietly sweeping up information for years contained the user names and passwords for:


  • 8,485 bank accounts,
  • 3,233 credit card accounts,
  • 151,000 e-mail accounts,
  • 58,391 social networking site accounts,
  • 4,237 online retailer accounts,
  • 416 stock trading accounts,
  • 869 payment processor accounts,
  • 413 mortgage accounts, and
  • 422 finance company accounts.
