Slashdot Mirror
A Look At the CoreFlood Botnet
CNet is running a story about research from security expert Joe Stewart into the CoreFlood botnet, which has harvested at least "50 gigabytes of compressed data, searchable in a MySQL database," from a group of over 370,000 bot IDs. Stewart explains how the botnet operates and some of the things he's learned about the group that operates it.
"Within the 50GB file, Stewart was able to discern how the thieves culled the data. He said they run a test script against that data that will log via a proxy into the bank using the credentials captured, say by a keylogging application. The CoreFlood script will then capture the HTML data on the post long-in page. In most cases, that page also contains the account's bank balance. They do that, he said, so that after running the test they have a picture of what are the highest dollar amounts. 'I don't know whether they steal from all of them. We don't have access to the accounts; the bank is not going to tell us how much was stolen out of any given account. We're not going to get that information, but we know they're actively logging and checking accounts to collect the balance data. The only reason (the script) can see that data is to target the biggest accounts first,' he said."
One-time-password generators protect against replay attacks, but they do not protect against modified transactions. If an attacker has root on your system, then he can simply escalate the keylogging attack to a live modification of the transaction data.
A better approach would be to use a class 3 card terminal. That's a small computer with a strictly defined purpose and specification (and therefore tremendously easier to secure). It has a display so that you can see the transaction that you authorize, without interference from software on a compromised PC, and it has a keypad so that you can enter the PIN and confirmation, without software on a compromised PC being able to capture any of it. These devices exist. The only reason they're not being used must be that the problem is currently not big enough to justify the cost of giving every customer a card terminal.
Umm, no. Playing Civilization on computer can be fun even if you are not inclined being a dictator or conqueror.
Anytime I read "it could happen to anybody" in a security article, I am always skeptical. I think "it could happen to any *average* computer user/net surfer" is a better adage.
Most here assembled, though not 100 percent immune, are far less susceptible than an "average" user to any sort of malware infection.
Ignorance is curable, stupid is forever.
You would either have to be a hopeless moralist or simply dull around the edges to not fun such an idea fun/interesting. Interest in criminal ideas no more makes you a criminal than interest in horror movies makes you a masochist, or someone harboring murderous intent. What a naive comment.
I think the Atlantic Ocean does not help too much protecting the US from Internet fraud.
Uh, RTFA - you are under constant attack from Eastern European criminal organizations.
Watch this Heartland Institute video
Yes, but to do this properly would generally require someone to have access to the internal programming of the banking system. Making 1 cent transactions might be possible, but they will certainly show up and be more noticeable than if 1 cent just disappeared from the balance. If your account has 200 transactions a month and carries a balance over $20000, you're only going to try to balance that so many times before you give up trying to find the penny. Heck, you could lose a dollar or two at that rate and likely get away with it. But the importance of this method is that the actual transaction doesn't show up.
Then again... if you could find a way to disguise the transaction as a fee, it would likely get overlooked as well. :)
-Restil
Play with my webcams and lights here