Slashdot Mirror


A Look At the CoreFlood Botnet

CNet is running a story about research from security expert Joe Stewart into the CoreFlood botnet, which has harvested at least "50 gigabytes of compressed data, searchable in a MySQL database," from a group of over 370,000 bot IDs. Stewart explains how the botnet operates and some of the things he's learned about the group that operates it. "Within the 50GB file, Stewart was able to discern how the thieves culled the data. He said they run a test script against that data that will log via a proxy into the bank using the credentials captured, say by a keylogging application. The CoreFlood script will then capture the HTML data on the post-log-in page. In most cases, that page also contains the account's bank balance. They do that, he said, so that after running the test they have a picture of what are the highest dollar amounts. 'I don't know whether they steal from all of them. We don't have access to the accounts; the bank is not going to tell us how much was stolen out of any given account. We're not going to get that information, but we know they're actively logging and checking accounts to collect the balance data. The only reason (the script) can see that data is to target the biggest accounts first,' he said."

13 of 120 comments

  1. Key Generator by FriendlyLurker · · Score: 4, Interesting

    My bank (HSBC) gives me a little keychain key generator that spits out a 6-digit number when I press the button. All logins must also include the key number... I wonder if this simple measure would stop dead any keylogger attacks like this, or whether, with enough monitoring over a reasonable time, they could reverse-engineer the generator's seeds?

    1. Re:Key Generator by shungi · · Score: 5, Interesting

      A good solution is to send a text message containing a code to your mobile phone every time you make a transaction (or perhaps group of transactions). You then have to punch the code into the website.

    2. Re:Key Generator by Uber+Banker · · Score: 5, Interesting

      When I was opening my first bank account (independently opening, back in 1995) I wrote a similar response on the form for Mother's Maiden Name as you stated above - a little more secure. Only to have the bank call my home to tell me that it could not be a maiden name, and to please state her maiden name. Either HSBC or NatWest, I forget now which. 1995. I hope awareness of security has increased.

    3. Re:Key Generator by sam0737 · · Score: 2, Interesting

      Well... talking about Mother's maiden name: at one of the banks in China, their online banking software requires me to pick 5 questions to answer from 3 groups, at least one from each. The groups are:
      Name of a family member: brothers, sisters, parents, children, uncle/aunt or grandparents.
      Name of a teacher: the class master, or the language class teacher, or the math teacher of elementary, middle, or high school.
      Date of birth of the family member.

      Then the next time you do a sensitive process (change password / change the questions), it randomly chooses one question and asks you.
      Or when you call the customer center, it won't ask for your password but instead asks you 3 of these questions.

      Well, not sure if it's a good system or not. But at least it gives me some peace of mind.

    4. Re:Key Generator by dkf · · Score: 2, Interesting

      The problem is that the carriers are unreliable in timing of delivery even w/o grid problems. So many times I have gotten text messages and even voice mail hours after they were sent.

      I've had it take 9 months. Admittedly I wasn't in my home country at the time the SMS was sent.

      --
      "Little does he know, but there is no 'I' in 'Idiot'!"

    5. Re:Key Generator by tehniobium · · Score: 3, Interesting

      Sounds exactly like what I have in Denmark... Actually, only people who DON'T use IE get the pad at my bank... :D. IE users get an ActiveX plugin. Yay for the world's least secure browser.

      --
      No kitty, this is my pot pie!

    6. Re:Key Generator by caluml · · Score: 2, Interesting

      I mentioned this above, but I wanted such a system for myself, so I wrote one that runs on Java enabled phones. mobfob.calum.org. Works well enough. The cryptographic hashing is just an MD5 sum, but if you don't know the key, you can't predict the hash. I just want to find someone who can write a PAM module so that it can be hooked into SSH, /bin/login, etc.

  2. Re:Criminal by Timesprout · · Score: 4, Interesting

    You must be criminally inclined if you think setting up a system to steal from others would be fun.

    --
    Do not try to read the dupe, that's impossible. Instead, only try to realize the truth
    What truth?
    There is no dupe

  3. Re:Online banking? Sign me up!!!! by purpledinoz · · Score: 3, Interesting

    In Germany, any money transaction requires you to enter something called an iTAN number. These numbers are mailed to you, so even if some hacker was able to gain access to your account online, no transfers can be made because they won't have the iTAN numbers. Unless you're dumb enough to scan these numbers and store them on your computer. It's a little bit of a pain in the ass, but after reading this article, I'm glad that this system exists.

  4. Re:Criminal by sammyF70 · · Score: 2, Interesting

    Maybe just technically interested. Writing and setting up a botnet like this one within the limitations inherent to something that's illegal sounds like an interesting challenge.

    --
    "DRM is like the Ford Pinto: it's a smooth ride, right up to the point at which it explodes and ruins your day." - C. Doctorow

  5. Re:Baby steps to the solution by Yetihehe · · Score: 3, Interesting

    Or, like at my bank, they send me an authorization code by SMS, stating which operation it is, how much it is, and the account number to which the money goes. It's much cheaper.

    --
    Extreme Programming - Redundant Array of Inexpensive Developers

  6. This is a good way to do it. by Anonymous Coward · · Score: 1, Interesting

    My bank (SEB Sweden) uses a token from Vasco.

    Login works like this:
    username: birthdate + personal number (something like a social security number)
    passwd: code generated by 2 numbers from the webpage punched into the token

    When you are done and want to make your transaction, I punch in 1 number from the webpage and the amount of the transfer, and get a number back to sign the transaction.

    I believe this is pretty secure since you approve that amount to be transferred and the amount is in the code I sign the transfer with. So it's pretty hard to change the amount and the accounts that will receive the transfer.
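The challenge/response login and the amount-bound transaction code described in the SEB comment above (and the keyed-hash phone token caluml mentions) can be modelled in a few lines. This is an added illustration, not the poster's bank's or Vasco's actual algorithm: it assumes an HMAC-SHA256 over the challenge, amount and destination account with HOTP-style (RFC 4226) truncation to 6 digits, and every key and value below is constructed for the demo.

```python
import hashlib
import hmac

# Constructed demo secret. In a real deployment this lives only inside the
# hardware token and the bank's verifier, never on the customer's PC, which is
# why a keylogger on the PC cannot compute codes on its own.
TOKEN_SECRET = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
DIGITS = 6


def sign_response(secret: bytes, challenge: str, amount: str = "", account: str = "") -> str:
    """Token side: derive a short numeric code bound to the bank's challenge
    and, for a transfer, to the amount and destination account typed in."""
    msg = "|".join([challenge, amount, account]).encode()
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    # HOTP-style dynamic truncation so the code fits on a numeric keypad.
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


def verify_code(secret: bytes, challenge: str, amount: str, account: str, code: str) -> bool:
    """Bank side: recompute the expected code for what the bank is about to
    execute and compare in constant time."""
    return hmac.compare_digest(sign_response(secret, challenge, amount, account), code)


def demo() -> dict:
    # The bank issues a fresh random challenge per login / transaction
    # (constructed values here; a real bank would draw them randomly).
    challenge = "4821"
    login_code = sign_response(TOKEN_SECRET, challenge)
    # The customer signs a transfer of 250 to account 12345.
    tx_code = sign_response(TOKEN_SECRET, challenge, "250", "12345")
    return {
        "login_ok": verify_code(TOKEN_SECRET, challenge, "", "", login_code),
        "tx_ok": verify_code(TOKEN_SECRET, challenge, "250", "12345", tx_code),
        # A keylogged tx_code no longer verifies if the amount is altered...
        "tampered_amount": verify_code(TOKEN_SECRET, challenge, "9999", "12345", tx_code),
        # ...or the destination account is swapped...
        "tampered_account": verify_code(TOKEN_SECRET, challenge, "250", "66666", tx_code),
        # ...and it cannot be replayed against a later challenge.
        "replayed": verify_code(TOKEN_SECRET, "7730", "250", "12345", tx_code),
    }


if __name__ == "__main__":
    print(demo())
```

The limit of this scheme is the display: the token only binds what the customer typed into it, so malware that changes the amount on the web page before the customer reads it is not caught unless the confirmation (as in the SMS schemes above) repeats the amount and account back.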

  7. Target biggest first? by andyh-rayleigh · · Score: 5, Interesting

    "The only reason (the script) can see that data is to target the biggest accounts first,' he said."

    That depends on the objective and tactics of the attacker:
    Although the obvious assumption is that the attacker wishes to gain as much money as possible with a minimal chance of being caught, it may be that (s)he is less greedy and/or more cautious.

    Suppose that your target is a total of, say, $200K rather than the assumed multi-millions. You are far less likely to be caught or to trigger money-laundering precautions. In a case like this your best strategy might well be to go for above-average but not top 10% balances.

    Similarly, if you ARE going for the maximum while still hoping your chance of being caught is low, it may well be worth steering clear of the very highest balances as they could be more closely monitored (and some of them are probably "honeypots").