Slashdot Mirror


A Look At the CoreFlood Botnet

CNet is running a story about research from security expert Joe Stewart into the CoreFlood botnet, which has harvested at least "50 gigabytes of compressed data, searchable in a MySQL database," from a group of over 370,000 bot IDs. Stewart explains how the botnet operates and some of the things he's learned about the group that operates it. "Within the 50GB file, Stewart was able to discern how the thieves culled the data. He said they run a test script against that data that will log via a proxy into the bank using the credentials captured, say by a keylogging application. The CoreFlood script will then capture the HTML data on the post-login page. In most cases, that page also contains the account's bank balance. They do that, he said, so that after running the test they have a picture of what are the highest dollar amounts. 'I don't know whether they steal from all of them. We don't have access to the accounts; the bank is not going to tell us how much was stolen out of any given account. We're not going to get that information, but we know they're actively logging and checking accounts to collect the balance data. The only reason (the script) can see that data is to target the biggest accounts first,' he said."

40 of 120 comments

  1. Key Generator by FriendlyLurker · · Score: 4, Interesting

    My bank (HSBC) gives me a little keychain key generator that spits out a 6-digit number when I press the button. All logins must also have the key number... I wonder if this simple measure would stop dead any keylogger attacks like this, OR with enough reasonable time monitoring they could reverse engineer the generator's seeds?

    1. Re:Key Generator by Entropy98 · · Score: 2, Informative

      I'd like something like that. My bank said if someone gets access to my account I'm screwed. All I have protecting me is having to answer 1 of 3 questions. Mother's maiden name, etc.
      --
      IP Finding

    2. Re:Key Generator by Anonymous Coward · · Score: 5, Informative

      Not only do I use one of those for logging in, but any financial transaction has to be signed with the pad.

      For the bank where I have my loans, I have an SSL certificate and signature to confirm my identity.
      That same certificate is tied to my national identity card, meaning I can use it for a lot of other things as well.

      All in all, I can't understand why the US is so far behind when it comes to online banking.
      I mean, I've had this for eight years now, and it's been around longer.

      Much love from Sweden ;)

    3. Re:Key Generator by shungi · · Score: 5, Interesting

      A good solution is to send a text message containing a code to your mobile phone every time you make a transaction (or perhaps group of transactions). You then have to punch the code into the website.

    4. Re:Key Generator by MrMr · · Score: 4, Informative

      That can be effective, just make sure the answers are not correct in a naive way. For instance, Mother's maiden name = FE31BB076800267D0BA etc...

    5. Re:Key Generator by drspliff · · Score: 2, Informative

      This solution already exists in the form of one-time security codes like the RSA SecurID range of products.
      Basically it's a PRNG which spits out a number every few minutes which is unique to the customer.

    6. Re:Key Generator by mapkinase · · Score: 2, Informative

      The problem is that the carriers are unreliable in timing of delivery even w/o grid problems. So many times I have got text messages and even voice mail hours after it was delivered.

      PS. I am with Verizon Wireless

      --
      I do not believe in karma. "Funny"=-6. Do good and forbid evil. Yours, Oft-Offtopic Flamebaiting Troll.
    7. Re:Key Generator by Uber+Banker · · Score: 5, Interesting

      When I was opening my first bank account (independently opening, back in 1995) I wrote a similar response on the form to Mother's Maiden Name as you stated above - a little more secure. Only to have the bank call my home to tell me that could not be a maiden name, please state her maiden name. Either HSBC or Natwest, I forget now which. 1995. I hope awareness over security has increased.

    8. Re:Key Generator by sam0737 · · Score: 2, Informative

      Most Chinese payment gateways (for processing online credit/debit card transactions) do this. You need to type the one-time password from the text message sent to the registered phone.

      Generally I hate this a lot unless they offer an alternative: Think when you are traveling, which I do a lot. Luckily, the payment gateway is only used to authorize China's website online transaction, but not every other online credit card transactions so I am not seriously affected (yet).

    9. Re:Key Generator by sam0737 · · Score: 2, Interesting

      Well...talking about Mother's maiden name: in one of the banks in China, their online banking software requires me to pick 5 questions to answer from 3 groups, at least one from each. The groups are:
      Name of family member: brothers, sisters, parents, children, uncle/aunt or grand parents.
      Name of teachers: The class master, or language class teacher, or math teacher of elementary, middle, or high school.
      Date of birth of the family member.

      Then next time when you do a sensitive process (change password / change the questions), it randomly chooses one question and asks you.
      Or when you call the customer center, it won't ask for your password but instead asks you 3 of these questions.

      Well, not sure if it's a good system or not. But at least it gives me some peace of mind.

    10. Re:Key Generator by dkf · · Score: 2, Interesting

      > The problem is that the carriers are unreliable in timing of delivery even w/o grid problems. So many times I have got text messages and even voice mail hours after it was delivered.

      I've had it take 9 months. Admittedly I wasn't in my home country at the time the SMS was sent.

      --
      "Little does he know, but there is no 'I' in 'Idiot'!"
    11. Re:Key Generator by Missing_dc · · Score: 2, Funny

      Wow, I hope that wasn't for paying a bill, you might find your house foreclosed when you get back.

      --
      How amazed would you be to suddenly find that you just forgot what I wrote and you needed to reread my post.... again.
    12. Re:Key Generator by Anonymous Coward · · Score: 2, Funny

      Hmmm...lowish /. ID, mother's maiden name strange, ALIEN! Run!!!!!

    13. Re:Key Generator by tehniobium · · Score: 3, Interesting

      Sounds exactly like what I have in Denmark... Actually, only people who DON'T use IE get the pad in my bank...:D. IE users get an ActiveX plugin. Yay for the world's least secure browser.

      --
      No kitty, this is my pot pie!
    14. Re:Key Generator by caluml · · Score: 2, Interesting

      I mentioned this above, but I wanted such a system for myself, so I wrote one that runs on Java enabled phones. mobfob.calum.org. Works well enough. The cryptographic hashing is just an MD5 sum, but if you don't know the key, you can't predict the hash. I just want to find someone who can write a PAM module so that it can be hooked into SSH, /bin/login, etc.

    15. Re:Key Generator by kwark · · Score: 3, Informative

      Why create your own if instead you could use the decades-old S/KEY (http://tools.ietf.org/rfc/rfc1760.txt)?

      Your distro might have this in packages called opie. Debian packages:
      opie-client - OPIE programs for generating OTPs on client machines
      opie-server - OPIE programs for maintaining an OTP key file
      libpam-opie - Use OTPs for PAM authentication

      Java implementations can be found eg: http://math.berkeley.edu/~vojta/opiekey.html
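The S/KEY scheme the comment above points to (RFC 1760) is a hash chain: the server stores only H^n of a seeded passphrase, and each login must present H^(n-1), which the server hashes once and compares. The example below is added here and is not part of the post, OPIE or any bank's code; it keeps the chain logic and the 64-bit fold of RFC 1760 but uses SHA-256 instead of MD4, since MD4 is often missing from modern hashlib builds. Seed and passphrase values are constructed.

```python
"""S/KEY-style one-time-password chain (added example, not from the thread)."""
import hashlib


def fold64(data: bytes) -> bytes:
    """Hash `data` and fold the digest to 8 bytes by XOR, as RFC 1760 does
    with MD4 (SHA-256 is substituted here; the chain logic is the point)."""
    digest = hashlib.sha256(data).digest()
    out = bytearray(8)
    for i, b in enumerate(digest):
        out[i % 8] ^= b
    return bytes(out)


def make_chain(seed: str, passphrase: str, n: int) -> list:
    """Return [H^0, H^1, ..., H^n] with H^0 = fold64(seed + passphrase)."""
    chain = [fold64((seed + passphrase).encode())]
    for _ in range(n):
        chain.append(fold64(chain[-1]))
    return chain


def client_otp(seed: str, passphrase: str, seq: int) -> bytes:
    """What an opiekey-style calculator answers to challenge 'seq seed': H^(seq-1).
    The passphrase never leaves the client; only this one value is typed in."""
    return make_chain(seed, passphrase, seq - 1)[-1]


class OtpServer:
    """Stores only the last accepted value and its sequence number, so a stolen
    key file cannot be used to compute any earlier (still unused) password."""

    def __init__(self, seed: str, last_value: bytes, seq: int):
        self.seed = seed
        self.last = last_value   # H^seq
        self.seq = seq

    def challenge(self) -> tuple:
        """The prompt the server sends, e.g. 'otp-xxx 5 ke1234'."""
        return (self.seq, self.seed)

    def verify(self, candidate: bytes) -> bool:
        """Accept iff fold64(candidate) == stored value; then store candidate.
        A replayed or out-of-order value never hashes to the stored one."""
        if self.seq == 0:
            return False  # chain exhausted: the key must be re-initialised
        if fold64(candidate) != self.last:
            return False
        self.last = candidate
        self.seq -= 1
        return True
```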

    16. Re:Key Generator by sam0737 · · Score: 2, Informative

      Well, one thing that I didn't mention: to log in to the banking system in the first place, before any operations can be carried out, you need a digital certificate (and ordinary password and username).

      It could either be a USB thumbdrive hardware form issued from the bank, or an imported PFX file.

    17. Re:Key Generator by sharperguy · · Score: 2, Funny

      My mother is called FE31BB076800267D0BA you insensitive clod!

      --
      "sudo rm -rf your-face"
    18. Re:Key Generator by Anonymous Coward · · Score: 2, Insightful

      I think the Atlantic Ocean does not help too much protecting the US from Internet fraud.

    19. Re:Key Generator by Eunuchswear · · Score: 2, Insightful

      > Because in the US, we're not constantly under attack by Eastern European criminal organizations.

      Uh, RTFA - you are under constant attack from Eastern European criminal organizations.

      --
      Watch this Heartland Institute video
    20. Re:Key Generator by Ihmhi · · Score: 2, Funny

      Ah, memories. Mrs. FE31BB076800267D0BA always did make the best brownies back in the day.

  2. Useful information... by Anonymous Coward · · Score: 5, Funny

    Botnets need to start logging something useful.

    Like slashdot accounts with moderator points.

  3. Re:Criminal by Timesprout · · Score: 4, Interesting

    You must be criminally inclined if you think setting up a system to steal from others would be fun.

    --
    Do not try to read the dupe, that's impossible. Instead, only try to realize the truth
    What truth?
    There is no dupe
  4. Security Expert Joe Stewart by Anonymous Coward · · Score: 2, Funny

    First I thought "so that's what he's going to do without George Bush in the White House" but then I realized it's Joe the Security Expert, not Jon the Daily Show host.

  5. Baby steps to the solution by Anonymous Coward · · Score: 5, Insightful

    One-time-password generators protect against replay attacks, but they do not protect against modified transactions. If an attacker has root on your system, then he can simply escalate the keylogging attack to a live modification of the transaction data.

    A better approach would be to use a class 3 card terminal. That's a small computer with a strictly defined purpose and specification (and therefore tremendously easier to secure). It has a display so that you can see the transaction that you authorize, without interference from software on a compromised PC, and it has a keypad so that you can enter the PIN and confirmation, without software on a compromised PC being able to capture any of it. These devices exist. The only reason they're not being used must be that the problem is currently not big enough to justify the cost of giving every customer a card terminal.

    1. Re:Baby steps to the solution by sam0737 · · Score: 2, Funny

      Sounds much harder to build right than an electronic voting machine...

    2. Re:Baby steps to the solution by Yetihehe · · Score: 3, Interesting

      Or, like in my bank, they send me an authorization code by SMS, stating which operation it is, how much it is, and the account number to which the money goes. It's much cheaper.

      --
      Extreme Programming - Redundant Array of Inexpensive Developers
    3. Re:Baby steps to the solution by Anonymous Coward · · Score: 3, Informative

      Several problems with that:

      • SMS messages may be delayed
      • SMS messages are not encrypted end-to-end
      • Cellphones are no more secure than PCs
      • The additional security from using two separate devices is lost when you do online banking on your cellphone.
      • It's only cheaper if you do relatively few transactions. SMS messages are the most expensive form of data communication there is.
    4. Re:Baby steps to the solution by ard · · Score: 2, Informative

      > These devices exist. The only reason they're not being used must be that the problem is currently not big enough to justify the cost of giving every customer a card terminal.

      Not being used in the US perhaps... I've had one for several years with Swedbank. They are also used by another major swedish bank, SEB.

      http://www.seb.se/digipass

      http://www.swedbank.se/sst/inf/out/infOutHjalp/0,3769,55142,00.html

    5. Re:Baby steps to the solution by Yetihehe · · Score: 2, Informative

      > Several problems with that:

      > • SMS messages may be delayed

      Never happened to me, typically the SMS is on my cellphone 3 seconds after clicking "send" on the page.

      > • Cellphones are no more secure than PCs

      You can't install keyloggers on most cellphones.

      > • The additional security from using two separate devices is lost when you do online banking on your cellphone.

      It's not about two devices. It's about using a cellphone instead of a separate token or no token.

      > • It's only cheaper if you do relatively few transactions. SMS messages are the most expensive form of data communication there is.

      Depends where. Where I live sending an SMS costs me $0.05, receiving is free. Other carriers often have cheaper SMS. For a bank it may be a lot cheaper for mass messaging.

      --
      Extreme Programming - Redundant Array of Inexpensive Developers
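The "Baby steps to the solution" post argues that a plain one-time password stops replay but not a transaction modified by malware on the PC, and that a class 3 terminal (or, as Yetihehe's bank does, an SMS stating operation, amount and destination account) fixes this by binding the code to what the customer actually sees. The example below is added here and is not code from any bank, token vendor or the thread; the shared secret, payee strings and amounts are constructed, and HMAC-SHA256 truncated to six digits stands in for whatever a real token computes.

```python
"""Plain OTP vs transaction-bound authorization code (added example, not from the thread).

Constructed scenario: the customer's PC is compromised and malware swaps the
payee and amount after the customer clicks "confirm". A counter-based OTP is
accepted regardless, because it does not depend on the transaction; a code
computed over the payee and amount shown on a trusted display fails as soon
as either field differs from what the bank receives.
"""
import hashlib
import hmac

SECRET = b"constructed-shared-token-secret"   # provisioned into token and bank


def _six_digits(mac: bytes) -> str:
    """Truncate a MAC to a six-digit code the customer can type."""
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"


def plain_otp(secret: bytes, counter: int) -> str:
    """Counter-based OTP: depends only on the counter, not on the transaction."""
    return _six_digits(hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha256).digest())


def transaction_code(secret: bytes, counter: int, payee: str, amount_cents: int) -> str:
    """Code bound to the transaction as displayed on the terminal or in the SMS.
    A NUL separates payee from amount so the fields cannot run together."""
    msg = counter.to_bytes(8, "big") + payee.encode() + b"\x00" + amount_cents.to_bytes(8, "big")
    return _six_digits(hmac.new(secret, msg, hashlib.sha256).digest())


def bank_accepts_plain(counter: int, code: str) -> bool:
    return hmac.compare_digest(code, plain_otp(SECRET, counter))


def bank_accepts_bound(counter: int, payee: str, amount_cents: int, code: str) -> bool:
    """The bank recomputes the code over the transaction it actually received."""
    return hmac.compare_digest(code, transaction_code(SECRET, counter, payee, amount_cents))


def simulate(malware_modifies: bool) -> dict:
    """Customer authorizes `intended`; malware may substitute what reaches the bank."""
    intended = ("SE12 3456 7890", 10_000)          # constructed: 100.00 to the real payee
    received = ("SE99 0000 0001", 250_000) if malware_modifies else intended
    counter = 7
    otp = plain_otp(SECRET, counter)                      # what a plain token shows
    tcode = transaction_code(SECRET, counter, *intended)  # what a class 3 terminal shows
    return {
        "plain_otp_accepted": bank_accepts_plain(counter, otp),
        "bound_code_accepted": bank_accepts_bound(counter, *received, tcode),
    }
```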
  6. Re:Online banking? Sign me up!!!! by nicklott · · Score: 3, Funny

    Good god man! Presumably you get around by horse and cart? I mean, that petrol engine is very convenient and all, but think of the risk of explosion...

  7. Re:Online banking? Sign me up!!!! by purpledinoz · · Score: 3, Interesting

    In Germany, any money transaction requires you to enter something called an iTAN number. These numbers are mailed to you, so even if some hacker was able to gain access to your account online, no transfers can be made because they won't have the iTAN numbers. Unless you're dumb enough to scan these numbers and store them on your computer. It's a little bit of a pain in the ass, but after reading this article, I'm glad that this system exists.

  8. Re:Criminal by azgard · · Score: 3, Insightful

    Umm, no. Playing Civilization on a computer can be fun even if you are not inclined to be a dictator or conqueror.

  9. Re:Criminal by sammyF70 · · Score: 2, Interesting

    Maybe just technically interested. Writing and setting up a botnet like this one within the limitations inherent to something that's illegal sounds like an interesting challenge.

    --
    "DRM is like the Ford Pinto: it's a smooth ride, right up the point at which it explodes and ruins your day."-C.Doctorow
  10. Re:Online banking? Sign me up!!!! by fatphil · · Score: 2, Informative

    Likewise in Finland. Single-use random 4-digit ids. We've had them for 15 years or more. (So in the early 90s, Finnish banks were more security conscious than most modern-day US or UK banks.)

    --
    Also FatPhil on SoylentNews, id 863
  11. I am skeptical by TFGeditor · · Score: 2, Insightful

    Anytime I read "it could happen to anybody" in a security article, I am always skeptical. I think "it could happen to any *average* computer user/net surfer" is a better adage.

    Most here assembled, though not 100 percent immune, are far less susceptible than an "average" user to any sort of malware infection.


    --
    Ignorance is curable, stupid is forever.
  12. ..as interest in sports makes one an olympian. by osir · · Score: 4, Insightful

    You would either have to be a hopeless moralist or simply dull around the edges to not find such an idea fun/interesting. Interest in criminal ideas no more makes you a criminal than interest in horror movies makes you a masochist, or someone harboring murderous intent. What a naive comment.

  13. Re:Online banking? Sign me up!!!! by cpghost · · Score: 4, Informative

    Yes, they are, like any other OTP system. Moreover, some banks also allow you to click in the numbers with a mouse by providing a keypad image. If you feel paranoid about key loggers, just use the mouse. But the real security is, of course, the one-time nature of those numbers.

    --
    cpghost at Cordula's Web.
  14. Target biggest first? by andyh-rayleigh · · Score: 5, Interesting

    "'The only reason (the script) can see that data is to target the biggest accounts first,' he said."

    That depends on the objective and tactics of the attacker:
    Although the obvious assumption is that the attacker wishes to gain as much money as possible with a minimal chance of being caught, it may be that (s)he is less greedy and/or more cautious.

    Suppose that your target is a total of, say, $200K rather than the assumed multi-millions. You are far less likely to be caught or to trigger money-laundering precautions. In a case like this your best strategy might well be to go for above-average but not top 10% balances.

    Similarly, if you ARE going for the maximum while still hoping your chance of being caught is low, it may well be worth steering clear of the very highest balances as they could be more closely monitored (and some of them are probably "honeypots").

    1. Re:Target biggest first? by Restil · · Score: 2, Insightful

      Yes, but to do this properly would generally require someone to have access to the internal programming of the banking system. Making 1 cent transactions might be possible, but they will certainly show up and be more noticeable than if 1 cent just disappeared from the balance. If your account has 200 transactions a month and carries a balance over $20000, you're only going to try to balance that so many times before you give up trying to find the penny. Heck, you could lose a dollar or two at that rate and likely get away with it. But the importance of this method is that the actual transaction doesn't show up.

      Then again... if you could find a way to disguise the transaction as a fee, it would likely get overlooked as well. :)

      -Restil

      --
      Play with my webcams and lights here