Slashdot Mirror

← Back to Stories (view on slashdot.org)

A Look At the CoreFlood Botnet

Posted by Soulskill on from the from-russia-with-love dept.

CNet is running a story about research from security expert Joe Stewart into the CoreFlood botnet, which has harvested at least "50 gigabytes of compressed data, searchable in a MySQL database," from a group of over 370,000 bot IDs. Stewart explains how the botnet operates and some of the things he's learned about the group that operates it. "Within the 50GB file, Stewart was able to discern how the thieves culled the data. He said they run a test script against that data that will log via a proxy into the bank using the credentials captured, say by a keylogging application. The CoreFlood script will then capture the HTML data on the post long-in page. In most cases, that page also contains the account's bank balance. They do that, he said, so that after running the test they have a picture of what are the highest dollar amounts. 'I don't know whether they steal from all of them. We don't have access to the accounts; the bank is not going to tell us how much was stolen out of any given account. We're not going to get that information, but we know they're actively logging and checking accounts to collect the balance data. The only reason (the script) can see that data is to target the biggest accounts first,' he said."

6 of 120 comments (clear)

  1. Useful information... by Anonymous Coward · · Score: 5, Funny

    Botnets need to start logging something useful.

    Like slashdot accounts with moderator points.

  2. Re:Key Generator by Anonymous Coward · · Score: 5, Informative

    Not only do I use one of those for logging in, but any financial transaction has to be signed with the pad.

    For the bank where I have my loans, I have an SSL certificate and signature to confirm my identity.
    That same certificate is tied to my national identity card, meaning I can use it for a lot of other things as well.

    All in all, I can't understand why the US is so far behind when it comes to online banking.
    I mean, I've had this for eight years now, and it'sbeen around longer.

    Much love from Sweden ;)

  3. Baby steps to the solution by Anonymous Coward · · Score: 5, Insightful

    One-time-password generators protect against replay attacks, but they do not protect against modified transactions. If an attacker has root on your system, then he can simply escalate the keylogging attack to a live modification of the transaction data.

    A better approach would be to use a class 3 card terminal. That's a small computer with a strictly defined purpose and specification (and therefore tremendously easier to secure). It has a display so that you can see the transaction that you authorize, without interference from software on a compromised PC, and it has a keypad so that you can enter the PIN and confirmation, without software on a compromised PC being able to capture any of it. These devices exist. The only reason they're not being used must be that the problem is currently not big enough to justify the cost of giving every customer a card terminal.

  4. Re:Key Generator by shungi · · Score: 5, Interesting

    A good solution is to send a text message containing a code to your mobile phone every time you make a transaction (or perhaps group of transactions). You then have to punch the code into the website.

  5. Re:Key Generator by Uber+Banker · · Score: 5, Interesting

    When I was opening my first bank account (independently opening, back in 1995) I wrote a similar response on the form to Mother's Maiden Name as you stated above - a little more secure. Only to have the bank call my home to tell me that could not be a maiden name, please state her maiden name. Either HSBC or Natwest, I forget now which. 1995. I hope awareness over security has increased.

  6. Target biggest first? by andyh-rayleigh · · Score: 5, Interesting

    "The only reason (the script) can see that data is to target the biggest accounts first,' he said."

    That depends on the objective and tactics of the attacker:
    Although the obvious assumption is that the attacker wishes to gain as much money as possible with a minimal chance of being caught, it may be that (s)he is less greedy and/or more cautious.

    Suppose that your target is a total of, say, $200K rather than the assumed multi-millions. You are far less likely to be caught or to trigger money-laundering precautions. In a case like this your best strategy might well be to go for above-average but not top 10% balances.

    Similarly, if you ARE going for the maximum while still hoping your chance of being caught is low, it may well be worth steering clear of the very highest balances as they could be more closely monitored (and some of them are probably "honeypots").