The Coreflood Report

Date: August 6, 2008
Author: Joe Stewart, Director of Malware Research, SecureWorks

Introduction

In 2003, we analyzed a trojan named "Autoproxy", which was designed to create a botnet of proxy machines for purposes of online anonymity for criminals. We later found that this trojan was related to an older trojan known as Coreflood, or AFcore. This was an IRC trojan that had been around since at least 2002. By 2004, Autoproxy had been rolled into the Coreflood codebase, and the trojan ceased using IRC as a control mechanism, and moved to HTTP. Around the same time, the trojan began to be used to steal data from infected users, leading to a high-profile case where over $90,000 was taken from one individual's bank account.

The victim was Joe Lopez, a Miami businessman, who according to press reports ran a small printer ink and toner business called Ahlo Inc. in Miami. Lopez regularly used wire transfers both to send and receive money from business contacts in US and Latin America. On April 6, 2004, an unauthorized wire transfer of $90,348 was made to Parex Bank in Riga, Latvia. Around $20,000 was withdrawn before the account was frozen and the US Secret Service began investigating. A forensic investigation was done of the PC used by Lopez and his business, and it was discovered to be infected by the Coreflood Trojan. Joe Lopez filed suit against his bank, alleging that the bank was negligent in failing to protect his account from compromise through known risks. The case is thought to be the first time a customer has sued a bank over cybercrime losses in the US. [1].

We feel that the same group behind the Lopez heist is also behind the current attacks, as the Coreflood Trojan is not sold on any underground hacker forums, and we have never seen it used by any other group other than the Russian group we have been investigating. As you read further into the report, you will begin to see why the Coreflood Trojan and the hackers behind it have eluded detection.

Coreflood has managed to stay under the radar pretty effectively since 2004, with very few details available online about its activity in that time. In 2008, we came across a new sample of Coreflood, and decided to revisit the botnet and find out what has been happening in the past four years. By getting access to a Coreflood command-and-controller server that was shut down due to efforts by myself and Spamhaus, we learned a great deal of information, some of which has been detailed in previous reports such as the initial report [2] released on June 30, 2008, the followup report [3] on July 15, 2008, and a blog entry on July 10, 2008. The rest is detailed in this report.

Some highlights:

Approximately 463,582 usernames and passwords to more than 35,000 domains were stolen. In addition, the trojan steals not only what users send to remote websites, but also the content of those sites (e.g. intranet pages, webmail). The logins include:

Bank Account and Credit Union Usernames and Passwords---8,485
These 8,485 passwords are for banks and credit unions in the US and overseas. Of the 29 banks, 12 are foreign banks and the rest are based out of the US. The majority of them are banks and not credit unions.

Credit card usernames and passwords---3,233

Email Accounts---151,000

Social Networking Sites--58,391

Online Retailers---4,237

Stock Trading Accounts---416

Online payment processors---869

Mortgage Lenders---413

Finance Companies –422

Payroll Processors---553

The controller I gained access to, with the domain names mcupdate.org and mcupdate.net, had been in continuous operation since 2005. It is still in operation even today, on another server, only interrupted for a few days.
50 gigabytes of data stolen from infected users was left behind on the machine, most of it compressed. This was from a 6-month time period. As much as 4 times that amount had been previously harvested and deleted, according to scripts left behind by the Coreflood gang.
The botnet often stole a gigabyte or more of data (uncompressed) per day from all users combined.
PKI certificates (used by some online financial institutions) and cookies files were also stolen from infected users.
Coreflood managed to severely impact some organizations through the use of Windows domain administrator credentials – in some cases thousands of computers on corporate and government networks were infected. See sample list at end of report.
The criminals behind Coreflood frequently used the command-and-control server as a base of operations to automate validity/balance checking of bank accounts they stole. As a result, I was able to see exactly how they operate and on average how much money they have access to.

Crimeserver Autopsy

The mcupdate.net server ran Linux, specifically Fedora Core release 3. Three user logins had been added since install, "closer", "mysql", and "ghost". The mysql user was created at the time the MySQL database was installed. This is the database used by the botnet to track infected users. The closer login was initially used, and then the ghost login was created to run the botnet server software. The bulk of the evidence of the botnet's activity can be found in /home/ghost, but there are other directories that contained some interesting data.

/home/ghost

In this directory was source code to the botnet controller, samples of different binary builds of the bot, tools for working with the stolen data, scripts and binaries accessed by the bots via the apache server, and a "logs" directory containing the stolen data that was uploaded. One interesting directory, "msof3", dated only a couple of weeks before we took the server offline, contained a Microsoft PowerPoint exploit, indicating the Coreflood group may have been interested in pursuing targeted attacks similar to those used by Chinese and Romanian hacking groups in recent months.

In the source code to the bot controller, a couple of interesting comments were found. At the top of the file, the date "Thu 06 Mar 2008 03:41:00 EET", indicating the Eastern European time zone, and above one subroutine, the cryptic comment "add by [redacted]", possibly indicating the first initial of the person making the changes.

/root

Many interesting things were found under this directory:

Copies of various bank websites
A web exploit kit
A scanned archive of a 50-page criminal complaint against a group of Russian DDoS criminals, from 2006.
Source code to a previous version of Coreflood, circa-2005. Some error messages contain the name "[redacted]."
A subdirectory named "myc", containing browser cookie files from a user named "[redacted]." Some interesting sites found inside it include several banks, Russian money transfer sites, and an underground fraud site.

/work

In this directory were numerous subdirectories left over from checking account validity. Inside each directory is a Perl script with the name proga_r6[0-1][bankname].pl, along with configuration files, lists of bank logins and passwords, lists of proxy servers, output logs and copies of the post-login webpages. The proga_r6* program automates the process of logging into online banking or other accounts through proxy servers. In many cases, it is apparent that the proxy server list is compiled of machines in the home country of the bank, in order to avoid tripping fraud detection systems on the banking site. The dates at the top of the file indicate this particular fraud testing script has been in development since 2001. Interestingly, one comment found in the proga_r6* files was "!!!CHANGED BY [redacted]."

In one proga_r6* subdirectory, 740 stolen accounts were found in the configuration files. The fraudsters tested 79 accounts, all of which returned a post-login page containing the account balances. In one case, a user had over $147,000 in their savings account at the time the script ran. The average account balance for the tested accounts was $4553.74 for savings and $2096.31 for checking, giving the hackers access to $281,415. Assuming that the averages hold for all 740 accounts, it means the group behind Coreflood could have access to over 2.5 million dollars in a single financial institution. In all likelihood however, the amount of time needed to transfer and launder money from that many accounts is prohibitive, which may explain why only 79 accounts were tested at the time. There is no evidence on the server suggesting the actual money transfers are automated, so it stands to reason that the fraudsters are looking for larger accounts to clean out (as was the case in the Joe Lopez theft).

/home/ghost/logs

This is the primary storage area for the current and archived binary Coreflood logs. Logs are encrypted and compressed, and are replayed using a binary found in /home/ghost, called "playlog". Current logs are stored under the names _ie, _other, _input, and _panic. At certain times, the criminals will archive these directories to sequentially numbered copies (e.g. _ie1, _ie2, _ie3), and will then zip the entire directory, copying the resulting zip archive to /var/www for HTTP download. At the time the server was taken offline, they had archived up to _ie24 and _other24. The directory _panic is not stolen data per se, it is logs of crashes of the trojan, for code debugging purposes. The directory _input is used for keystroke logs, but no actual keystroke logs were taken in the last session, and the files are devoid of any user data.