Saturday, April 16, 2011

Kenneth Keller Kills Coreflood Botnet

As of Wednesday, Coreflood, a botnet that's been around for some time, has been shut down by the FBI (by declaration from Special Agent Kenneth Keller), who charges that wire fraud, band fraud and unauthorized interception of electronic communications were committed by the owners.

This botnet consisted of 2,336,542 individual machines or bots (most in the US) and was controlled by two botnet controllers. The hosts at and were Coreflood Command and Control servers for the botnet at the time of the investigation. All infrected machines essentially reported to these servers.

The Facts
Coreflood infected machines running Windows OS.
The Coreflood botnet communicated primarily by domain name, rather than IP address, so command and control servers could be fluid and be moved frequently.
The IP addresses of the command and control servers mentioned previously correspond to "" and ""
Supporting reference can be found here.
Infected computers in the botnet logged keystrokes and various communications, sending online banking information to the command and control servers, where the data was stored to be reviewed later.
The later information would be used to wire money from bank accounts

There's No Place Like Home
According to a Seizure Warrant, DNS providers of the Coreflood domains were ordered to lock any account associated with the domain in question to prevent changes or deletions of information. In addition, the DNS servers of said domains are to be set to return an IP of when queried.

Coreflood Domains associate with the botnet include:

Regular virus scans with up to date definations would be a good step towards mitigating this issue. Programs like Malwarebytes and SPybot Search and Destroy are a good companion to your anti-virus software.

Of course, vigilence on the part of the computer user is also vital. Know what services and processes are supposed to be running on your system and monitor for anything suspicious.

No comments:

Post a Comment