At the Black Hat conference last week, Joe Stewart of security firm SecureWorks reported on shutting down the main server for Coreflood, a criminal network that grew from a Trojan to become a massive repository of stolen data.
Coreflood was really noticed in 2004, when hackers infected a company with a Trojan and stole money from a US company. After that, however, it appeared to go underground. But earlier this year SecureWorks and Spamhaus shut down one of its servers and discovered 50 GB of stolen data – although SecureWorks says more than four times this amount had been previously harvested and discarded. The data included 3,233 credit card usernames and passwords, 8,485 bank and credit union usernames and passwords – all in all, a total of just under half a million usernames and passwords to over 35,000 domains.
How did they do it? By being slow and careful. After infecting one machine in a network they’d continue through the network until reaching a computer with administrative access, then use that to ensure infection of the entire network.
The good news is that the server was shut down. The bad news? The botnet it created remains active – everything has simply moved to Russia, and there may be more activity coming according to Stewart, who noted that one directory, created “a couple of weeks before we took the server offline, contained a Microsoft PowerPoint exploit, indicating the Coreflood group may have been interested in pursuing targeted attacks similar to those used by Chinese and Romanian hacking groups in recent months.”