Malicious Botnet Stole Bank, Credit Union Credentials

August 6, 2008 – 2:02 PM

The researcher who first discovered a motherlode of stolen enterprise user names and passwords in June has found that nearly 9,000 of them are bank and credit-card account credentials from around the world that were grabbed by an old but crafty botnet. And it turns out the initial 50 gigabytes’ worth of data that included 463,582 passwords on the crime server is only about one-fourth of the total number of accounts stolen by the so-called Coreflood botnet. (See Researchers Raise Alarm Over New Iteration of Coreflood Botnet and SecureWorks Finds Massive Cache of Stolen Data.)

Coreflood is an unusual botnet in that it’s closely held by its operators, who use the data themselves rather than sell it like other botnets do, and also use their own Trojan malware for the botnet. Joe Stewart, director of malware research for SecureWorks, today revealed in a new report some key details of the type and amount of data stored on the crimeware server, which has since relocated to Russia after being shut down in Wisconsin, he says.

Stewart said he has been able to discern how the command and control server was configured, as well as glean clues of the identities of the bad guys behind Coreflood: he says he believes they are directly connected to the Joe Lopez case of 2004, where Miami businessman sued his bank after his account was compromised by the Coreflood Trojan.

“Coreflood is trying to steal financial information, and has stayed under the radar pretty well. It’s not in-your-face sending out emails,” Stewart says.

Stewart says 50 gigabytes of stolen user data were left behind on the crime server he first discovered, but about four times that amount of additional stolen data had been harvested and deleted, according to some new investigation he did via scripts the bad guys left on the server. He says Coreflood stole a gigabyte or more of data each day from all the users combined and also lifted PKI certificates and cookie files.


You must be logged in to post a comment.