Forum latest

Researchers Raise Alarm Over New Iteration of Coreflood Botnet
General
Written by Daniel   
Thursday, 24 July 2008 10:38
Password-stealing Trojan is spreading like a worm – and targeted directly at the enterprise

JULY 23, 2008 | 6:00 PM
By Tim Wilson
Site Editor, Dark Reading

The seven-year-old Coreflood botnet is quietly stealing thousands of passwords from corporate users and other large organizations, thanks to recent enhancements that allow it to spread like a worm, researchers say.

The enhancements were revealed June 30 by botnet expert Joe Stewart, director of malware research at SecureWorks. Stewart traced the botnet to a single command and control server that held more than 400,000 user IDs, passwords, and other information. (See SecureWorks Finds Massive Cache of Stolen Data.)

Since then, other researchers have had an opportunity to evaluate Stewart's findings, and they don't like what they see. In a nutshell, Coreflood has combined its old ability to deliver a password-stealing Trojan with a new ability to infect whole Windows domains in a matter of hours.

"This is potentially way more malicious than Storm, because it is collecting passwords -- rather than just sending out spam or denying service -- and because the user doesn't have to click on a link or do anything at all in order to be infected," says David Jevans, CEO of security vendor IronKey and chairman of the Anti-Phishing Working Group.

Coreflood, which started out as a simple Trojan in late 2001, has been reiterated more than 100 times during its long lifespan. But with the enhancements, the Trojan now has the ability to infect Windows administrators' machines and then use their privileges to infect all of the other machines in the administrator's domain.

"We've literally seen situations where there was only one machine infected, and within a few hours, 30,000 other machines on the same network were also infected," Jevans says. "And these aren't random infections -- if it gets through to one administrator's machine, then all of the devices in his domain will be infected."   [Dark Reading...]   [Comments...]
 

See also

None found.


Hardware | Windows | Linux | Security | Mobile Devices | Gaming
Tech Business | Editorial | General News | folding@home

Forum | Download Files

Copyright ©2001 - 2012, AOA Forums.  All rights reserved.

Alliance of Overclocking Arts

Links monetized by VigLink

Don't Click Here Don't Click Here Either