What Is Coreflood?

About Coreflood

You've heard the saying, "If only I were a fly on the wall." It refers to what one might see or hear if one could go unnoticed in someone's home or office. We all realize that what goes on behind closed doors can be very different from what is projected to the public. And even for those who have nothing to hide, the thought of having everything they say and do made public outside their close-knit circle of friends or family is hardly appealing. Most of us take our privacy very personally, and the thought of someone spying on us stirs up a range of emotions.

In the digital world, such a fly on the wall has been gathering personal information, such as logons (user names and passwords), financial account details and even the contents of your e-mail, for quite some time. Over the last 24 months, however, it has gained momentum and effectiveness, drawing the attention of security researchers around the globe. This fly on the wall, Coreflood, is one of more than 25,000 malicious programs in the wild today that are known as banking Trojans.

Banking Trojans are malicious programs developed specifically to help crooks break into online bank accounts and part you from your hard-earned cash. Coreflood, which first appeared in 2002, has evolved into a particularly effective banking Trojan that targets not only unwitting home users but also information-rich corporate networks. Combined with a sophisticated network of organized criminals, such as the Russian group referred to as the Coreflood Gang, Coreflood is a dangerous force to be reckoned with.

How does it work?

It usually starts with an innocent visit to a compromised website. With no warning, you're redirected to another site where the drama begins to unfold. Your browser downloads the malicious code to your hard drive, and the code is executed. Invisibly to you, the program begins a search-and-steal mission for any sensitive data on your hard drive. It doesn't stop there. If it obtains the proper access and administrative privilege, the program can spread to other computers on the network, where it begins collecting data and continues to spread throughout the network.

As Coreflood spreads across the network, it combs through the sensitive data that may reside on each system and captures what users are doing in real time. As users log on to their banking sites, it harvests their user names and passwords and neatly organizes that information for the crooks to review later. As you might imagine, the larger the network, the more information it can gather for the crooks.

To give you an idea of how effective this is, a recent analysis of data harvested by a single Coreflood infection revealed 8,485 bank accounts, 3,233 credit card accounts, 151,000 e-mail accounts, 4,237 online retailer accounts, 416 stock trading accounts, 869 payment processor accounts, 413 mortgage accounts and 422 finance company accounts, according to Joe Stewart, director of malware research for SecureWorks Inc., who has been researching Coreflood for some time.

Make no mistake, this data isn't just sitting around. According to Mr. Stewart, investigations revealed that the crooks actively use it. They know the balances of these accounts, and though they move slowly, they have been logging in to these accounts and stealing money, in one case as much as $100,000 in a single transaction.

What can you do?

If there's good news to this story, it's that up-to-date anti-virus scanners can detect Coreflood most of the time. Though the Trojan keeps evolving, anti-virus companies update their signature files, sometimes daily, to keep up with the ever-changing threat environment. But because the developers of this code have not released it to the rest of the criminal underworld and appear to be using it only for their own purposes, anti-virus vendors do not see a new variant until it is already in circulation. Each update to the code therefore goes undetected for a brief period, increasing the likelihood of infection and giving the crooks time to collect sensitive data.

While the fight continues, be sure to follow safe computing practices and to update your anti-virus software regularly. Don't open e-mail attachments from senders you don't know, and visit only websites you know to be safe. Since Coreflood needs administrative privilege to spread across a network, doing your everyday work from a standard (non-administrator) account limits what an infection can do. Check your accounts and credit reports regularly so that you are tipped off immediately to any fraudulent activity.