Coreflood/AFcore Trojan Analysis

Highlights

One of the oldest botnets in continuous operation (+6 years)

Motive turned from DDoS to selling anonymity services to full-fledged bank fraud

Entire Windows domains infected at once (thousands of computers at some organizations)

Over 378,000 computers infected during 16-month time frame

Infected businesses, hospitals, government organizations, and even a state police agency

In the past several years we've seen many botnets come and have even seen some go. Some die because they are replaced by other code, some die (not often enough) because their owners go to jail. During this time, we've seen one botnet which has quietly flown under the radar since at least 2002. Coreflood (or "AF", as the author has dubbed it) started out as an internet relay chat (IRC) bot used for attacking other IRC users. Over time however, it evolved into a TCP proxy as part of an anonymity service, and then later into a full-fledged infostealer trojan. We wrote about the proxy component when it was first developed in 2003. Since that time Coreflood has maintained a much lower profile while other more prolific botnets came to the forefront of public attention. However, just recently the group behind Coreflood has escalated their activity and the trojan is beginning to be noticed again.

http://www.secureworks.com/research/threat...hreat=coreflood

Ted.