In February 2005, a Miami man sued Bank of America for not adequately protecting him against a $90,000 (£57,300), fraudulent wire transfer to the Parex Bank in Latvia.
Joe Lopez was the first online user to sue his financial institution for not protecting his assets from a computer hacker.
Lopez, owner of a computer and copier supply business, accused Bank of America of negligence and breach of contract for not alerting him in advance to the existence of a piece of malware known as 'Coreflood' prior to 6 April, 2004, when the alleged theft took place.
Shortly after the wire transfer occurred, a sum of $20,000 was withdrawn from Parex Bank by unknown individuals, according to the complaint filed in court. The remaining $70,000 was, however, frozen by Latvian banking authorities. Bank of America has since settled the case; neither side has revealed the terms.
"I had probably heard the news about Joe Lopez, but [until recently], I hadn't thought twice about the whole Coreflood episode of a few years ago," admitted Joe Stewart, director of malware research at SecureWorks, in an interview at this summer's Black Hat conference in Las Vegas.
In particular, Stewart recalled hearing that the US Secret Service had found evidence of Coreflood on the Lopez computer.
"The Secret Service actually named Coreflood. That was very surprising. Normally, we don't get the final tally. We don't know who's account got stolen. It's very unusual to actually have a victim that is public, and everybody knows exactly what [was] taken," Stewart said.
Unlike a lot of bots and botnets, most of which exist primarily to relay spam, Stewart said Coreflood has a different agenda: "Its goal is to steal the data directly from users." The much more popular Storm botnet, he said, is more of a nuisance. "Coreflood has a real financial impact for people like Joe Lopez."
Who's behind Coreflood? Stewart declined to say but, in an interview in The New York Times, he suggested that the gang responsible was based somewhere in Russia. He would reveal the name of the group because of ongoing criminal investigations.
When Stewart heard about Lopez, he renewed his research on Coreflood. With the help of Spamhaus, an anti-spam organisation, Stewart and SecureWorks were able to gain co-operation from a Wisconsin-based provider of one of the command-and-control centres for the botnet. What he found was not only the bot's source code but also 50GB of compressed data, searchable in a MySQL database.
Within that database were 378,758 unique bot IDs over a 16-month period. There, for everyone to see, was the time-stamped life cycle — from infection to removal — of each compromised computer. Stewart found the average to be about 66 days.
Method of attack
Apparently, Coreflood would enter a network via a drive-by browser exploit, download a copy of the installer, then run PcExec, a legitimate Windows administration tool available from Microsoft.
"It could happen to anybody — any user who happened to go to the wrong site," said Stewart. If the user also chanced to be on the corporate network when that happened, the bot would then be able to take advantage of that structure and be a threat to everyone on that network.
"So it's not so much a targeted attack," Stewart said. "But I think they have intentionally set a trap for the domain administrator and are leveraging that in order to have access to the entire company."
Later, the criminal gang responsible for the attack can find out which company it has infected by looking into the registry of the infected computer. "They pull out of the registry a separate request to say who is the registered owner the Windows licence. They ship that information back up to the botnet controller."
Just looking at that one command-and-control server in Wisconsin, Stewart estimated that the gang responsible has infected more than 35,000 domains. It may sell those webmail accounts to a spammer, because spammers seek webmail accounts. But, over the years, Coreflood seems to have targeted only banks. Stewart said he knows this from the forensic evidence he's collected.
Within the 50GB file, Stewart was able to discern how the thieves culled the data. He said they run a test script against that data that will log via a proxy into the bank using the credentials captured, say, by a keylogging application. The Coreflood script will then capture the HTML data on the post-log-in page.
In most cases, that page also contains the account's bank balance. This is so that, after running the test, the hackers have a picture of what the highest dollar amounts are, he said.
"I don't know whether they steal from all of them. We don't have access to the accounts; the bank is not going to tell us how much was stolen out of any given account," he said. "We're not going to get that information, but we know they're actively logging and checking accounts to collect the balance data. The only reason [the script] can see that data is to target the biggest accounts first."
Coreflood does not take a screenshot, Stewart said, but rather scrapes the text out of the HTML. "When they run these tools, it leaves a log file behind, and all the post log-in [data]... is saved in that directory. So we have all of the account balances. So we can parse out what everyone's balance is and see actually how much [the thieves] had access to at any one institution."
Off the radar
The problem is that Coreflood has been around since 2001.
"It's unique in that's been around for so long," Stewart said. Moreover, it's unusual that it seems to have been maintained by the same group and is "not something that's been sold to another group", as is the case with some botnets.
The way Coreflood has managed to evade detection, Stewart said, is that it hasn't crept high onto anyone's list of botnets. "It's not on anyone's radar." Yet it's managed to seriously impact some enterprises that use Windows domains. In companies that have been hit, every employee is potentially sending everything they do back to the culprits in Russia.
"To me, [Coreflood] is far more insidious because it doesn't get the attention," said Stewart. Unlike Storm, Coreflood is not constantly in the news. "You're not seeing new social-engineering campaigns every week, not seeing a new news article about it every week talking about all the great innovations the peer-to-peer thing has now. It's been quiet, and just does a few things, and tries not to garner any attention."
So the story of Lopez is significant. It's a tangible event about how online criminals are actually affecting people. It illustrates how much money got taken from an actual bank account, and the real impact on the victim's life. Unfortunately, there are many more botnets — and many more victims to talk about.
