A Look At the CoreFlood Botnet
CNet is running a story about research from security expert Joe Stewart into the CoreFlood botnet, which has harvested at least "50 gigabytes of compressed data, searchable in a MySQL database," from a group of over 370,000 bot IDs. Stewart explains how the botnet operates and some of the things he's learned about the group that operates it.
"Within the 50GB file, Stewart was able to discern how the thieves culled the data. He said they run a test script against that data that will log via a proxy into the bank using the credentials captured, say by a keylogging application. The CoreFlood script will then capture the HTML data on the post-login page. In most cases, that page also contains the account's bank balance. They do that, he said, so that after running the test they have a picture of what are the highest dollar amounts. 'I don't know whether they steal from all of them. We don't have access to the accounts; the bank is not going to tell us how much was stolen out of any given account. We're not going to get that information, but we know they're actively logging and checking accounts to collect the balance data. The only reason (the script) can see that data is to target the biggest accounts first,' he said."
Key Generator (Score:5, Interesting)
My bank (HSBC) gives me a little keychain key generator that spits out a 6-digit number when I press the button. All logins must also have the key number... I wonder if this simple measure would stop dead any keylogger attacks like this, OR with enough reasonable time monitoring they could reverse engineer the generator's seeds?
Re: (Score:2, Informative)
I'd like something like that. My bank said if someone gets access to my account I'm screwed. All I have protecting me is having to answer 1 of 3 questions. Mother's maiden name, etc.
--
IP Finding [ipfinding.com]
Re: (Score:3, Interesting)
Well...talking about mother's maiden name: in one of the banks in China, their online banking software requires me to pick 5 questions to answer from 3 groups, at least one from each. The groups are:
Name of family member: brothers, sisters, parents, children, uncle/aunt or grand parents.
Name of teachers: The class master, or language class teacher, or math teacher of elementary, middle, or high school.
Date of birth of the family member.
Then next time when you do sensitive process (change password / change the
Re: (Score:2)
But at least it gives me peace of mind.
That's about all you get - 1.1 factor auth is crap compared to RSA keyfobs.
Re: (Score:3, Informative)
Well, one thing that I didn't mention: to log into the banking system in the first place, before any operations can be carried out, you need a digital certificate (and an ordinary password and username).
It could either be a USB thumbdrive hardware form issued from the bank, or an imported PFX file.
Re: (Score:2)
I log in to my bank with a password, but every time I want a transaction, an sms is sent to my mobile phone. :)
I think it's secure enough
Re: (Score:2, Funny)
Hmmm...lowish /. ID, mother's maiden name strange, ALIEN! Run!!!!!
Re: (Score:2, Funny)
My mother is called FE31BB076800267D0BA you insensitive clod!
Re: (Score:3, Funny)
Ah, memories. Mrs. FE31BB076800267D0BA always did make the best brownies back in the day.
Xor Re:Key Generator (Score:1, Funny)
Now Xor that with something descriptive of your mom like LARGEBOVINE.
Re:Key Generator (Score:5, Informative)
Not only do I use one of those for logging in, but any financial transaction has to be signed with the pad.
For the bank where I have my loans, I have an SSL certificate and signature to confirm my identity.
That same certificate is tied to my national identity card, meaning I can use it for a lot of other things as well.
All in all, I can't understand why the US is so far behind when it comes to online banking.
I mean, I've had this for eight years now, and it's been around longer.
Much love from Sweden ;)
Re: (Score:1)
Because in the US, we're not constantly under attack by Eastern European criminal organizations.
Your RSA key is a result of your environment.
Re: (Score:2, Insightful)
I think the Atlantic Ocean does not help too much protecting the US from Internet fraud.
Re: (Score:3, Insightful)
Uh, RTFA - you are under constant attack from Eastern European criminal organizations.
Re: (Score:1)
Compare that with my Canadian bank account (Bank of Montreal) where the online capabilities are so crippled it's useless to me. I can pretty much only transfer funds among my own accounts, because they don't trust
Baby steps to the solution (Score:5, Insightful)
One-time-password generators protect against replay attacks, but they do not protect against modified transactions. If an attacker has root on your system, then he can simply escalate the keylogging attack to a live modification of the transaction data.
A better approach would be to use a class 3 card terminal. That's a small computer with a strictly defined purpose and specification (and therefore tremendously easier to secure). It has a display so that you can see the transaction that you authorize, without interference from software on a compromised PC, and it has a keypad so that you can enter the PIN and confirmation, without software on a compromised PC being able to capture any of it. These devices exist. The only reason they're not being used must be that the problem is currently not big enough to justify the cost of giving every customer a card terminal.
Re: (Score:3, Funny)
Sounds much harder to build right than an electronic voting machine...
Re: (Score:2)
Yes, but I expect since real money is involved, this device will be built right.
Re: (Score:2)
There is plenty of money involved in e-voting machines. What real money has that e-voting didn't is a paper trail.
Re: (Score:3, Informative)
Several problems with that:
Re: (Score:3, Informative)
Never happened to me; typically the SMS is on my cellphone 3 seconds after clicking "send" on the page.
You can't install keyloggers on most cellphones.
It's not about two devices. It's about using a cellphone instead of a separate token, or no token.
Re: (Score:1)
> You can't install keyloggers on most cellphones.
Yet. As Android, Windows Mobile, or Apple's iPhone platform become more used, exploits will be found.
Re: (Score:1)
> You can't install keyloggers on most cellphones.
Why not? I guess this is more used by suspicious spouses than anything else, but mobile keyloggers are available on the market. With a few moments alone with your cellphone, it is fully possible for someone to install clandestine software that can relay incoming and outgoing SMS messages to a third party, thus opening the door for a race-for-the-last-key attack.
Re: (Score:2)
If the validation is done on the client side, then you have the algorithm already. If the validation is done on the server, then all you're doing is taking a code from one text box and pasting it into another. What's stopping the bot from doing that?
Re: (Score:2)
Sorry, for some reason I misread and thought you were talking about doing this all in the browser without a SecurID or similar.
Re: (Score:1)
> but they do not protect against modified transactions. If an attacker has root on your system, then he can simply escalate the keylogging attack to a live modification of the transaction data.
You're talking about the "man in the middle" attack. My bank, SEB, uses the transaction amount as one of the numbers I have to enter into the digipass to generate a pass key. In order to beat that they have to crack my digipass completely and I can't see how they will accomplish that since the digipass isn't connected to the computer in any way.
Re: (Score:2, Informative)
> These devices exist. The only reason they're not being used must be that the problem is currently not big enough to justify the cost of giving every customer a card terminal.
Not being used in the US perhaps... I've had one for several years with Swedbank. They are also used by another major Swedish bank, SEB.
http://www.seb.se/digipass
http://www.swedbank.se/sst/inf/out/infOutHjalp/0,3769,55142,00.html
Re: (Score:1)
Ah, but my bank's one-time-password generator also has a transaction signing function, and into this I type in the amount too.
In the UK, NatWest have a one-time-password generator device that fits over your plastic card and talks to the chip. I use the card's PIN to make it work. It has the functions "Identify", "Respond" and "Sign".
The Identify function provides authentication; it basically proves I have possession of my cash point card. AKA the RSA one-time-password, I'd use this number during login online.
The
Re: (Score:3, Informative)
This solution already exists in the form of one-time security codes like the RSA SecurID range of products.
Basically it's a PRNG which spits out a number every few minutes which is unique to the customer.
Re:Key Generator (Score:4, Informative)
Why create your own if instead you could use the decades-old S/Key (http://tools.ietf.org/rfc/rfc1760.txt)?
Your distro might have this in packages called opie. Debian packages:
opie-client - OPIE programs for generating OTPs on client machines
opie-server - OPIE programs for maintaining an OTP key file
libpam-opie - Use OTPs for PAM authentication
Java implementations can be found eg: http://math.berkeley.edu/~vojta/opiekey.html [berkeley.edu]
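An added example of the S/Key hash chain that RFC 1760 (and OPIE) build on; it is not code from the post above, from OPIE or from the RFC. The server stores only the top of the chain, so a captured one-time password cannot be replayed or turned into the next one. The one-way function is an assumption: the RFC specifies MD4 folded to 64 bits, and SHA-256 truncated to 8 bytes stands in here so the code runs on any Python.

```python
import hashlib


def f(x: bytes) -> bytes:
    # One-way step of the chain. RFC 1760 specifies MD4 folded to 64 bits;
    # SHA-256 truncated to 8 bytes is an assumed stand-in so this runs anywhere.
    return hashlib.sha256(x).digest()[:8]


def client_response(passphrase: str, seed: str, k: int) -> bytes:
    # The client answers challenge k with f^k(s), where s = f(seed || passphrase).
    # The passphrase itself is never sent and never stored on the server.
    x = f((seed + passphrase).encode())
    for _ in range(k):
        x = f(x)
    return x


class SkeyServer:
    """Keeps only the last accepted value f^n(s); a stolen key file yields
    no usable OTP because f cannot be run backwards."""

    def __init__(self, passphrase: str, seed: str, n: int):
        # Enrolment: compute the top of the chain once, then forget the passphrase.
        self.seed, self.n = seed, n
        self.stored = client_response(passphrase, seed, n)

    def challenge(self):
        return self.n - 1, self.seed

    def verify(self, otp: bytes) -> bool:
        if self.n <= 0:             # chain exhausted: re-enrol with a new seed
            return False
        if f(otp) != self.stored:   # must hash forward to the last accepted value
            return False
        self.stored, self.n = otp, self.n - 1   # each OTP is accepted exactly once
        return True


def demo():
    pw, seed = "correct horse battery", "kb32"   # constructed sample values
    srv = SkeyServer(pw, seed, n=100)
    k, seed = srv.challenge()
    otp = client_response(pw, seed, k)
    first = srv.verify(otp)           # genuine login: f(f^99(s)) == stored f^100(s)
    replay = srv.verify(otp)          # a keylogged OTP is useless a second time
    # An eavesdropper who captured f^99(s) cannot derive f^98(s); hashing forward
    # only reproduces f^100(s), which the server has already consumed.
    forward = srv.verify(f(otp))
    k2, _ = srv.challenge()
    next_ok = srv.verify(client_response(pw, seed, k2))
    return first, replay, forward, next_ok


if __name__ == "__main__":
    print(demo())  # (True, False, False, True)
```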
Re: (Score:2)
This solution already exists in the form of one-time security codes like the RSA SecurID range of products.
Basically it's a PRNG which spits out a number every few minutes which is unique to the customer.
The advantage of the mobile phone strategy is it is making use of a device that the user is (with very high probability) already carrying on their person. Most people don't like carrying lots of extra gadgets.
Re: (Score:2, Informative)
The problem is that the carriers are unreliable in timing of delivery even w/o grid problems. So many times I have got text messages and even voice mail hours after it was delivered.
PS. I am with Verizon Wireless
Re: (Score:3, Interesting)
> The problem is that the carriers are unreliable in timing of delivery even w/o grid problems. So many times I have got text messages and even voice mail hours after it was delivered.
I've had it take 9 months. Admittedly I wasn't in my home country at the time the SMS was sent.
Re: (Score:3, Funny)
Wow, I hope that wasn't for paying a bill, you might find your house foreclosed when you get back.
Re: (Score:2)
> wow, I hope that wasn't for paying a bill, you might find your house foreclosed when you get back.
As it happens, it wasn't a financial message, but rather an instruction telling us to stay away as the person we were going to visit was ill with laryngitis (or something like that). Alas it was too late even by the time it was actually sent; we'd already booked accommodation in the area.
Curiously, the message arrived about two weeks before she visited us the following year, causing massive confusion! Spooky coincidence, especially given that such visits either way are rare. (The trip is over a thousand mil
Re: (Score:2)
Absolutely hilarious. I laughed for a good 2 minutes after reading that just imagining the chaos that created. Thank you for sharing.
Re: (Score:2)
Tell me about this SMS "message" that was sent when you were out of the country... did it cry a lot, look a lot like your best friend, and come with a child-support payment?
Re: (Score:3, Informative)
Most Chinese payment gateways (for processing online credit/debit card transactions) do this. You need to type the one-time password from the text message sent to the registered phone.
Generally I hate this a lot unless they offer an alternative: think when you are traveling, which I do a lot. Luckily, the payment gateway is only used to authorize online transactions on Chinese websites, not every other online credit card transaction, so I am not seriously affected (yet).
Re: (Score:1)
No, that's a bad solution. Mobile phone reception in my house is unreliable at best. Ironically, I live on the top of a hill, in sight of several radio masts in a major US west coast city.
Re: (Score:2)
No, it is a good solution. It's true two-factor security. It's just not a good solution for you.
Re: (Score:2)
Is this with HSBC in Canada? I've been looking for a new bank...
Re: (Score:2)
No, HSBC Hong Kong...
Re: (Score:2)
Yes.
They're one time use.
Re: (Score:2)
That won't do any good. If attackers can install a keylogger, they have the ability to take screenshots, or some other means of determining the numbers. Of course, as you say, the security comes from being an OTP. After a transaction code has been used, its security is irrelevant. In fact, here's one of my previous TANs, no keylogger required: W8PBB2.
Criminal (Score:1)
I wish I was criminally inclined - it must be fun getting that stuff up and running!
Re:Criminal (Score:4, Insightful)
Umm, no. Playing Civilization on a computer can be fun even if you are not inclined to be a dictator or conqueror.
Re: (Score:2, Interesting)
Maybe just technically interested. Writing and setting up a botnet like this one within the limitations inherent to something that's illegal sounds like an interesting challenge.
Re: (Score:1)
And you must be no geek. It's possible to admire a system that has parts doing really neat stuff without approving of the system's purpose as a whole.
..as interest in sports makes one an olympian. (Score:4, Insightful)
Re: (Score:1)
Not even remotely. But I do like a challenge. And security in general is a fascinating subject.
I just think it would be technically very interesting.
Re: (Score:2)
The means and methods of such a system are very interesting to some of us, even if we really have no interest in actually achieving the criminal result. But I know, everyone who reads novels about serial killers really wishes it were them.
Useful information... (Score:5, Funny)
Botnets need to start logging something useful.
Like slashdot accounts with moderator points.
Security Expert Joe Stewart (Score:2, Funny)
First I thought "so that's what he's going to do without George Bush in the White House" but then I realized it's Joe the Security Expert, not Jon the Daily Show host.
I am skeptical (Score:3, Insightful)
Anytime I read "it could happen to anybody" in a security article, I am always skeptical. I think "it could happen to any *average* computer user/net surfer" is a better adage.
Most here assembled, though not 100 percent immune, are far less susceptible than an "average" user to any sort of malware infection.
Re: (Score:2)
Why? It's a drive-by download against some unnamed browser (probably but not definitely IE). You don't have to visit shady sites to get those - these days they hack poorly protected legitimate sites and embed the exploit code into otherwise harmless pages.
Re: (Score:2)
> Why? It's a drive-by download against some unnamed browser (probably but not definitely IE). You don't have to visit shady sites to get those - these days they hack poorly protected legitimate sites and embed the exploit code into otherwise harmless pages.
Most IT jocks (formerly nerds and geeks):
1. use less-exploitable browsers, e.g. Firefox
2. use a less-exploitable OS, e.g. Linux, OS10
3. are less likely to visit dodgy websites
4. are less likely to respond to "Cum see Brittny Speers nekkid at our website!"
Re: (Score:2)
I don't think that's valid. Past exploits have used syndicated advertising, e.g. DoubleClick [theregister.co.uk], Falk [theregister.co.uk].
Re: (Score:1)
We're momentarily immune. This just gives me cause to worry about all the security exploits that are doubtless lurking beneath running Firefox 3 on Linux, and will begin to be exploited if we gain much more market share.
In general, I don't see how I'm any safer than the average user, except that I have a reasonable understanding of what looks fishy in my browser. But really, it's not the things I can see that worry me, it's the things I cannot see, and I cannot see anything that prevents malware from hiding
Re: (Score:1)
Apparently, Coreflood would enter a network via a drive-by browser exploit, download a copy of the installer, then run PsExec, a legitimate Windows administration tool available from Microsoft.
"It could happen to anybody," Stewart said, "any user who happened to go to the wrong site." If the user also happened to be on the
Re: (Score:1)
> Most here assembled, though not 100 percent immune, are far less susceptible than an "average" user to any sort of malware infection.
It could happen to anyone who uses Windows is more accurate. I have seen smart people with current virus scanners and anti-spyware tools still suffering from DNS hijacking and spamming worms.
You only have to look at one dodgy website once. Having virus scanners and all the latest updates will not prevent infection.
Office Space (Score:2)
I probably wouldn't notice a few cents missing from my account once a month, I bet there's several thousand other people who wouldn't either.
This is a good way to do it. (Score:1, Interesting)
My bank (SEB Sweden) uses a token from Vasco.
Login works like this:
username: birthdate + personal number (something like a social security number)
passwd: code generated by 2 numbers from the webpage punched into the token
When you are done and want to make your transaction, I punch in 1 number from the webpage and the amount of the transfer, and get a number back to sign the transaction.
I believe this is pretty secure since you approve that amount to be transferred and the amount is in the code I sign the transfer wi
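An added example (not SEB's, Vasco's or NatWest's code, and not from any post) of the amount-bound challenge/response that the SEB, NatWest and "Baby steps to the solution" posts describe: a toy HMAC token and bank server, showing why a keylogged signing code is useless for a replay or for transaction data that malware has altered in transit. It goes one step beyond the posts in that the payee is signed along with the amount, since signing the amount alone leaves the destination unbound. The shared secret, the challenge format and the 8-digit truncation are assumptions.

```python
import hashlib
import hmac
import secrets


class Token:
    """Offline signing device: the per-customer secret never touches the PC."""

    def __init__(self, secret: bytes):
        self._secret = secret

    def sign(self, challenge: str, amount: str, payee: str) -> str:
        # The customer keys in exactly what the token display shows; the code
        # commits to those values, so a code for 500.00 is not a code for 5000.00.
        msg = f"{challenge}|{amount}|{payee}".encode()
        mac = hmac.new(self._secret, msg, hashlib.sha256).digest()
        return f"{int.from_bytes(mac[:4], 'big') % 10**8:08d}"   # 8 digits, assumed format


class Bank:
    """Server side: holds the same secret and executes only what was signed."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._pending = set()

    def new_challenge(self) -> str:
        # Fresh random challenge per transaction; it is consumed on first use.
        c = f"{secrets.randbelow(10**8):08d}"
        self._pending.add(c)
        return c

    def execute(self, challenge: str, amount: str, payee: str, code: str) -> bool:
        if challenge not in self._pending:   # unknown or already used: replay
            return False
        self._pending.discard(challenge)     # consumed even if the code is wrong
        expected = Token(self._secret).sign(challenge, amount, payee)
        return hmac.compare_digest(expected, code)


def demo():
    secret = b"constructed-per-customer-token-secret"   # constructed sample value
    token, bank = Token(secret), Bank(secret)
    intended = ("500.00", "SE12-3456")                  # what the customer read and typed

    c1 = bank.new_challenge()
    honest = bank.execute(c1, *intended, token.sign(c1, *intended))

    # Malware on the PC rewrites the submitted amount after the customer signed.
    c2 = bank.new_challenge()
    bad_amount = bank.execute(c2, "5000.00", intended[1], token.sign(c2, *intended))

    # Same amount, different destination: only caught because the payee is signed too.
    c3 = bank.new_challenge()
    bad_payee = bank.execute(c3, intended[0], "SE99-9999", token.sign(c3, *intended))

    # Replaying the first, already consumed, challenge with its valid code.
    replay = bank.execute(c1, *intended, token.sign(c1, *intended))
    return honest, bad_amount, bad_payee, replay


if __name__ == "__main__":
    print(demo())  # (True, False, False, False)
```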
So how do we stop this? (Score:1)
Target biggest first? (Score:5, Interesting)
"The only reason (the script) can see that data is to target the biggest accounts first,' he said."
That depends on the objective and tactics of the attacker:
Although the obvious assumption is that the attacker wishes to gain as much money as possible with a minimal chance of being caught, it may be that (s)he is less greedy and/or more cautious.
Suppose that your target is a total of, say, $200K rather than the assumed multi-millions. You are far less likely to be caught or to trigger money-laundering precautions. In a case like this your best strategy might well be to go for above-average but not top 10% balances.
Similarly, if you ARE going for the maximum while still hoping your chance of being caught is low, it may well be worth steering clear of the very highest balances as they could be more closely monitored (and some of them are probably "honeypots").
Re: (Score:2)
Don't forget, one of the oldest ways to steal is by the fraction of a penny -- "rounding up" and "rounding down" and diverting the fraction to an account where the thief can collect it as it adds up.
This is the same idea behind transaction fees of all kinds -- just collect a tiny amount every time money changes hands (every time, and every transaction).
Re: (Score:3, Insightful)
Yes, but to do this properly would generally require someone to have access to the internal programming of the banking system. Making 1 cent transactions might be possible, but they will certainly show up and be more noticeable than if 1 cent just disappeared from the balance. If your account has 200 transactions a month and carries a balance over $20000, you're only going to try to balance that so many times before you give up trying to find the penny. Heck, you could lose a dollar or two at that rate a
Re: (Score:2)
This isn't my area of expertise (I don't have one), but I think this makes sense. The ideal target accounts would see a fairly large number of transactions without being really big accounts, meaning there would be a lot of "noise" (leg
Any USA banks? (Score:1)
Re: (Score:2)
M&T does - If you have a business account, anyway.
Possible Solution... (Score:1)
A proprietary interface that would be distributed by the bank when you open your account.
Each interface would have a distinct set of code in it, this would be different in each package-say for example half of a virus.
When somebody else attempts to do a man in the middle attack, or keylogging to access your account, they would be attacked by the other half of the virus.
It could do something like just shut their syst
Dunno what's coming but it's epic. (Score:2)
Anonymous is legion. CoreFlood is legion*s*.
Like in a legion of legion, legion^2.
So strong in numbers it is a force of nature, taking into account that it is competing with the Storm, or do they coexist nicely?
Is there any way to pit both networks against each other? I just hope it doesn't degrade into a bot-on-bot sin-fest, spawning little bot-nets into each and every single Internet in the web.
Alas, with what is known, could WE build this bot-net eating bot-net? I know it
Where? (Score:2)