The Coreflood botnet seizure by the FBI has been well documented by the Justice Department in the April 12, 2011 Complaint. Blogger, Gary Warner, does an excellent job reviewing the legal case and the 10-year history of the Coreflood botnet. That’s right, 10 years! Our contribution to the discussion is to underscore the importance of the role of the Service Provider in every company’s security profile. Customer, partner and supplier networks make up the extended enterprise. Companies rely on these networks to conduct business. Internet Service Providers (ISPs) deliver the underlying backbone for these operations. In this article, I spotlight the ISPs involvement and offer a reminder that ‘risks that go unmanaged are risks accepted’.
Coreflood Botnet Exploited Service Provider Networks for 10 Years:
• Employed key-logging malware to commit millions of dollars in wire and bank fraud
• Infected 2.3 Million bots, with 78% of those residing within the US.
• Went unnoticed withing ISP Networks due to lack of cyber situational awareness, visibility, urgency, and accountability.
• Highlighted a major security concern for government and corporations that rely on ISPs to conduct daily business operations
What is Coreflood and Why is This Important?
Coreflood is one of the oldest botnets in operation. It has gained fame due to the extraordinary intervention the Justice Department recently took to seize control of the expansive botnet. But its impact has been documented for years in various exploits resulting in millions of infected computers and unique bots, stolen banking, credit card, email, and social site passwords, and more than a few feature stories including NBC’s The Fleecing of America. Over its 10-year run, Coreflood employed key-logging malware to commit millions of dollars of wire and bank fraud. The Coreflood malware infected 2.3 million bots and maintained a significant presence in the United States. The FBI complaint lists some of the major ISPs that the botnet operators used in their C&C (Command and Control) infrastructure, including: 2 ASNs (Autonomous Systems), 24 domain names (60, including tertiary), 15 DNS Providers, and 18 Registrars. Coreflood was able to operate continuously due to the lack of accountability of Service Providers and lack of visibility into their networks.
Why is it Essential to Examine Service Providers?
Service providers deliver the basic infrastructure of the Internet and the Web upon which everybody – governments, large and small commercial enterprises, critical infrastructure providers, consumers, and the bad guys – depends, including:
• Hosting, Cloud
• Email, Web, e-commerce
• Domain registration and DNS
• SSL (Certificate Authorities)
Service providers are the key to understanding the cascading effects of incidents – malicious or configuration errors. While performance among ISPs varies widely, when considering the length of time that Coreflood was operational, and the relative prominence within many ISPs, it is safe to conclude that in general their security posture is weak. The ISP community maintains an environment in which malicious networks can thrive and therefore all who depend on the Internet are at risk.
How Can We Understand and Reduce Our Risk?
While threat intelligence and network reputation services provide some measure of response to the problem, these offerings have not proven to be truly effective. For the most part, this is because they address a limited problem space – malicious host categorization – and focus on the symptoms rather than the cause. We are awash in services that detect and monitor phishing, spam, botnets, and malicious hosts. Largely missing from these services are detection and monitoring of the Routing and DNS infrastructure that are responsible for the transit of all network traffic. Mis-configured or vulnerable routers and DNS servers have enormous risk implications.
In conducting some recent analysis, the infrastructure entity names in the Coreflood complaint are represented within our cyber situational awareness platform as part of its baseline routing database that serves to map and track all possible Internet routes between and through Autonomous Systems (AS). These entities were previously tagged with malicious associations and within two days of the filing, we could see the effects of the ‘trap and trace’ order, including the provisioning of the replacement C&C and authoritative DNS servers. In the tables on the following page, we list the ASNs used and their role and the nameservers and the total number of domains served by each nameserver (below).
Having this knowledge and awareness is the first step to being able to manage the risk that is ever present. With this information, we can identify critical assets as well as problem areas. In the below figure, we show examples of routing monitors set up to monitor gnax.net, the autonomous system and specific CIDR block for one of the primary Coreflood Controllers. In these screenshots, we see evidence of localized malicious activity in the CIDR, unusual peering activity, unusual CIDR size distribution, and an alert for potential prefix hijacking. This information serves as a basis for proactively monitoring for DNS and Border Gateway Protocol (BGP) anomalies.
Call to Action
It’s well past time for ISP scorecards. The vast majority or organizations are in the dark when it comes to understanding the performance, or even identity, of the organizations that manage or are directly involved in their routing, DNS, email Web servers, and SSL infrastructure. This information is knowable and can be managed and secured. Large organizations seeking to identify their supply chain risk and Information Sharing and Analysis (ISACs) can play a leading role in implementing systems that let ISPs know they are being monitored, evaluated, and held accountable.