
April 2011

Coreflood Detection and Removal

Following the search and seizure of Coreflood botnet operations, the FBI has been examining traffic received at the servers they placed in substitution for Coreflood's C&C servers, and has notified many ISPs and businesses as they identified infected IPs on these public and private networks.  To further help with remediation, the FBI has also made the following information available to the security and operations communities to assist network administrators in identifying the presence of PCs infected with the AFcore malware.

Detecting Coreflood Infections

To determine whether infected PCs reside on your network, examine outbound traffic, or your security, event or traffic logs, for HTTP/80 traffic to these IP addresses within the indicated date ranges:

        149.20.51.124   - 4/12/2011 to present/future
        207.210.74.74   - 4/12/2011 to 4/20/2011

In addition, examine outbound traffic or logs for DNS queries that attempt to resolve the following host names:

taxadvice.ehostville[dot]com
taxfree[dot]nethostplus[dot]net
onlinebooking[dot]nethostplus[dot]net
accounts[dot]nethostplus[dot]net
logon[dot]nethostplus[dot]net
imap[dot]nethostplus[dot]net
pop3[dot]nethostplus[dot]net
schedules[dot]nethostplus[dot]net
mediastream[dot]nethostplus[dot]net
ticket.hostnetline[dot]com
flu.medicalcarenews[dot]org
vaccine.medinnovation[dot]org
ipadnews[dot]netwebplus[dot]net
acdsee.licensevalidate[dot]net
savupdate.licensevalidate[dot]net
wellness.hostfields[dot]net
wiki.hostfields[dot]net
a-gps.vip-studions[dot]net
old.antrexhost[dot]com
marker.antrexhost[dot]com
spamblocker.antrexhost[dot]com
ads.antrexhost[dot]com
cafe.antrexhost[dot]com
coffeeshop.antrexhost[dot]com
dru.realgoday[dot]net
brew.fishbonetree[dot]biz
jane.unreadmsg[dot]net
exchange.stafilocox[dot]net

ns1.diplodoger[dot]com
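The two checks above (HTTP/80 traffic to the listed IPs within their date windows, and DNS queries for the listed host names) are easy to turn into a log sweep. The script below is an added example, not FBI or author code: it re-fangs the "[dot]" names, applies the date window to each IP, and flags matching lines from a proxy log and a DNS query log. The log line formats and the sample lines are constructed for the example, and only a subset of the published host names is embedded; the rest are added to DEFANGED_HOSTS the same way.

```python
"""Sweep proxy and DNS query logs for the Coreflood indicators published
in the FBI notice.  Added example; log formats below are assumptions."""
import re
from datetime import date
from urllib.parse import urlsplit

# C&C / sinkhole IPs from the notice and the window in which traffic to
# them is meaningful (None = open-ended, i.e. "present/future").
C2_IPS = {
    "149.20.51.124": (date(2011, 4, 12), None),
    "207.210.74.74": (date(2011, 4, 12), date(2011, 4, 20)),
}

# Host names copied in their defanged form (subset of the published list;
# append the remaining entries from the notice in the same way).
DEFANGED_HOSTS = """
taxadvice.ehostville[dot]com
imap[dot]nethostplus[dot]net
pop3[dot]nethostplus[dot]net
ticket.hostnetline[dot]com
acdsee.licensevalidate[dot]net
ads.antrexhost[dot]com
exchange.stafilocox[dot]net
ns1.diplodoger[dot]com
"""


def refang(name):
    """Turn a published defanged name ("[dot]") back into a real host name."""
    return name.replace("[dot]", ".").strip().lower().rstrip(".")


C2_HOSTS = {refang(h) for h in DEFANGED_HOSTS.split()}

# Assumed (constructed) log formats:
#   proxy: "2011-04-15 10:22:01 10.1.2.3 GET http://149.20.51.124/index.php"
#   dns:   "2011-04-15 10:22:05 client 10.1.2.4#53211: query: imap.nethostplus.net IN A"
PROXY_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2}) \S+ (?P<src>[\d.]+) \S+ (?P<url>\S+)")
DNS_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2}) \S+ client (?P<src>[\d.]+)#\d+: query: (?P<qname>\S+)")


def ip_matches(ip, day):
    """True if ip is a listed C&C address and day falls inside its window."""
    window = C2_IPS.get(ip)
    if window is None:
        return False
    start, end = window
    return day >= start and (end is None or day <= end)


def scan(lines):
    """Return (source_ip, indicator, reason) for every line that matches."""
    hits = []
    for line in lines:
        m = PROXY_RE.match(line)
        if m:
            day = date.fromisoformat(m["day"])
            host = (urlsplit(m["url"]).hostname or "").lower()
            if ip_matches(host, day):
                hits.append((m["src"], host, "http to C&C ip"))
            elif host in C2_HOSTS:
                hits.append((m["src"], host, "http to C&C host"))
            continue
        m = DNS_RE.match(line)
        if m:
            qname = m["qname"].lower().rstrip(".")
            if qname in C2_HOSTS:
                hits.append((m["src"], qname, "dns query for C&C host"))
    return hits


# Constructed sample lines: one in-window hit per IP, one DNS hit, one
# request to 207.210.74.74 after 4/20 (ignored), and two benign lines.
SAMPLE_LOG = [
    "2011-04-15 10:22:01 10.1.2.3 GET http://149.20.51.124/index.php",
    "2011-04-25 11:00:00 10.1.2.9 GET http://207.210.74.74/",
    "2011-04-18 09:00:00 10.1.2.7 GET http://207.210.74.74/",
    "2011-04-15 10:22:05 client 10.1.2.4#53211: query: imap.nethostplus.net IN A",
    "2011-04-15 10:23:00 client 10.1.2.5#41000: query: www.example.com IN A",
    "2011-04-15 10:24:00 10.1.2.6 GET http://www.example.com/",
]

if __name__ == "__main__":
    for src, indicator, why in scan(SAMPLE_LOG):
        print(f"{src} -> {indicator} ({why})")
```

The source IP in each hit is what you actually want: it identifies the internal PC to pull for cleanup. Traffic to 207.210.74.74 after 4/20/2011 is deliberately not flagged, since the notice bounds that address to the 4/12 to 4/20 window; adjust the windows if the FBI publishes updated dates.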

How to Remove Coreflood

According to the FBI and Microsoft's Digital Crimes Unit, the following methods can be used to remove Coreflood from infected computers you identify:

Download and run the most current version of the Microsoft Malicious Software Removal Tool (MSRT), which detects and removes Coreflood. MSRT runs on Windows 7, Vista and XP and on Windows Server 2003 and 2008, and is also available via Microsoft Update, Windows Update and the Microsoft Download Center. Note that MSRT targets only specific malware families; for a more thorough scan that also removes other malware, download and run the most current version of Microsoft Safety Scanner.

Alternatively, update your installed Anti-Virus software and run a full scan. Most legitimate Anti-Virus software should now detect and remove Coreflood. A full scan is recommended because, in addition to its well-publicized key logging capabilities, the AFcore malware can download and execute files, which can be used to install other malware.


Lessons learned from Amazon/AWS outage

Phil Wainewright's seven lessons learned from the Amazon outage run the gamut from the benevolent "customers will forgive Amazon because they are Amazon" to a finger-wagging "Did I not warn you to read the label?" However, the most important lessons Phil warns us to learn underscore the concerns I expressed regarding cloud marketing a short while ago.

Cloud security is ultimately bounded by the same constraints as the enterprise - expertise, quality of processes and workflows, technology, monitoring, review, testing... - and it is subject to the same, if not a larger, attack surface [1].

The irony we witnessed from the AWS outages is that putting all your faith and assets into a single cloud puts you into a single point of failure scenario.

Phil warns us not to take cloud provider assurances for granted, to supplement your cloud provider's services with resilience/recovery measures of your own, and to be prepared to pay more than the cloud invoice every month, because resiliency comes at a cost.