Following the seizure of the Coreflood botnet's command-and-control (C&C) infrastructure, the FBI has been examining the traffic received at the substitute servers it placed in Coreflood's C&C servers' stead, and has notified ISPs and businesses as it identified infected IP addresses on their public and private networks. To further help with remediation, the FBI has also released the following information to the security and operations communities, to assist network administrators in identifying PCs infected with the AFcore malware that makes up Coreflood.
Detecting Coreflood Infections
To determine whether infected PCs reside on your network, examine outbound traffic, or your firewall, proxy, security-event or flow logs, for HTTP (TCP/80) connections to the following IP addresses within the indicated date ranges:
149.20.51.124 - 4/12/2011 onward
207.210.74.74 - 4/12/2011 to 4/20/2011
Only connections that fall inside the listed window are an indicator: the second address served as a substitute C&C server only until 4/20/2011.
In addition, examine outbound traffic or logs for DNS queries that attempt to resolve the following host names:
taxadvice.ehostville[dot]com
taxfree.nethostplus[dot]net
onlinebooking.nethostplus[dot]net
accounts.nethostplus[dot]net
logon.nethostplus[dot]net
imap.nethostplus[dot]net
pop3.nethostplus[dot]net
schedules.nethostplus[dot]net
mediastream.nethostplus[dot]net
ticket.hostnetline[dot]com
flu.medicalcarenews[dot]org
vaccine.medinnovation[dot]org
ipadnews.netwebplus[dot]net
acdsee.licensevalidate[dot]net
savupdate.licensevalidate[dot]net
wellness.hostfields[dot]net
wiki.hostfields[dot]net
a-gps.vip-studions[dot]net
old.antrexhost[dot]com
marker.antrexhost[dot]com
spamblocker.antrexhost[dot]com
ads.antrexhost[dot]com
cafe.antrexhost[dot]com
coffeeshop.antrexhost[dot]com
dru.realgoday[dot]net
brew.fishbonetree[dot]biz
jane.unreadmsg[dot]net
exchange.stafilocox[dot]net
ns1.diplodoger[dot]com
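The two checks above (sinkhole IPs within their date windows, and DNS queries for the listed host names) are easy to automate against exported logs. The script below is an added example written for this page, not FBI tooling; the two log layouts it parses are assumptions for illustration (firewall lines as "YYYY-MM-DD HH:MM:SS src_ip dst_ip dst_port", DNS lines as "YYYY-MM-DD HH:MM:SS src_ip qname"), and the sample log lines are constructed. It refangs the defanged indicators, ignores sinkhole connections outside the published window or on a port other than 80, and normalises logged query names (case, trailing dot) before matching.

```python
# Added example (not from the FBI notice): scan constructed firewall and DNS
# logs for the Coreflood indicators published above. Log layouts are assumed:
#   firewall: "YYYY-MM-DD HH:MM:SS src_ip dst_ip dst_port"
#   dns:      "YYYY-MM-DD HH:MM:SS src_ip qname"
from datetime import date, datetime

# Substitute C&C addresses and the window in which traffic to them matters
# (an end of None means "to present").
SINKHOLE_IPS = {
    "149.20.51.124": (date(2011, 4, 12), None),
    "207.210.74.74": (date(2011, 4, 12), date(2011, 4, 20)),
}

# Host names from the notice, kept defanged here and refanged for matching.
COREFLOOD_HOSTS_DEFANGED = [
    "taxadvice.ehostville[dot]com", "taxfree.nethostplus[dot]net",
    "onlinebooking.nethostplus[dot]net", "accounts.nethostplus[dot]net",
    "logon.nethostplus[dot]net", "imap.nethostplus[dot]net",
    "pop3.nethostplus[dot]net", "schedules.nethostplus[dot]net",
    "mediastream.nethostplus[dot]net", "ticket.hostnetline[dot]com",
    "flu.medicalcarenews[dot]org", "vaccine.medinnovation[dot]org",
    "ipadnews.netwebplus[dot]net", "acdsee.licensevalidate[dot]net",
    "savupdate.licensevalidate[dot]net", "wellness.hostfields[dot]net",
    "wiki.hostfields[dot]net", "a-gps.vip-studions[dot]net",
    "old.antrexhost[dot]com", "marker.antrexhost[dot]com",
    "spamblocker.antrexhost[dot]com", "ads.antrexhost[dot]com",
    "cafe.antrexhost[dot]com", "coffeeshop.antrexhost[dot]com",
    "dru.realgoday[dot]net", "brew.fishbonetree[dot]biz",
    "jane.unreadmsg[dot]net", "exchange.stafilocox[dot]net",
    "ns1.diplodoger[dot]com",
]

def refang(name):
    """Canonical lowercase FQDN: undo [dot]/[.] defanging, drop trailing dot."""
    return name.lower().replace("[dot]", ".").replace("[.]", ".").rstrip(".")

COREFLOOD_HOSTS = {refang(h) for h in COREFLOOD_HOSTS_DEFANGED}

def _parse_ts(day, clock):
    return datetime.strptime(f"{day} {clock}", "%Y-%m-%d %H:%M:%S")

def in_window(ip, when):
    """True if a connection to sinkhole `ip` on date `when` is inside its window."""
    start, end = SINKHOLE_IPS[ip]
    return start <= when and (end is None or when <= end)

def http_hits(fw_log):
    """(src, dst, timestamp) for TCP/80 connections to a sinkhole inside its window."""
    hits = []
    for line in fw_log.splitlines():
        if not line.strip():
            continue
        day, clock, src, dst, port = line.split()
        when = _parse_ts(day, clock)
        if dst in SINKHOLE_IPS and port == "80" and in_window(dst, when.date()):
            hits.append((src, dst, when))
    return hits

def dns_hits(dns_log):
    """(src, qname, timestamp) for queries that exactly match a listed host name."""
    hits = []
    for line in dns_log.splitlines():
        if not line.strip():
            continue
        day, clock, src, qname = line.split()
        q = refang(qname)
        if q in COREFLOOD_HOSTS:
            hits.append((src, q, _parse_ts(day, clock)))
    return hits

def suspect_hosts(fw_log, dns_log):
    """Sorted internal IPs that produced at least one indicator hit."""
    return sorted({h[0] for h in http_hits(fw_log)} | {h[0] for h in dns_hits(dns_log)})

# Constructed sample logs: 10.0.0.9's second connection is after 4/20/2011 and
# 10.0.0.7's connection is not on port 80, so neither of those is flagged.
FIREWALL_LOG = """\
2011-04-13 09:12:01 10.0.0.5 149.20.51.124 80
2011-04-13 09:12:02 10.0.0.5 93.184.216.34 80
2011-04-15 11:00:00 10.0.0.9 207.210.74.74 80
2011-04-25 11:00:00 10.0.0.9 207.210.74.74 80
2011-04-13 09:13:00 10.0.0.7 149.20.51.124 443
"""
DNS_LOG = """\
2011-04-13 09:11:59 10.0.0.5 taxadvice.ehostville.com
2011-04-13 09:11:59 10.0.0.6 www.example.com
2011-04-14 10:00:00 10.0.0.8 POP3.NETHOSTPLUS.NET.
"""

if __name__ == "__main__":
    for src, indicator, when in http_hits(FIREWALL_LOG) + dns_hits(DNS_LOG):
        print(f"{when} {src} -> {indicator}")
    print("suspect hosts:", ", ".join(suspect_hosts(FIREWALL_LOG, DNS_LOG)))
```

Run against the constructed logs it reports 10.0.0.5 (sinkhole connection plus DNS query), 10.0.0.8 (DNS query only) and 10.0.0.9 (one in-window sinkhole connection); replace the two log strings with your own exports and adjust the `split()` field order to match.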
How to Remove Coreflood
According to the FBI and Microsoft's Digital Crimes Unit, the following methods can be used to remove Coreflood from infected computers you identify:
Download and run the most current version of the Microsoft Malicious Software Removal Tool (MSRT), which detects and removes Coreflood. MSRT runs on Windows 7, Vista and XP and on Windows Server 2003 and 2008, and is also distributed through Microsoft Update, Windows Update and the Microsoft Download Center. Note that MSRT targets only a specific set of malware families; for a more thorough scan that also removes other malware, download and run the most current version of the Microsoft Safety Scanner.
Alternatively, update your installed anti-virus software and run a full scan; most mainstream anti-virus products should now detect and remove Coreflood. A full scan rather than a quick scan is recommended because the AFcore malware has download-and-execute capability, which can be used to install additional malware alongside its well-publicized keylogging, so an infected PC may be carrying other infections as well.