Following the search and seizure of Coreflood botnet operations, the FBI has been examining traffic received at the substitute servers it placed in the position of Coreflood's C&C servers, and has notified many ISPs and businesses as it identified infected IPs on their public and private networks. To further help with remediation, the FBI has also made the following information available to the security and operations communities to assist network administrators in identifying PCs infected with the AFcore malware.
Detecting Coreflood Infections
To determine whether infected PCs reside on your network, examine outbound traffic, or your security, event or traffic logs, for HTTP/80 traffic to these IP addresses over the indicated date ranges:
220.127.116.11 - 4/12/2011 to present/future
18.104.22.168 - 4/12/2011 to 4/20/2011
In addition, examine outbound traffic or logs for DNS queries that attempt to resolve the following host names:
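The two checks above (port-80 flows to the sinkhole IPs within their date windows, and DNS queries for the Coreflood host names) can be run mechanically over exported logs. The following Python script is an added example written for this page, not FBI or Microsoft tooling. The firewall and DNS log formats, the internal IP addresses and all log lines are constructed for illustration; the sinkhole IPs and dates come from the advisory text above, while the Coreflood host names are not reproduced on this page, so the script carries an obviously labelled placeholder that must be replaced with the published names.

```python
"""Flag hosts that contacted the Coreflood sinkhole IPs over HTTP/80 inside the
indicated date windows, or that queried a Coreflood host name."""
import re
from datetime import date, datetime

# Indicators from the advisory text. Each sinkhole IP is paired with the date
# window in which traffic to it is meaningful; None means "present/future".
COREFLOOD_SINKHOLES = {
    "220.127.116.11": (date(2011, 4, 12), None),
    "18.104.22.168": (date(2011, 4, 12), date(2011, 4, 20)),
}

# The advisory's host-name list is not reproduced on this page. Replace this
# PLACEHOLDER entry with the published names before use.
COREFLOOD_HOSTNAMES = {
    "PLACEHOLDER-coreflood-hostname.example",
}

# Constructed sample firewall log (not a real capture). Assumed format:
# "<ISO timestamp> <src_ip> -> <dst_ip>:<dst_port> <proto>"
FIREWALL_LOG = """\
2011-04-15T09:12:01 10.0.5.23 -> 220.127.116.11:80 TCP
2011-04-15T09:13:44 10.0.5.23 -> 93.184.216.34:443 TCP
2011-04-11T23:59:59 10.0.7.9 -> 18.104.22.168:80 TCP
2011-04-18T08:00:00 10.0.7.9 -> 18.104.22.168:80 TCP
2011-04-25T12:30:00 10.0.7.9 -> 18.104.22.168:80 TCP
2011-04-25T12:31:00 10.0.9.41 -> 220.127.116.11:8080 TCP
"""

# Constructed sample DNS query log. Assumed format:
# "<ISO timestamp> <client_ip> query <qname>"
DNS_LOG = """\
2011-04-15T09:11:58 10.0.5.23 query PLACEHOLDER-coreflood-hostname.example
2011-04-15T09:12:30 10.0.5.23 query www.example.com
"""

FW_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+) (\S+)$")
DNS_RE = re.compile(r"^(\S+) (\S+) query (\S+)$")


def in_window(day, window):
    """True if `day` falls inside (start, end); an end of None is open-ended."""
    start, end = window
    return day >= start and (end is None or day <= end)


def find_http_hits(log_text):
    """Return (timestamp, src_ip, dst_ip) for port-80 flows to a sinkhole IP
    that fall inside that IP's date window."""
    hits = []
    for line in log_text.splitlines():
        m = FW_RE.match(line)
        if not m:
            continue
        ts, src, dst, port, _proto = m.groups()
        window = COREFLOOD_SINKHOLES.get(dst)
        if window is None or int(port) != 80:
            continue
        if in_window(datetime.fromisoformat(ts).date(), window):
            hits.append((ts, src, dst))
    return hits


def find_dns_hits(log_text):
    """Return (timestamp, client_ip, qname) for queries naming a Coreflood host."""
    wanted = {h.lower() for h in COREFLOOD_HOSTNAMES}
    hits = []
    for line in log_text.splitlines():
        m = DNS_RE.match(line)
        if not m:
            continue
        ts, client, qname = m.groups()
        if qname.rstrip(".").lower() in wanted:
            hits.append((ts, client, qname))
    return hits


def suspect_hosts(fw_log, dns_log):
    """Internal IPs to hand to the remediation steps below (MSRT / full AV scan)."""
    http_src = {src for _, src, _ in find_http_hits(fw_log)}
    dns_src = {client for _, client, _ in find_dns_hits(dns_log)}
    return sorted(http_src | dns_src)


if __name__ == "__main__":
    for hit in find_http_hits(FIREWALL_LOG):
        print("HTTP/80 to sinkhole:", *hit)
    for hit in find_dns_hits(DNS_LOG):
        print("DNS query for Coreflood host name:", *hit)
    print("Hosts to remediate:", suspect_hosts(FIREWALL_LOG, DNS_LOG))
```

Note the date window matters: in the sample, the 10.0.7.9 flow on 2011-04-11 predates the seizure and the one on 2011-04-25 falls after the second sinkhole was retired, so neither is reported, while the port-8080 flow is ignored because the advisory is specific about HTTP/80.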
How to Remove Coreflood
According to the FBI and Microsoft's Digital Crimes Unit, the following methods can be used to remove Coreflood from infected computers you identify:
Download and run the most current version of the Microsoft Malicious Software Removal Tool (MSRT), which will detect and remove Coreflood. MSRT works on Windows 7/Vista/XP and Windows Server 2003/2008. Note that MSRT targets only specific malware families; it is also available via Microsoft Update, Windows Update and the Microsoft Download Center. For a more thorough scan that also removes other malware, download and run the most current version of Microsoft Safety Scanner.
Alternatively, update and run a full scan with your installed anti-virus software. Most legitimate anti-virus software should now detect and remove Coreflood. A full scan is recommended because the AFCore malware has download-and-execute capabilities, which can be used to install other malware in addition to its well-publicized key logging capabilities.