LAS VEGAS -- In a surprising finding, a security firm has found that a data-stealing Trojan horse program -- long thought to have disappeared into obsolescence -- is still infecting computers today and has amassed a database of hundreds of thousands of login credentials.
This week, security firm SecureWorks announced that it had tapped into the command-and-control network that gives orders to the computers infected by the Coreflood Trojan, a program first discovered in 2002 but found to be spreading today. For six years, the Coreflood Trojan horse has spread slowly and deliberately, first using Internet Relay Chat (IRC) as a way to receive commands from its controllers. Today, the estimated 90,000 infected machines take their marching orders over Hypertext Transfer Protocol (HTTP), the same communications path used by Web servers, said Joe Stewart, director of malware research for SecureWorks.
"I just assumed it had gone away," Stewart said. "This shows that you can have very good longevity, you can have three years of uninterrupted success as long as you don't send a lot of e-mail to people's inboxes."
Antivirus firms first released signatures for the Coreflood program in 2002, according to Stewart, but he and most other researchers did not notice the program until 2003. In May 2005, the Coreflood Trojan hit the limelight when it compromised a businessman's computer, leading to a transfer of approximately $90,000 to the attackers.
In the latest report, SecureWorks said that the software does not appear to be sold on any forums or used by any other cybercrime groups, suggesting that the botnets created by Coreflood are still operated by the same group. The server found by SecureWorks stored nearly a half million account credentials, including the login names and passwords for 3,233 credit-card accounts, 8,485 bank accounts, and 151,000 e-mail accounts, the company said.
The researcher has collected evidence that suggests the Trojan is controlled by two botnet operators living in southern Russia. Law enforcement has shown some interest in pursuing the case, he said.
Posted by: Robert Lemos