Coreflood: April 2011

The Coreflood Trojan infected user computers and transferred banking credentials and other sensitive information to the botnet’s command-and-control servers. The FBI seized the servers April 13 and replaced them with new servers to push out new instructions to disable the Trojan on user machines.

U.S. Marshals seized servers located at five hosting providers in seven U.S. cities—Denver; Scranton, Pa.; Kansas City, Mo.; Dallas; Chicago; Seattle; and Columbus, Ohio—to shut down Rustock, which at one point was singlehandedly pumping out nearly half of the world’s spam. Microsoft also blocked the IP addresses controlling the botnet as part of the March 16 takedown.

The Dutch National Crime Squad’s High Tech Crime Team seized 143 C&C servers controlling Bredolab and arrested the person running the operation Oct. 26, 2010. However, Blue Coat’s malware lab continues to see new samples of Bredolab malware, suggesting the botnet is “still running strong, just in a different form,” Cummins said. Since Bredolab was sold as an online kit, new networks could emerge with the same behavior and characteristics as the old one.

Security vendor LastLine led the efforts to take down 20 of the 30 C&C servers associated with Pushdo in August 2010. Even though some of the servers weren’t shut down, Blue Coat researchers have not seen any Pushdo activity since December, so it appears safe to say Pushdo is inactive.

A Virginia federal judge issued a temporary restraining order that authorized Microsoft to cut off 277 Internet domains associated with Waledac on Feb. 22, 2010. However, Blue Coat researchers still intercept 80,000 to 150,000 requests resembling the original Waledac C&C traffic. There’s speculation that Waledac 2.0 and Kelihos are the same botnet.

FireEye’s researchers noticed that C&C servers belonging to Harnig stopped responding shortly after Rustock was taken offline, suggesting there was some kind of a relationship between the two botnets. Even though there has been no Harnig-related activity for some time, with the servers remaining under the owners’ control, a resurrection remains possible.

Security firms Defense Intelligence and Panda Security collaborated to shut down Mariposa in December 2009. Furthermore, police in Spain arrested three men who ran the botnet in March 2010. One of the largest malware botnets in operation at the time, it stole bank account details and log-in credentials, and used enslaved PCs to launch denial-of-service attacks.

Zeus/SpyEye is a little unusual. While a few Zbot networks have been taken offline, it continues to proliferate because it is available on underground markets as a crimeware kit that anyone can use to create their own botnet, said Richard Wang, manager of Sophos Labs. “The takedowns of individual Zeus botnets are less significant,” said Wagner.

Like Harnig, Swizzor appears to have ceased operations on its own. ESET’s researchers detected a decline in Win32/Swizzor infections and found that the botnet had stopped distributing new malware in February. Win32/Swizzor evaded detection through highly obfuscated code, frequent updates and anti-emulation tricks. It’s not known why Swizzor’s operators shut down.

The botnet is presumed long dead after the FBI arrested mastermind Oleg Nikolaenko on Dec. 2, 2010. The spam operation netted Nikolaenko $465,000 during a six-month period, authorities said.