April 21, 2011

Coreflood botnet - Detection and remediation

On April 13, 2011, The FBI and the Dept. of Justice announced that they had received a temporary restraining order allowing them to disable the Coreflood botnet. Coreflood is believed to have had over 2 million infected "drones" under its control, and was responsible for a wide variety of nefarious activities including DDoS and bank fraud.

Now that the Command and Control servers have been disabled, the primary task at hand is in remediation, as well as the notification of victims.

There often are questions on the best way to identify botnet infections on a local network, and Coreflood is no exception. I've listed below some information that will help identify Coreflood traffic, as well as provide some basic remediation suggestions.


  • Outbound traffic on port 80 to IP address and/or corresponding to the following dates: 
    •   - 4/12/2011 to date
    •   - 4/12/2011 to 4/20/2011
  • DNS queries for the following hostnames:
    • taxadvice.ehostville[dot]com
    • taxfree[dot]nethostplus[dot]net
    • onlinebooking[dot]nethostplus[dot]net
    • accounts[dot]nethostplus[dot]net
    • logon[dot]nethostplus[dot]net
    • imap[dot]nethostplus[dot]net
    • pop3[dot]nethostplus[dot]net
    • schedules[dot]nethostplus[dot]net
    • mediastream[dot]nethostplus[dot]net
    • ticket.hostnetline[dot]com
    • flu.medicalcarenews[dot]org
    • vaccine.medinnovation[dot]org
    • ipadnews[dot]netwebplus[dot]net
    • acdsee.licensevalidate[dot]net
    • savupdate.licensevalidate[dot]net
    • wellness.hostfields[dot]net
    • wiki.hostfields[dot]net
    • a-gps.vip-studions[dot]net
    • old.antrexhost[dot]com
    • marker.antrexhost[dot]com
    • spamblocker.antrexhost[dot]com
    • ads.antrexhost[dot]com
    • cafe.antrexhost[dot]com
    • coffeeshop.antrexhost[dot]com
    • dru.realgoday[dot]net
    • brew.fishbonetree[dot]biz
    • jane.unreadmsg[dot]net
    • exchange.stafilocox[dot]net
    • ns1.diplodoger[dot]com



No comments: