From Botnets.fr
Revision as of 15:22, 7 February 2015

Coreflood botnet - Detection and remediation

Botnet: Coreflood
Date: 2011 / 21 April 2011
Link: http://sempersecurus.blogspot.com/2011/04/coreflood-botnet-detection-and.html (sempersecurus.blogspot.com)
Author: André M. DiMino

Abstract

On April 13, 2011, the FBI and the Department of Justice announced that they had received a temporary restraining order allowing them to disable the Coreflood botnet. Coreflood is believed to have had over 2 million infected "drones" under its control, and was responsible for a wide variety of nefarious activities including DDoS and bank fraud.

Now that the Command and Control servers have been disabled, the primary task at hand is in remediation, as well as the notification of victims.

There are often questions on the best way to identify botnet infections on a local network, and Coreflood is no exception. I've listed below some information that will help identify Coreflood traffic, as well as provide some basic remediation suggestions.

Bibtex

 @misc{2011BFR850,
   author = {André M. DiMino},
   title = {Coreflood botnet - Detection and remediation},
   date = {2011-04-21},
   month = apr,
   year = {2011},
   howpublished = {\url{http://sempersecurus.blogspot.com/2011/04/coreflood-botnet-detection-and.html}},
 }