Coreflood botnet - Detection and remediation

From Botnets.fr
Revision as of 22:55, 5 August 2015 by Eric.freyssinet


Coreflood botnet - Detection and remediation (publication record)

Botnet: Coreflood
Malware: (not specified)
Botnet/malware group: (not specified)
Exploit kits: (not specified)
Services: (not specified)
Feature: (not specified)
Distribution vector: (not specified)
Target: (not specified)
Origin: (not specified)
Campaign: (not specified)
Operation/Working group: (not specified)
Vulnerability: (not specified)
CCProtocol: (not specified)
Date: 2011 / 21 April 2011
Editor/Conference: (not specified)
Link: http://sempersecurus.blogspot.com/2011/04/coreflood-botnet-detection-and.html
Author: André M. DiMino
Type: (not specified)

Abstract

On April 13, 2011, the FBI and the Dept. of Justice announced that they had received a temporary restraining order allowing them to disable the Coreflood botnet. Coreflood is believed to have had over 2 million infected "drones" under its control, and was responsible for a wide variety of nefarious activities including DDoS and bank fraud.

Now that the Command and Control servers have been disabled, the primary task at hand is in remediation, as well as the notification of victims.

There often are questions on the best way to identify botnet infections on a local network, and Coreflood is no exception. I've listed below some information that will help identify Coreflood traffic, as well as provide some basic remediation suggestions.

Bibtex

 @misc{DiMino2011BFR850,
   author = {André M. DiMino},
   title = {Coreflood botnet - Detection and remediation},
   date = {2011-04-21},
   month = apr,
   year = {2011},
   howpublished = {\url{http://sempersecurus.blogspot.com/2011/04/coreflood-botnet-detection-and.html}},
 }