Mitigation Strategies for Coreflood Trojan Botnets
Malware does not always need a software vulnerability to infect a system and propagate. The Coreflood Trojan is an example of this kind of vulnerability-independent malware: it is designed to leverage the normal structure of a Windows network, and the trust relationships within it, for account compromise and data theft.
Criminals typically use infected websites to silently infect visitors. Once a system is infected, the malware remains dormant until someone with a privileged account (a system administrator) logs in. When the administrator logs into the computer, the malware attempts to traverse the network using a legitimate Windows program, psexec. Later versions of the malware stopped using the psexec tool and implemented a custom tool that imitates psexec's capabilities. Coreflood was originally discovered in 2001 and continues to evolve as an active threat within the malware market.
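The behaviour described above (an interactive privileged logon on one host, followed shortly by remote service installs on many other hosts under the same account) is what a defender can look for. The following Python is an added detection sketch, not code from US-CERT or from the advisory; it runs over constructed sample events modelled loosely on Windows Security event 4624 (logon) and System event 7045 (service installed), with simplified field names that are an assumption. The first check matches the well-known PSEXESVC service name; the second correlates a privileged logon with a subsequent fan-out of service installs by the same account, which also catches the later variants that replaced psexec with a custom tool under a different service name.

```python
"""Detection sketch: PsExec-style lateral movement following a privileged logon.

Added example; the event records below are constructed for illustration and the
field layout (time/host/event_id/account/service/image) is an assumption, not the
native Windows event schema.
"""
from datetime import datetime, timedelta

# Constructed sample events. 4624 = account logon, 7045 = a service was installed.
SAMPLE_EVENTS = [
    {"time": "2024-01-10T09:00:00", "host": "WS-17", "event_id": 4624,
     "account": "CORP\\adminjane", "logon_type": 2},
    {"time": "2024-01-10T09:02:10", "host": "WS-22", "event_id": 7045,
     "account": "CORP\\adminjane", "service": "PSEXESVC",
     "image": "%SystemRoot%\\PSEXESVC.exe"},
    {"time": "2024-01-10T09:02:15", "host": "WS-23", "event_id": 7045,
     "account": "CORP\\adminjane", "service": "PSEXESVC",
     "image": "%SystemRoot%\\PSEXESVC.exe"},
    # A psexec-like custom tool: different service name, same behaviour.
    {"time": "2024-01-10T09:02:40", "host": "SRV-05", "event_id": 7045,
     "account": "CORP\\adminjane", "service": "svchlpr",
     "image": "%SystemRoot%\\svchlpr.exe"},
    # Benign noise: an unrelated service install and an ordinary user logon.
    {"time": "2024-01-10T13:30:00", "host": "SRV-01", "event_id": 7045,
     "account": "NT AUTHORITY\\SYSTEM", "service": "ExampleUpdater",
     "image": "C:\\Program Files\\Example\\updater.exe"},
    {"time": "2024-01-10T14:00:00", "host": "WS-40", "event_id": 4624,
     "account": "CORP\\bob", "logon_type": 2},
]

# Assumption: in practice this set is fed from directory group membership.
PRIVILEGED_ACCOUNTS = {"CORP\\adminjane"}
WINDOW = timedelta(minutes=10)   # how long after the logon we look for fan-out
FANOUT_THRESHOLD = 2             # distinct remote hosts needed to raise an alert


def parse_time(value):
    return datetime.fromisoformat(value)


def find_psexec_services(events):
    """Service installs whose name is the stock PsExec service name."""
    return [e for e in events
            if e["event_id"] == 7045
            and e.get("service", "").upper() == "PSEXESVC"]


def find_post_logon_fanout(events, privileged=PRIVILEGED_ACCOUNTS,
                           window=WINDOW, threshold=FANOUT_THRESHOLD):
    """Privileged logon on host A followed, within `window`, by service installs
    on at least `threshold` other hosts performed by the same account."""
    ordered = sorted(events, key=lambda e: parse_time(e["time"]))
    alerts = []
    for i, logon in enumerate(ordered):
        if logon["event_id"] != 4624 or logon["account"] not in privileged:
            continue
        t0 = parse_time(logon["time"])
        targets = {}
        for later in ordered[i + 1:]:
            if parse_time(later["time"]) - t0 > window:
                break  # events are sorted, so nothing further is in the window
            if (later["event_id"] == 7045
                    and later["account"] == logon["account"]
                    and later["host"] != logon["host"]):
                targets.setdefault(later["host"], []).append(later.get("service"))
        if len(targets) >= threshold:
            alerts.append({"account": logon["account"],
                           "source_host": logon["host"],
                           "logon_time": logon["time"],
                           "targets": targets})
    return alerts


if __name__ == "__main__":
    for hit in find_psexec_services(SAMPLE_EVENTS):
        print("PSEXESVC installed on", hit["host"], "by", hit["account"])
    for alert in find_post_logon_fanout(SAMPLE_EVENTS):
        print("fan-out after privileged logon:", alert)
```

The name match alone misses the custom-tool variant on SRV-05; the correlation rule catches it because it keys on the sequence of events rather than on a tool name. Tune the window and threshold to the normal rate of remote service installs in your environment, and exclude known deployment accounts to keep the false-positive rate workable.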
US-CERT recommends that organizations evaluate the following tactical and strategic mitigations to determine which ones they can apply in their specific environments to minimize and prevent Coreflood Trojan infections.
Included in this ZIP file are:
- Intro Page.doc
- Terms and Conditions.pdf
- Coreflood Trojan Botnet.pdf