Archive for the ‘FBI’ Category

FBI warns against hotel net connections

May 22nd, 2012

The Federal Bureau of Investigation (FBI) issued a warning earlier this month that travelers should be careful when using Internet connections in hotels. Some travelers have inadvertently downloaded malicious software onto their computers by accepting fake security updates.

Reportedly, attackers compromised hotel networks (mainly outside the United States) so that when travelers tried to log on they saw a pop-up window telling them they needed to update software on their computer before they could get Internet access. The "update" was actually malicious software designed to take control of the computer and steal personal information.

We recommend that you turn on automatic updating and visit Microsoft Update before you travel, so that your computer is already up to date and you have no reason to accept an update offered by a hotel network. Treat any update prompt that appears while you are connecting to a hotel network as suspect: legitimate Windows updates come from Windows Update, not from a network login page. Connecting in hotels through a cable rather than a wireless connection reduces your exposure to rogue access points, but it does not protect you if the hotel's own network has been compromised, as in the cases the FBI describes.

Conquering the Coreflood botnet

May 10th, 2011

The FBI and U.S. Department of Justice announced an operation to take down the Coreflood botnet.

The term bot is short for robot. Criminals distribute malicious software (malware) that can turn your computer into a bot (also known as a zombie). When this happens, your computer can be made to perform automated tasks over the Internet without your knowledge.

Criminals typically infect large numbers of computers this way. Together, the bots form a network, or botnet, that the criminal controls.

To avoid becoming part of a cybercriminal's botnet, see How to better protect your PC with botnet protection and avoid malware.

Microsoft supports the effort to take down this and other botnets, and we’ve added Coreflood malware detection to the Microsoft Security Scanner.

For more information, see FBI and DOJ take on the Coreflood botnet.


MSRT April ’11: Win32/Afcore

April 13th, 2011

This month, the MSRT team added the Win32/Afcore family of trojans to its detections. This malware is also known as Coreflood.

It has evolved over time, first appearing in 2003. At that time it was encountered on malicious web pages containing obfuscated VBScript, detected as TrojanDropper:VBS/Inor.B. The VBScript dropper would decode a hexadecimal-encoded executable, detected as Backdoor:Win32/Apdoor.C, and write it to disk. Its functionality was fairly simple then, and the malware referred to itself as “AICORE” in its debug messages.

Telemetry for the family dropped off in 2009, and during the same period it became part of a command and control (C&C) network, or botnet. The malware also grew more sophisticated: it spawns multiple processes and uses obfuscation and anti-emulation techniques.

Throughout the evolution of what is now known as Afcore, the malware's communication with its C&C server has remained technically the same. The malware uses debug messages for version tracking; some of these debug strings include the following:

  • COM2PLUS_MessageWindowClass
  • Version 3.1-test22(tv7) built on 06/11/08 at 15:32:57
  • Basename: %s, PID: %d (%s)
  • Octopus PID: %d(%i)
  • Shutting down AF . . .
  • Restarting AF . . .
  • Respawning AF . . .
  • User is logging off (%h)
  • AF has exited (%d): %s
  • Windows day %d has elapsed
  • AF 3.1-test22 has caused exception %h at %s+%h (%h)
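
As an added example (not code from the MMPC post), the following Python script shows how an analyst can put these debug messages to work during triage of a memory dump or an unpacked sample. It converts the printf-style templates above into regular expressions, so that both the templates as they sit in the binary and the messages the running malware emits (with PIDs, names and codes filled in) are recognised, and it parses the version and build stamp out of the “Version ... built on ...” string. The sample buffer is constructed for this example and is not a real dump; “%h” is not a standard printf specifier and is assumed here to be a hex value; the “%v” placeholder for the compiled-in version number and the threshold of three templates are choices made for this example, not anything the post states.

```python
"""Triage a memory dump or unpacked sample for Afcore's debug messages.

Added example, not code from the MMPC post. The debug templates are the ones
quoted in the post; the sample buffer below is constructed, not a real dump.
"""
import re
from typing import Dict, List, Optional

VERSION_PATTERN = r"\d+\.\d+-test\d+"   # e.g. 3.1-test22

# Templates quoted in the post. "%v" is a placeholder added here for the
# version number that is compiled literally into the exception message.
AFCORE_DEBUG_TEMPLATES = [
    "COM2PLUS_MessageWindowClass",
    "Basename: %s, PID: %d (%s)",
    "Octopus PID: %d(%i)",
    "Shutting down AF . . .",
    "Restarting AF . . .",
    "Respawning AF . . .",
    "User is logging off (%h)",
    "AF has exited (%d): %s",
    "Windows day %d has elapsed",
    "AF %v has caused exception %h at %s+%h (%h)",
]

SPEC_PATTERNS = {
    "%s": r".+?",
    "%d": r"-?\d+",
    "%i": r"-?\d+",
    "%h": r"(?:0x)?[0-9A-Fa-f]+",   # assumption: %h carries a hex value
    "%v": VERSION_PATTERN,
}
SPEC_RE = re.compile("|".join(re.escape(k) for k in SPEC_PATTERNS))

BUILD_RE = re.compile(
    r"Version (?P<version>" + VERSION_PATTERN + r")\(tv(?P<tv>\d+)\) built on "
    r"(?P<date>\d\d/\d\d/\d\d) at (?P<time>\d\d:\d\d:\d\d)"
)


def template_to_regex(template: str) -> "re.Pattern[str]":
    """Compile a printf-style template into a regex matching its emitted form."""
    parts: List[str] = []
    pos = 0
    for m in SPEC_RE.finditer(template):
        parts.append(re.escape(template[pos:m.start()]))
        parts.append(SPEC_PATTERNS[m.group()])
        pos = m.end()
    parts.append(re.escape(template[pos:]))
    return re.compile("".join(parts))


def extract_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Printable ASCII runs, like the `strings` tool (UTF-16 strings are not handled)."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def triage_afcore(data: bytes) -> Dict[str, object]:
    """Report which templates appear (literal or emitted form) and the build stamp."""
    strings = extract_strings(data)
    matched: List[str] = []
    for template in AFCORE_DEBUG_TEMPLATES:
        rx = template_to_regex(template)
        if any(template in s or rx.search(s) for s in strings):
            matched.append(template)
    build: Optional[Dict[str, str]] = None
    for s in strings:
        m = BUILD_RE.search(s)
        if m:
            build = m.groupdict()
            break
    # "Shutting down AF . . ." alone is weak evidence; require the build stamp
    # or several distinct templates before calling it (threshold chosen here).
    return {
        "matched_templates": matched,
        "build": build,
        "likely_afcore": build is not None or len(matched) >= 3,
    }


# Constructed sample: junk bytes around messages as Afcore would emit them
# (values substituted) and one template still in printf form. Not a real dump.
SAMPLE_DUMP = (
    b"\x00\x01\x02MZ\x90\x00" + b"\xff" * 16
    + b"Version 3.1-test22(tv7) built on 06/11/08 at 15:32:57\x00"
    + b"Octopus PID: 1864(0)\x00"
    + b"Basename: explorer.exe, PID: 1864 (inject)\x00"
    + b"AF 3.1-test22 has caused exception C0000005 at kernel32.dll+1A2B (0)\x00"
    + b"Windows day %d has elapsed\x00"
    + b"COM2PLUS_MessageWindowClass\x00" + b"\x00" * 8
)

if __name__ == "__main__":
    report = triage_afcore(SAMPLE_DUMP)
    print("likely Afcore:", report["likely_afcore"])
    print("build:", report["build"])
    for t in report["matched_templates"]:
        print("  matched:", t)
```

Because the build stamp is parsed into fields rather than matched as one literal, the same script tracks new builds of the family (a different `testNN` number or build date) without a signature update, which is what the version-tracking strings are useful for on the defender's side as well.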

Win32/Afcore comprises two components: a dropper, and the installed malware, which runs as a backdoor. The backdoor component is injected into running processes and connects to a remote server to retrieve commands that are then executed on the affected system; commands can include instructions to steal passwords, attack other computers, and so on. When the dropper is executed, it creates randomly named executable and data files, such as the following:

%TEMP%\gnfl.dll – Win32/Afcore
C:\Windows\System32\iaspojcy.dil – Win32/Afcore
C:\Windows\System32\iaspojcy.dat – data file
C:\Windows\System32\comrspl.dat – data file
C:\Windows\System32\kbdmlv47.dat – data file

The registry is modified so that Win32/Afcore is executed at Windows start, as shown in these examples of modified registry data:

In subkey: HKLM\SOFTWARE\Classes\CLSID\{B22FE457-E4C9-7E85-2AE3-0AF0B4E3A03C}
Sets value: "(default)"
With data: "iaspojcy"

In subkey: HKLM\SOFTWARE\Classes\CLSID\{B22FE457-E4C9-7E85-2AE3-0AF0B4E3A03C}\InprocServer32
Sets value: "(default)"
With data: "C:\Windows\System32\iaspojcy.dil"

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\iaspojcy
Adds value: "(default)"
With data: "{B22FE457-E4C9-7E85-2AE3-0AF0B4E3A03C}"

These changes register the dropped file as a COM in-process server and list its CLSID as a shell icon overlay handler. Explorer loads every registered icon overlay handler into its own process as an in-process COM server when it starts, and Internet Explorer does the same when it loads the shell components, so Win32/Afcore runs whenever Windows Explorer or Internet Explorer is launched. Note that nothing is written to the usual Run keys, so a check of those alone would not reveal it.
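
To show how this kind of persistence can be found offline, here is an added example in Python; it is not part of the original post and not Microsoft's tooling. It parses a text export of the relevant hives, as produced by `reg export` on a live system or from hives mounted from an image, resolves every ShellIconOverlayIdentifiers entry to the DLL that Explorer will load, and flags entries whose in-process server is not a .dll or whose CLSID friendly name is merely the file stem. The sample export is constructed from the registry data quoted above, plus one made-up benign handler (“ExampleSync”, CLSID {00000000-0000-0000-0000-000000000001}) for contrast; the two heuristics are the author's own hints for review, not a verdict.

```python
"""Offline triage of ShellIconOverlayIdentifiers persistence from a .reg export.

Added example, not code from the MMPC post. Works on a text export so it can
be run against hives pulled from a disk image without touching the live
registry. The sample export is constructed from the post's registry data plus
one made-up benign handler.
"""
import re
from typing import Dict, List

SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B22FE457-E4C9-7E85-2AE3-0AF0B4E3A03C}]
@="iaspojcy"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B22FE457-E4C9-7E85-2AE3-0AF0B4E3A03C}\InprocServer32]
@="C:\\Windows\\System32\\iaspojcy.dil"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\iaspojcy]
@="{B22FE457-E4C9-7E85-2AE3-0AF0B4E3A03C}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000000-0000-0000-0000-000000000001}]
@="Example Sync Overlay"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000000-0000-0000-0000-000000000001}\InprocServer32]
@="C:\\Program Files\\ExampleSync\\overlay.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers\ExampleSync]
@="{00000000-0000-0000-0000-000000000001}"
"""

OVERLAY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellIconOverlayIdentifiers"
CLSID_ROOT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID"
GUID_RE = re.compile(r"^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)


def _unescape(data: str) -> str:
    # .reg string data escapes backslash and double quote with a backslash.
    return re.sub(r"\\(.)", r"\1", data)


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a .reg export into {key path (lowercased): {value name: data}}.

    Key paths are lowercased because the registry is case-insensitive. The
    default value is stored under the empty name. Only string data is
    unescaped; other types (dword:, hex:) are kept as raw text.
    """
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        if current is None:
            continue
        name, _, data = line.partition("=")
        name = "" if name == "@" else _unescape(name.strip('"'))
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            data = _unescape(data[1:-1])
        keys[current][name] = data
    return keys


def overlay_handlers(keys: Dict[str, Dict[str, str]]) -> List[Dict[str, str]]:
    """Resolve each ShellIconOverlayIdentifiers entry to the DLL Explorer will load."""
    prefix = OVERLAY_KEY.lower() + "\\"
    handlers = []
    for key, values in keys.items():
        if not key.startswith(prefix) or "\\" in key[len(prefix):]:
            continue
        clsid = values.get("", "")
        clsid_key = f"{CLSID_ROOT}\\{clsid}".lower()
        handlers.append({
            "handler": key[len(prefix):],
            "clsid": clsid,
            "friendly_name": keys.get(clsid_key, {}).get("", ""),
            "inproc_server": keys.get(clsid_key + "\\inprocserver32", {}).get("", ""),
        })
    return handlers


def assess(handler: Dict[str, str]) -> List[str]:
    """Heuristic reasons an overlay handler deserves a closer look (empty = nothing odd)."""
    reasons: List[str] = []
    if not GUID_RE.match(handler["clsid"]):
        reasons.append("overlay entry does not point at a CLSID")
    path = handler["inproc_server"]
    if not path:
        reasons.append("CLSID has no InprocServer32 string path (dangling or non-string data)")
        return reasons
    stem, _, ext = path.rsplit("\\", 1)[-1].rpartition(".")
    if ext.lower() != "dll":
        reasons.append(f"in-process server is not a .dll (.{ext})")
    if handler["friendly_name"].lower() == stem.lower():
        reasons.append("CLSID friendly name is just the file stem")
    return reasons


def triage(text: str) -> List[Dict[str, object]]:
    """Parse an export and attach assessment reasons to every overlay handler."""
    return [dict(h, reasons=assess(h)) for h in overlay_handlers(parse_reg_export(text))]


if __name__ == "__main__":
    for entry in triage(SAMPLE_REG_EXPORT):
        flag = "SUSPICIOUS" if entry["reasons"] else "ok"
        print(f"{flag:10} {entry['handler']} -> {entry['inproc_server']}")
        for reason in entry["reasons"]:
            print(f"           - {reason}")
```

A real `reg export` file is UTF-16LE with a byte-order mark, so read it with `open(path, encoding="utf-16")` before passing the text to `triage()`. On a live system the same resolution can be done with `Get-ItemProperty` in PowerShell, but the offline form is what you want when the machine itself cannot be trusted.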

Win32/Afcore injects code from a utility, “jb.dll”, known as the “jailbreak tool”, to export certificates that are marked as non-exportable from the Windows certificate store. An attacker could then use these certificates to gain unauthorized access to online banking sites that authenticate users with client certificates. The malware can also perform the following actions:

  • modify the registry to run at Windows start
  • steal private certificates
  • restart or shut down its currently running process
  • monitor Windows sockets
  • connect to a remote host to transmit data

Additionally, Win32/Afcore can monitor network traffic to steal credentials used for online payments. The malware contains the following strings, which it uses to pick out traffic of interest; they relate to international wire transfers:

  • telegraphic
  • swift
  • remittance
  • foreign
  • s.w.i.f.t
  • cross-border

Win32/Afcore also contains code that assists in capturing traffic and stealing information sent when visiting websites whose addresses match the following patterns, two of which are associated with National Health Service sites:

  • **
  • **
  • *.hilton.*
  • *.yahoo.*
  • *.google.*

The trojan monitors communication sent via secure hypertext transfer protocol (HTTPS) as well. Win32/Afcore has been known to communicate with servers named “” and “”. The IP addresses reported for these servers were located in Germany.

The addition of Win32/Afcore to MSRT this month comes at the request of the FBI and the Department of Justice to support a takedown operation which is discussed here:

Microsoft is pleased to work with law enforcement, industry and academia when it leads to a safer computing environment for all of us. It is gratifying to see law enforcement agencies around the world taking aggressive steps to curb criminality on the Internet. Kudos to all of those involved.


— Jaime Wong & Jeff Williams, MMPC

Categories: botnets, DoJ, FBI, MSRT, Win32/Afcore