Coreflood botnet - Detection and remediation

On April 13, 2011, The FBI and the Dept. of Justice announced that they had received a temporary restraining order allowing them to disable the Coreflood botnet. Coreflood is believed to have had over 2 million infected "drones" under its control, and was responsible for a wide variety of nefarious activities including DDoS and bank fraud.

Now that the Command and Control servers have been disabled, the primary task at hand is in remediation, as well as the notification of victims.

There often are questions on the best way to identify botnet infections on a local network, and Coreflood is no exception. I've listed below some information that will help identify Coreflood traffic, as well as provide some basic remediation suggestions.

Indicators:

• Outbound traffic on port 80 to IP address 149.20.51.124 and/or 207.210.74.74 corresponding to the following dates: 
• 149.20.51.124   - 4/12/2011 to date
• 207.210.74.74   - 4/12/2011 to 4/20/2011

• DNS queries for the following hostnames:
• taxadvice.ehostville[dot]com
• taxfree[dot]nethostplus[dot]net
• onlinebooking[dot]nethostplus[dot]net
• accounts[dot]nethostplus[dot]net
• logon[dot]nethostplus[dot]net
• imap[dot]nethostplus[dot]net
• pop3[dot]nethostplus[dot]net
• schedules[dot]nethostplus[dot]net
• mediastream[dot]nethostplus[dot]net
• ticket.hostnetline[dot]com
• flu.medicalcarenews[dot]org
• vaccine.medinnovation[dot]org
• ipadnews[dot]netwebplus[dot]net
• acdsee.licensevalidate[dot]net
• savupdate.licensevalidate[dot]net
• wellness.hostfields[dot]net
• wiki.hostfields[dot]net
• a-gps.vip-studions[dot]net
• old.antrexhost[dot]com
• marker.antrexhost[dot]com
• spamblocker.antrexhost[dot]com
• ads.antrexhost[dot]com
• cafe.antrexhost[dot]com
• coffeeshop.antrexhost[dot]com
• dru.realgoday[dot]net
• brew.fishbonetree[dot]biz
• jane.unreadmsg[dot]net
• exchange.stafilocox[dot]net
• ns1.diplodoger[dot]com

Remediation

• Download and install the current version of the Microsoft Malicious Software Removal Tool (MSRT) which will detect and remove Coreflood
• http://www.microsoft.com/security/pc-security/malware-removal.aspx
• Download and install the current version of the Microsoft Safety Scanner which has a full signature set.
• http://www.microsoft.com/security/scanner/en-us/default.aspx
• Install an established Anti-Virus program, ensuring that current updates are applied. Most updated AV software will detect Coreflood.

References:

• The Coreflood Report - Analysis by Joe Stewart at SecureWorks
• Coreflood shutdown - article by eWeek
• Dept. of Justice Press Release