Middle East falls prey to Coreflood malware

Online security recently took a hit with news that a gang based in Russia was infecting thousands of PCs with special programs and tools usually used by computer network administrators. There's now evidence that PCs in the Middle East are also infected.

The attacks came to light when Joe Stewart, director of malware at computer security firm SecureWorks, located a central program running at a computer center in Wisconsin controlling as many as 100,000 botnets across the internet. For the uninitiated, a botnet refers to any computer that's set up to forward transmissions such as spam or viruses to other computers on the internet without the user's knowledge.

PCs in the Middle East are now confirmed to be affected as welll. "We can confirm that we have detected and have been tracking machines infected with what is sometimes known as Coreflood within the region," said Ivor Rankin, practice manager of Operational Security Services at Symantec MENA.

The Coreflood bot malware infects machines primarily through compromised websites that visitors unwittingly access. Screen information, in addition to passwords and other personal information, is then transferred to a centralized database for the criminals to use as they please.

There's no way of knowing the exact damage witnessed in the region but it's believed to be considerably lower in comparison to the United States and Europe. "Some of the compromised websites in the region have since been ‘repaired' whilst others remain compromised actively infecting visitors to the site. The volume of visitors to some of these regional websites is fairly high; thus increasing the chances of visiting machines being infected and helping ‘expand' the associated bot network," added Rankin. The control program has since been moved to another computer in the Ukraine, beyond the reach of law enforcement in the United States. The good news is that most antivirus software has been updated to detect the known strains of Coreflood but Rankin warned that, "newer variants are also likely; created either by the group behind this bot network, and by others seeking to create variants of their own."

The attacks only prove the threat of botnets shows no signs of diminishing. "In the GGC alone for the month of January 2008, there were almost 160,000 bots broadcasting. As the majority are in sleeper mode, we estimate the actual number of compromised PC to be closer to half a million. The issue is serious and unlikely to be related to just one particular gang," commented Ian Cochrane, marketing manager of Southern Emerging Markets at TrendMicro.

According to a report by Kaspersky Labs, botnets currently pose the biggest threat to the internet; not spam, viruses and worms as is commonly believed.