Here’s a little information from ESET’s point of view about the Coreflood botnet, whose C&C (Command and Control) servers were taken down yesterday by the Department of Justice. The Coreflood bot is detected by ESET products as Win32/Afcore and has been active since the early years of the last decade (certainly since 2001), though our statistics indicate particularly strong activity between 2007 and 2009, peaking dramatically around the end of 2008. It has been relatively quiet (in terms of infection volume). It has shown a moderate upward trend in recent months, so this takedown may be particularly well-timed.
However, the significance of Coreflood doesn’t lie in its size. Its forte has been financial fraud and general password-stealing (credit cards, banking, email and social media credentials) rather than high-volume, high-visibility spamming or DDoS attacks: if anything, it was intended to stay below the radar as much as possible. Generally, then, the consequences of the takedown won’t be obvious to most people: we don’t expect to see a dramatic dip in spam volumes, and the potential victims who’ll now be spared its intentions won’t be aware that they’ve been spared. In any case, botnets are like buses: there’ll be another one along in a minute.
You might find these links informative, too:
David Harley CITP FBCS CISSP
ESET Senior Research Fellow