Coreflood/AFcore Trojan Analysis

In the past several years we've seen many botnets come and have even seen some go. Some die because they are replaced by other code; some die (not often enough) because their owners go to jail. During this time, we've seen one botnet which has quietly flown under the radar since at least 2002. Coreflood (or "AF", as the author has dubbed it) started out as an Internet Relay Chat (IRC) bot used for attacking other IRC users. Over time, however, it evolved into a TCP proxy as part of an anonymity service, and then later into a full-fledged infostealer trojan. We wrote about the proxy component when it was first developed in 2003. Since that time Coreflood has maintained a much lower profile while other, more prolific botnets came to the forefront of public attention. However, just recently the group behind Coreflood has escalated their activity and the trojan is beginning to be noticed again.

SecureWorks already had countermeasures in place for its clients to protect against the Coreflood Trojan and its variants and immediately notified research partners, anti-virus vendors and law enforcement officials upon discovering the scam.

Coreflood is very recognizable if you've ever unpacked its code in a debugger: there are dozens of programmer-inserted debug strings in the trojan, which is quite unusual to see in malware.
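An analyst can turn that observation into a quick triage check on an unpacked memory image: extract printable runs the way `strings` does, then count how many look like developer log messages. The script below is an added example, not SecureWorks' code and not anything taken from Coreflood; the byte blob is constructed for the demo, and the "debug-style" heuristic (printf format specifiers plus a few log-message words) is an assumption chosen for illustration.

```python
import re

# Constructed sample of an "unpacked image" for this example only. It is not
# Coreflood's real content; it mixes binary filler with a few printf-style
# debug messages and one ordinary import name.
SAMPLE_IMAGE = (
    b"\x00\x01\x02MZ\x90\x00\x03"
    b"init: socket() failed, err=%d\x00"
    b"\xff\xfe\x7f\x80"
    b"proxy thread %u started on port %u\n\x00"
    b"ab\x00"                          # too short to count as a string
    b"sending %d bytes to %s\x00"
    b"\x00\x00\x00\x01\x02"
    b"kernel32.dll\x00"
)

# Heuristic (assumption): printf format specifiers or words common in
# developer log output mark a string as "debug-style".
DEBUG_RE = re.compile(rb"%[sdux]|failed|error|thread|started", re.IGNORECASE)


def extract_strings(data, min_len=5):
    """Return printable-ASCII runs of at least min_len bytes, like `strings`."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group(0) for m in pattern.finditer(data)]


def debug_strings(data, min_len=5):
    """Subset of extracted strings that match the debug-message heuristic."""
    return [s for s in extract_strings(data, min_len) if DEBUG_RE.search(s)]


def debug_string_ratio(data, min_len=5):
    """Fraction of extracted strings that look like debug messages (0.0-1.0)."""
    found = extract_strings(data, min_len)
    if not found:
        return 0.0
    return len(debug_strings(data, min_len)) / len(found)


if __name__ == "__main__":
    for s in debug_strings(SAMPLE_IMAGE):
        print(s.decode("ascii"))
    print("debug-style ratio: %.2f" % debug_string_ratio(SAMPLE_IMAGE))
```

On a real unpacked image you would read the file bytes instead of `SAMPLE_IMAGE`; a high ratio of debug-style strings is only a hint for further manual analysis, not a verdict on its own.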
