The U.S. Justice Department and the FBI were granted unprecedented authority this week to seize control over a criminal botnet that enslaved millions of computers and to use that power to disable the malicious software on infected PCs.
The target of the takedown was “Coreflood,” an infamous botnet that emerged almost a decade ago as a high-powered virtual weapon designed to knock targeted Web sites offline. Over the years, the crooks running the botnet began to use it to defraud owners of the victim PCs by stealing bank account information and draining balances.
Coreflood has morphed into a menacing crime machine since its emergence in 2002. As I noted in a 2008 story for The Washington Post, this is the same botnet that was used to steal more than $90,000 from Joe Lopez in 2005, kicking off the first of many high-profile lawsuits that would be brought against banks by victims of commercial account takeovers. According to the Justice Department, Coreflood also was implicated in the theft of $241,866 from a defense contractor in Tennessee; $115,771 from a real estate company in Michigan; and $151,201 from an investment firm in North Carolina.
By 2008, Coreflood had infected some 378,000 PCs, including computers at hospitals and government agencies. According to research done by Joe Stewart, senior malware researcher for Dell SecureWorks, the thieves in charge of Coreflood had stolen more than 500 gigabytes of banking credentials and other sensitive data, enough data to fill 500 pickup trucks if printed on paper.
On April 11, 2011, the U.S. Attorney’s Office for the District of Connecticut filed a civil complaint against 13 unknown (“John Doe”) defendants responsible for running Coreflood, and was granted authority to seize 29 domain names used to control the daily operations of the botnet. The government also was awarded a temporary restraining order (TRO) allowing it to send individual PCs infected with Coreflood a command telling the machines to stop the bot software from running.
The government was able to do this because it also won the right to have the Coreflood control servers redirected to networks run by the nonprofit Internet Systems Consortium (ISC). When bots reported to the control servers – as they were programmed to do periodically – the ISC servers would reply with commands telling the bot program to quit.
ISC President Barry Greene said the government was wary of removing the bot software from infected machines.
“They didn’t want to do the uninstall, just exit,” Greene said. “Baby steps. But this was significant for the DOJ to be able to do this. People have been saying we should be able to do this for a long time, and nobody has done what we’re doing until now.”
No U.S. law enforcement authority has ever sought to commandeer a botnet using such an approach. Last year, Dutch authorities took down the Bredolab botnet using a similar method that directed affected users to a Web page warning of the infection. Last month, Microsoft took down the Rustock spam botnet by convincing a court to grant it control over both the botnet’s control domains and the hard drives used by those control servers.
Andrew Fried, a botnet expert who runs Deteque, a security consultancy in Alexandria, Va., said the action was a long time coming, but he applauded the feds for making it happen. “We finally saw exactly how effective law enforcement and our judicial system can be when they attack problems using strategic rather than political methods,” Fried said.
Greene said the job now falls to ISPs, security firms, and Microsoft to help clean up the pool of PCs that remain infected with Coreflood. Microsoft this week shipped an update to remove Coreflood from Windows machines of users who take advantage of the Malicious Software Removal Tool, an anti-malware tool offered through Windows Updates and Automatic Update that looks for and removes many families of infectious software.
Some readers may be alarmed by this news because they are wary of any government actions that involve access to individual computers. Wired.com’s Kim Zetter writes that the Electronic Frontier Foundation is uneasy with the government’s move, which it called “an extremely sketchy action to take.” However, as noted cybercrime expert Gary Warner points out in his blog, the government is offering computer users affected by this week’s takedown the option to “opt out” of the terms of the temporary restraining order.
“The Department of Justice and FBI, working with Internet service providers around the country, are committed to identifying and notifying as many innocent victims as possible who have been infected with Coreflood, in order to avoid or minimize future fraud losses and identity theft resulting from Coreflood,” the FBI’s press release states. “Identified owners of infected computers will also be told how to ‘opt out’ from the TRO, if for some reason they want to keep Coreflood running on their computers.”
U.S. Justice Department press release
Coreflood Complaint (PDF)
Coreflood Seizure Warrant (PDF)
Coreflood Temporary Restraining Order (PDF)