The FBI has scrubbed some 19,000 PCs that were infected with the Coreflood bot malware, the agency told a federal court last week. The effort is part of an ongoing and unprecedented legal campaign to destroy one of the longest-running and most menacing online crime machines ever built.
In April, the Justice Department and the FBI were granted authority to seize control over Coreflood, a criminal botnet that enslaved millions of computers. On April 11, 2011, the U.S. Attorney’s Office for the District of Connecticut was granted authority to seize 29 domain names used to control the daily operations of the botnet, and to redirect traffic destined for the control servers to a substitute server that the FBI controlled. More significantly, the FBI was awarded a temporary restraining order allowing it to send individual PCs infected with Coreflood a command telling the machines to stop the bot software from running.
In a declaration filed with the district court, FBI special agent Kenneth Keller said the bureau has issued approximately 19,000 uninstall commands to infected computers of two dozen identifiable victims in the United States. The FBI said it obtained written consent from all 24 victims, and that none reported any adverse or unintended consequences from the uninstall commands.
Keller said the FBI has directly notified hundreds of identifiable victims, and that it has provided information to approximately 25 of the largest Internet service providers in the United States, enabling them to notify their infected customers.
“The FBI has also provided information about infected computers to law enforcement agencies overseas,” Keller told the court. “While it has not been possible to notify the owner of every infected computer, due in part to the difficulty in identifying the computer owners and obtaining accurate contact information for them, the decline in the size of the Coreflood Botnet is likely attributable in large part to the success of the victim notification efforts.”
Keller said that the continued operation of the substitute server was no longer necessary to prevent the as-yet unidentified defendants from using the Coreflood botnet to commit further wire fraud and bank fraud, or to eavesdrop on victim PC communications.
“The continued operation of the substitute server is consuming considerable law enforcement resources, because the server is being closely monitored to ensure its proper operation,” Keller wrote. “Those resources can be better allocated to other law enforcement investigations, now that the decline in the size of the Coreflood Botnet has leveled off. Also, while the Coreflood software will begin to run on still-infected computers once the substitute server is taken out of operation, the seizure of the Coreflood domains will continue reasonably to prevent the Defendants from obtaining access to those computers or to data stolen from those computers.”
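Keller's point that the bot will resume running on still-infected machines once the substitute server goes offline means the remaining infections have to be found by the defenders on each network, not by the sinkhole. One way to do that is to watch internal DNS resolver logs for hosts that keep trying to resolve the seized control domains after the sinkhole is gone. The following Python is an added example, not code from the FBI, the court filings or the original article; the seized Coreflood domain names are not listed on the page, so `SEIZED_DOMAINS` holds placeholder names, and the resolver log lines are constructed.

```python
"""Find hosts still beaconing to seized (sinkholed) control domains.

Added example. The domain names below are placeholders, not the real
Coreflood domains, and the log lines are constructed for illustration.
Log format assumed: <ISO timestamp> <client IP> <queried name> <answer>.
"""
from collections import defaultdict
from datetime import datetime

# Placeholder stand-ins for the seized control domains (assumption).
SEIZED_DOMAINS = {"c2-example-1.invalid", "c2-example-2.invalid"}

# Constructed resolver log: one host polls a seized domain every ~30 minutes,
# another resolves one once, and unrelated lookups are mixed in.
SAMPLE_LOG = """\
2011-06-20T08:01:12 10.0.3.14 c2-example-1.invalid NXDOMAIN
2011-06-20T08:01:40 10.0.3.14 www.example.org 93.184.216.34
2011-06-20T08:31:13 10.0.3.14 c2-example-1.invalid NXDOMAIN
2011-06-20T09:01:15 10.0.3.14 c2-example-1.invalid NXDOMAIN
2011-06-20T09:02:00 10.0.7.22 c2-example-2.invalid NXDOMAIN
2011-06-20T09:05:44 10.0.9.1 www.example.org 93.184.216.34
"""


def parse_line(line):
    """Split one resolver log line into (timestamp, client, qname, answer)."""
    ts, client, qname, answer = line.split()
    # Normalise the queried name: lower-case, drop a trailing root dot.
    return datetime.fromisoformat(ts), client, qname.lower().rstrip("."), answer


def is_seized(qname):
    """True if qname is one of the seized domains or a subdomain of one."""
    return any(qname == d or qname.endswith("." + d) for d in SEIZED_DOMAINS)


def find_still_infected(log_text, min_hits=2):
    """Return {client: [query timestamps]} for clients that queried a seized
    domain at least min_hits times. Requiring repeats separates a running bot
    that keeps polling its controller from a single one-off resolution."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, _answer = parse_line(line)
        if is_seized(qname):
            hits[client].append(ts)
    return {c: times for c, times in hits.items() if len(times) >= min_hits}


def beacon_interval_seconds(times):
    """Median gap in seconds between consecutive queries from one client;
    a steady gap is the signature of an automated check-in, not a person."""
    times = sorted(times)
    gaps = sorted((b - a).total_seconds() for a, b in zip(times, times[1:]))
    return gaps[len(gaps) // 2]


if __name__ == "__main__":
    for client, times in find_still_infected(SAMPLE_LOG).items():
        print(f"{client}: {len(times)} lookups, "
              f"~{beacon_interval_seconds(times):.0f}s apart -> still infected")
```

Run against real resolver logs, the seized-domain set would come from the takedown notice or the ISP notification Keller describes, and the hosts it reports are the ones to clean before the domain seizure is the only thing standing between them and a new controller.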
A copy of Keller’s declaration is available at this link (PDF).