April 14, 2011

The U.S. Justice Department and the FBI were granted unprecedented authority this week to seize control over a criminal botnet that enslaved millions of computers and to use that power to disable the malicious software on infected PCs.

Sample network diagram of Coreflood, Source:FBI

The target of the takedown was “Coreflood,” an infamous botnet that emerged almost a decade ago as a high-powered virtual weapon designed to knock targeted Web sites offline. Over the years, the crooks running the botnet began to use it to defraud owners of the victim PCs by stealing bank account information and draining balances.

Coreflood has morphed into a menacing crime machine since its emergence in 2002. As I noted in a 2008 story for The Washington Post, this is the same botnet that was used to steal more than $90,000 from Joe Lopez in 2005, kicking off the first of many high profile lawsuits that would be brought against banks by victims of commercial account takeovers. According to the Justice Department, Coreflood also was implicated in the theft of $241,866 from a defense contractor in Tennessee; $115,771 from a real estate company in Michigan; and $151,201 from an investment firm in North Carolina.

By 2008, Coreflood had infected some 378,000 PCs, including computers at hospitals and government agencies. According to research done by Joe Stewart, senior malware researcher for Dell SecureWorks, the thieves in charge of Coreflood had stolen more than 500 gigabytes of banking credentials and other sensitive data, enough data to fill 500 pickup trucks if printed on paper.

On April 11, 2011, the U.S. Attorney’s Office for the District of Connecticut filed a civil complaint against 13 unknown (“John Doe”) defendants responsible for running Coreflood, and was granted authority to seize 29 domain names used to control the daily operations of the botnet. The government also was awarded a temporary restraining order (TRO) allowing it to send individual PCs infected with Coreflood a command telling the machines to stop the bot software from running.

The government was able to do this because it also won the right to have the Coreflood control servers redirected to networks run by the nonprofit Internet Systems Consortium (ISC). When bots reported to the control servers – as they were programmed to do periodically – the ISC servers would reply with commands telling the bot program to quit.
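The sinkhole arrangement described above (bots check in on their own schedule, the replacement server answers with a shutdown command, and each check-in identifies a victim to notify) can be sketched in a few dozen lines. The following is an added illustration, not ISC, FBI or Coreflood code: the "HELLO" check-in format, the EXIT/NOOP command names and the sample hosts are all constructed here, and the real Coreflood protocol is not on the page. It also models the TRO's opt-out, where a host whose owner declined is answered with no instruction.

```python
"""
Toy model of a takedown sinkhole: infected hosts check in periodically,
the replacement control server replies "stop running" (not "uninstall"),
and every check-in is logged so the owner can be notified via their ISP.
Added example; the wire format, command names and hosts are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Hypothetical check-in format (NOT Coreflood's real protocol):
#   "HELLO <bot_id> <os_version>"
CMD_EXIT = "EXIT"   # tell the bot process to terminate, leave files alone
CMD_NOOP = "NOOP"   # no instruction; sent to hosts whose owners opted out


@dataclass
class CheckinRecord:
    source_ip: str
    bot_id: str
    os_version: str
    seen_at: str
    reply: str


@dataclass
class Sinkhole:
    # Hosts whose owners opted out of the TRO receive no command.
    opt_out_ips: set = field(default_factory=set)
    log: list = field(default_factory=list)

    def handle_checkin(self, source_ip: str, message: str) -> str:
        """Parse one check-in and return the reply the bot would receive."""
        parts = message.strip().split()
        if len(parts) != 3 or parts[0] != "HELLO":
            # Not a recognised check-in: reply with nothing but keep a record,
            # since unrelated traffic to a seized domain is useful telemetry.
            self._record(source_ip, "?", "?", "")
            return ""
        _, bot_id, os_version = parts
        reply = CMD_NOOP if source_ip in self.opt_out_ips else CMD_EXIT
        self._record(source_ip, bot_id, os_version, reply)
        return reply

    def _record(self, ip, bot_id, os_version, reply):
        self.log.append(CheckinRecord(
            ip, bot_id, os_version,
            datetime.now(timezone.utc).isoformat(), reply))

    def victims_for_notification(self) -> dict:
        """Group hosts that were told to exit by IP, for hand-off to ISPs."""
        out = {}
        for rec in self.log:
            if rec.reply == CMD_EXIT:
                out.setdefault(rec.source_ip, set()).add(rec.bot_id)
        return out


def demo():
    # Constructed sample traffic; addresses are RFC 5737 documentation ranges.
    sink = Sinkhole(opt_out_ips={"203.0.113.7"})
    traffic = [
        ("192.0.2.10", "HELLO b1a2c3 WinXP-SP3"),
        ("192.0.2.10", "HELLO b1a2c3 WinXP-SP3"),  # same host, next interval
        ("198.51.100.4", "HELLO 77ee11 Win7"),
        ("203.0.113.7", "HELLO deadb0 Vista"),      # owner opted out of TRO
        ("198.51.100.9", "GET / HTTP/1.0"),         # unrelated scanner
    ]
    replies = [sink.handle_checkin(ip, msg) for ip, msg in traffic]
    return replies, sink.victims_for_notification()


if __name__ == "__main__":
    replies, victims = demo()
    print(replies)
    for ip, bots in victims.items():
        print(f"notify owner of {ip}: bot ids {sorted(bots)}")
```

The design choice mirrored here is Greene's "just exit": the sinkhole never instructs removal, only termination, and the notification list is derived from the log rather than from any action on the victim machine.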

ISC President Barry Greene said the government was wary of removing the bot software from infected machines.

“They didn’t want to do the uninstall, just exit,” Greene said. “Baby steps. But this was significant for the DOJ to be able to do this. People have been saying we should be able to do this for a long time, and nobody has done what we’re doing until now.”

No U.S. law enforcement authority has ever sought to commandeer a botnet using such an approach. Last year, Dutch authorities took down the Bredolab botnet using a similar method that directed affected users to a Web page warning of the infection. Last month, Microsoft took down the Rustock spam botnet by convincing a court to grant it control over both the botnet’s control domains and the hard drives used by those control servers.

Andrew Fried, a botnet expert who runs Deteque, a security consultancy in Alexandria, Va., said the action was a long time coming, but he applauded the feds for making it happen. “We finally saw exactly how effective law enforcement and our judicial system can be when they attack problems using strategic rather than political methods,” Fried said.

Greene said the job now falls to ISPs, security firms, and Microsoft to help clean up the pool of PCs that remain infected with Coreflood. Microsoft this week shipped an update to remove Coreflood from Windows machines of users who take advantage of the Malicious Software Removal Tool, an anti-malware tool offered through Windows Update and Automatic Update that looks for and removes many families of infectious software.

Some readers may be alarmed by this news because they are wary of any government actions that involve access to individual computers. Wired.com’s Kim Zetter writes that the Electronic Frontier Foundation is uneasy with the government’s move, which it called “an extremely sketchy action to take.” However, as noted cybercrime expert Gary Warner points out in his blog, the government is offering computer users affected by this week’s takedown the option to “opt out” of the terms of the temporary restraining order.

“The Department of Justice and FBI, working with Internet service providers around the country, are committed to identifying and notifying as many innocent victims as possible who have been infected with Coreflood, in order to avoid or minimize future fraud losses and identity theft resulting from Coreflood,” the FBI’s press release states. “Identified owners of infected computers will also be told how to ‘opt out’ from the TRO, if for some reason they want to keep Coreflood running on their computers.”

U.S. Justice Department press release

Coreflood Complaint (PDF)

Coreflood Seizure Warrant (PDF)

Coreflood Temporary Restraining Order (PDF)

28 thoughts on “U.S. Government Takes Down Coreflood Botnet”

  1. RJ

    Force windows update on computers, force run of malicious software removal, ???, profit.

    1. Al Mac

      Easier said than done.

      Some computer systems are not (supposed to be) connected to the Internet, are on OS versions no longer supported by their vendors.

      Microsoft Automatic Update is no longer working for me … it was supposed to run for Tuesday’s critical updates.

      Then when I tried to run Microsoft Update manually, it invited me to install Microsoft Update, even though it is already on my PC. I guess I will go that route, see what happens.

      Belarc Advisor confirms, I am missing Microsoft Critical updates.

      My AV etc. cannot find anything wrong.
      Qualys warns me about Adobe … I have been avoiding Adobe PDF since Brian’s warning came out, using alternative PDF like Primo-Nero … avoiding Adobe Flash is more difficult, but hopefully my Firefox NoScript provides some protection.

      1. Al Mac

        Patching and updates is a continuing hassle, but goes more smoothly nowadays than a few years ago.

        Automatic Update has been broken longer than I realized. I just got a dozen critical security Microsoft updates installed on my XP machine.

        Thanks to Brian’s article about Qualys Browser Check, I installed it, am using it, have it on my toolbar as a reminder to use it regularly.

        Installing that reminded me to check Belarc Advisor to tell me if the stuff on my PC has all the latest patches & updates … well my PC is now in much better shape than an hour or so ago. But Belarc identifies two important updates still missing, provides links to get them from Microsoft, which fail because Firefox is my browser.

        I also have Google Desktop, which lets me search the stuff on my PC like I would search the Internet. I suspect there is a conflict between GD indexing my most recent additions and BA doing ditto.

      2. RJ

        I was referring to the infected machines in the Coreflood botnet. Get MS to craft a package of updates & malware removal tool. Using the C&C, download, install, reboot and all is well in the world.

        Let’s face it, these computers are a liability to everyone on the internet. And even with the remote possibility of the forced update breaking a few computers, the net positive effect is too much to worry about a few already broken computers breaking for good.

        1. RJ

          Oooh, look how downvoted this is.

          Lots of botnet owners must frequent this blog :).

  2. SiL

    I for one think this could be a mostly positive, pivotal moment in the fight against rampant Windows OS malware.

    The fact of the matter is this: many if not most owners and operators of computers are not well-versed in anything to do with computers or computer-related security. Most computer users will use whatever that computer comes with, and in the case of Windows PCs that means Internet Explorer. Most Windows users never run Windows Update, and many of them either ignore or cancel the prompts to update their computer’s operating system. They simply don’t understand the importance of these systems.

    Add to that that many if not most Internet users will click on any link they receive in an email. We have seen countless examples of this over many, many years. This leads to people becoming ensnared in Nigerian scams, having their money siphoned out of their bank accounts by trojans and keyloggers, having their most basic, everyday accounts compromised by phishing attacks and of course becoming badly infected by at least one but usually several pieces of malware, then wondering why their computers are not functioning efficiently. This is not new. This has been going on for years.

    All attempts to educate the end-user have failed, and botnets remain a serious concern, often numbering in hundreds of thousands of infected PCs. (Certainly the numbers in this takedown bear this out, as did that of Rustock.)

    If it takes the FBI and the US Government (plus Microsoft, whose OS is the affected property after all) then so be it. Clearly not a single other thing has been effective at shutting down this ongoing criminal activity.

    SiL / IKS / concerned citizen

    1. Neej

      Your post is not well thought out and doesn’t reflect reality.

      Firstly you apparently haven’t been looking at browser market share lately.

      Secondly, since you are referring to “clueless computer users,” why would they ever run Windows Update when its default is to run automatically (and they couldn’t cancel anything in this case anyway)?

      Thirdly social engineering attacks have been effective against not only “clueless users” but also computer security experts as a number of incidents have shown.

      I suggest you lay off the analysis as you appear to be merely parroting mainstream hype which is itself written by “clueless users”. Guess what that makes you look like?

  3. Omer Bauer

    Why would anybody not want to remove this from their computer unless it profits them somehow……or they really want to hide something else?

    1. Datz

      Exactly my thought.

      “Identified owners of infected computers will also be told how to ‘opt out’ from the TRO, if for some reason they want to keep Coreflood running on their computers.”

      Why would anyone in their right mind insist on keeping something known to be malicious? Or have Americans become so cautious/scared that even the authorities have to pussyfoot around hard facts?

      1. DavidM

        I don’t believe people would want to keep this little rootkit on their computers; most would be glad to have any help to remove a rootkit, as they are very tricky to get rid of without some professional help, other than wiping your drive clean and re-installing a clean O/S install…I think it’s more to the fact that there are some people who take a strong rebuke to having Big Brother look at anything that is outside of the scope they are accustomed to.

        That being said, I would say if they don’t want to have their machine cleaned and want to take it somewhere and have a professional do so, well so be it, but they should also have to let their ISP know when they have done so before they let that particular computer and IP address back on their network, to ensure that an infected machine is not back to any malicious behaviour.

        In a situation like this you’re always going to have those that are willing to have the help, and those who are going to rebuke the help… you will never make everyone happy, but people have the option to take the help or not…I sure wouldn’t want to have to worry about whether I can go online to purchase or pay some bill or something without having my information sent to some country where it is up for sale or going to be used to empty the kitty at the bank…but people will do what they think is in their best interest…

    2. AlphaCentauri

      There are researchers running “honeypots,” i.e., computers that are allowed to become infected with malware in order to record what they do and who they contact. That’s how the government knew which domains and C&C servers to seize to take down this botnet, for instance.

      The DOJ probably already knows most of the researchers running them, of course. The more important issue is to make sure there are no unexpected consequences that generate the type of negative publicity (or court precedents) that would prevent them doing the same type of takedown with other botnets in the future.

  4. JimE

    Brian, great article. I knew you and the FBI would hit it off. Just watch out for that guy with the hockey mask. Hmmm, I wonder if he’s into hackin’ systems now instead of his dinner guests!

  5. JimV

    Since it seems the critical servers that were infected were all physically in the US and taken down at the source(s) by the DOJ/FBI action following court approval, if the court had not been sufficiently convinced of the legal basis for such an action we would all still be at some risk from the botnet’s existence.

    It’s good news IMHO, but probably means that other botnet herders will make efforts toward a broader international distribution of their herd in order to make unilateral action(s) like this in the future a lot more difficult. Coordination among governments and ISPs across multiple international jurisdictions where the infected servers might be located isn’t impossible, but does add complexity to the process. It also gives more of a chance for the herder(s) to get advance hints that a takedown might be impending, offering them a greater opportunity to shift operational parameters or server locations and avoid a complete takedown. Still, one step (botnet) at a time…

    1. DavidM

      Still, one step (botnet) at a time…

      totally agree…. I think that the last MS coalition takedown and this one of Coreflood could be the best way to hurt these guys and put them out of business for a while and hit them in the wallet…I would still like to see the folks from some hosts/ASNs/registrars do their job, and that’s enforce their AUP/ToS and take action against those who constantly abuse the system. The other issue I see is that there is so much corruption of some government agencies in places like Russia, for instance, that know they have a large cybercrime community working there, that if a government from another country tries to get help in a cybercrime investigation it goes nowhere, or when it does the punishment is so weak * cough cough payoff cough * that the crooks running these scams just add it as a cost of doing business; till there is some real co-operation between governments and those involved in entities that help run aspects of the net (ie: hosts/ASNs/registrars, providers etc) and they take enforcement seriously, we will be in the fight for years to come

  6. mrmikel

    I think the best analogy to this is a public health one, like the Typhoid Mary case. These computers are dangers to public computer health.

    If there are things on one’s computer which are private then encrypt the drive or create a Linux partition and store them in an entirely different filesystem inaccessible from Windows.

    Otherwise we let the bad guys continue to make the Internet completely lawless. It is matter not of extremes but of deciding just how much freedom should be limited. It is not a choice between no freedom and freedom to do as you please regardless of how it damages everyone else.

  7. Tracy Dryden

    REALLY??? The EFF thinks the government’s action is “extremely sketchy”? Exactly what was sketchy about it? They took control over computers being used for criminal purposes (perfectly legal). They didn’t infect or invade the users’ computers – they were already infected. They didn’t even SEND a command to the computers. The computers themselves ASKED what to do next. All they did was tell the bot program to shut down instead of sending bank account numbers and passwords. And the EFF has a problem with that? What kind of idiots are running that place these days? I think the government’s actions are to be praised.

    1. Silemess

      The EFF’s concern is that this establishes a precedent that the government can send commands to private computers.

      Tracy, as you note, the computers did send out a request for commands from a server. But the government did send a command back, telling the program to quit.

      The EFF doesn’t have a problem that people were being protected. Disabling a botnet is a praiseworthy action. But if the EFF doesn’t mention their concerns on this case, then it may seem that they condone any actions taken against botnets, with the fear being that the next time, an individual’s computer may be more impacted by the government action than by that of the virus. They’re mentioning their concerns now so as to be able to act later, in case this is the beginning of a slippery slope.

    2. Nick P

      I agree that this was a positive thing that happened and EFF should give them credit for properly using their powers to protect the good. But Silemess is probably right on about EFF’s concern about setting a precedent. I’ll add to that: this was a court matter and can set a legal precedent to be used in future cases that ask for more power.

      Lawyers are well-known for taking precedents from previous cases and applying them to unrelated cases with questionable arguments, then the judge swallows the BS for some reason. Many innocent individuals and companies have suffered losses in court because precedents were stretched too far. EFF’s policy, official or unspoken, is to prevent any act that sets such precedents that give the government more control over cyberspace.

      They are just playing it extra safe when dealing with assumption of new power by federal government. If history is any indicator, the government will eventually abuse its power and expand its influence. Fighting off every potential advance in cyberspace might be the smartest move for an organization promoting e-liberty.

  8. Maureen

    While I’m glad that the government took action and I can’t imagine opting out, I’m also glad there are people who find it “sketchy” and make enough noise to keep individuals in the government honest. The “opt out” is a smart preemptive move on the DOJ’s part to lessen the outcry.

  9. DLD

    As one of Meg Ryan’s characters once said: “yes, Yes, YESSSS!”

  10. анбиливбл

    As one of Volochkova characters once said “Potceluy menya v pachku”

  11. Tone tone

    I might be just paranoid, but it seems like anytime the government has a “take down” like this my internet at home goes down. Does anyone know of a site I can get some information on how to check to see if a computer is infected with a bot? I’m not computer illiterate but I’m definitely not a computer genius, so any info will be much appreciated.

    1. AlphaCentauri

      Try spywarehammer.com or bleepingcomputer.com. Read all the instructions on the website first. Remember they’re all volunteer experts helping people in their free time, so be patient. Do what they tell you to do, when they tell you to do it, in order.

      1. TJ

        WTF? Why would anyone vote AlphaCentauri’s comment down (unless of course you run a botnet)?

  12. MrUnFixit-Maybe

    Coreflood has been out for about a decade and Microsoft decides to add it to their anti-malware signatures NOW? The Sony rootkit takedown only took a few weeks to be added. Is there something that is not being publicised here?

  13. David

    As Mr. Fried said – “We finally saw exactly how effective law enforcement and our judicial system can be when they attack problems using strategic rather than political methods” – basically, what he said was – “We can see what can be done when you AT LAST DO SOMETHING!”

    Very good job here, government!
