U.S. Wins Court Order to Seize Control of ‘Coreflood’ Botnet, Send Kill Signal
(WIRED) In an extraordinary intervention, the Justice Department has sought and won permission from a federal judge to seize control of a massive criminal botnet comprised of millions of private computers, and deliver a command to those computers to disable the malicious software.
The request, filed Tuesday under seal in the U.S. District Court in Connecticut, sought a temporary restraining order to allow the non-profit Internet Systems Consortium to swap out command-and-control servers that were communicating with machines infected with Coreflood — malicious software used by computer criminals to loot victims’ bank accounts.
According to the filing, ISC, under law enforcement supervision, planned to replace the servers with servers that it controlled, collect the IP addresses of all infected machines communicating with the criminal servers, and then send a remote “stop” command to infected machines to disable the Coreflood malware on the machines.
The takeover occurred Tuesday evening, though a Justice Department spokeswoman was unable to confirm whether the shutdown command had been sent yet to infected computers.
In conjunction with the move, the government planned to provide the IP addresses of infected computers to ISPs around the country to notify customers that they’re infected, and Microsoft planned to release an update to its free Malicious Software Removal Tool on Wednesday to remove Coreflood from infected computers.
According to the filing, Coreflood is designed to run whenever an infected computer is rebooted. Therefore the intervention software designed to disable Coreflood has to resend the disable command after every reboot, until the victim removes the malware from his system. The government assured the court, however, that this would cause no harm to computers.
“Based upon technical evaluation and testing, the Government assesses that the command sent to the Coreflood software to stop running will not cause any damage to the victim computers on which the Coreflood software is present, nor will it allow the Government to examine or copy the contents of the victim computers in any fashion,” the government asserts in its request.
The government also insisted in the request that neither the replacement servers nor the trap-and-trace device it would use to collect the IP addresses of infected machines would “acquire the content of any communications” on infected machines.
“Should the Government inadvertently acquire the content of any communication, it will destroy such communication upon recognition,” the government asserted.
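The filing describes three properties of the replacement servers: they record the IP addresses of infected machines that check in, they answer with a “stop” command (which must be repeated after every reboot, since the malware restarts), and they never retain the content of the bots' communications. The sketch below, added here as an illustration and not code from the article, ISC or the government, shows what a sinkhole built to those constraints looks like. Coreflood's wire protocol is not described in the article, so the beacon format (one line of text in, `STOP\n` out) and every name in the block are made up for the demonstration; the registry keeps only IP, timestamps and a beacon counter, and the demo's second check-in from the same host stands in for a post-reboot re-beacon.

```python
"""
Minimal command-and-control sinkhole in the shape the Coreflood filing
describes: accept beacons from infected hosts, record only the source IP
address (plus timestamps and a counter), answer every beacon with a "stop"
command, and never retain the beacon body.

The wire format is a made-up line-oriented stand-in for the demo; Coreflood's
real protocol is not described in the article and is not reproduced here.
"""
import socket
import socketserver
import threading
import time
from dataclasses import dataclass, field

STOP_COMMAND = b"STOP\n"   # hypothetical stand-in for the real disable command


@dataclass
class Sighting:
    first_seen: float
    last_seen: float
    beacons: int = 1


@dataclass
class SinkholeRegistry:
    """Everything the sinkhole is allowed to keep: IP -> sighting metadata."""
    sightings: dict = field(default_factory=dict)
    lock: threading.Lock = field(default_factory=threading.Lock)

    def record(self, src_ip: str, now: float) -> None:
        with self.lock:
            s = self.sightings.get(src_ip)
            if s is None:
                self.sightings[src_ip] = Sighting(now, now)
            else:
                s.last_seen = now
                s.beacons += 1

    def isp_report(self) -> list:
        """Sorted (ip, beacon_count) pairs: the list handed to ISPs for notification."""
        with self.lock:
            return sorted((ip, s.beacons) for ip, s in self.sightings.items())


def handle_beacon(registry: SinkholeRegistry, src_ip: str, body: bytes, now=None) -> bytes:
    """
    Process one beacon. The body is examined only far enough to decide it is a
    beacon at all (a non-empty line) and is then dropped. Every beacon gets
    STOP back, so a bot that restarts after a reboot is re-stopped on its next
    check-in without the sinkhole holding any state about that host's content.
    """
    if now is None:
        now = time.time()
    if not body.strip():
        return b""            # not a beacon: say nothing and keep nothing
    registry.record(src_ip, now)
    del body                  # drop our only reference to the content here
    return STOP_COMMAND


class BeaconHandler(socketserver.StreamRequestHandler):
    def handle(self):
        line = self.rfile.readline(4096)
        reply = handle_beacon(self.server.registry, self.client_address[0], line)
        if reply:
            self.wfile.write(reply)


class Sinkhole(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, addr, registry):
        super().__init__(addr, BeaconHandler)
        self.registry = registry


def simulate_bot(host: str, port: int, body=b"HELLO bot-id=constructed-sample\n") -> bytes:
    """Stand-in for an infected host checking in (constructed for the demo)."""
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall(body)
        return s.recv(64)


def run_demo() -> list:
    """Start a sinkhole on loopback, check in twice (the second models a reboot), return the ISP report."""
    reg = SinkholeRegistry()
    srv = Sinkhole(("127.0.0.1", 0), reg)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        host, port = srv.server_address
        replies = [simulate_bot(host, port) for _ in range(2)]
        assert all(r == STOP_COMMAND for r in replies), replies
        return reg.isp_report()   # [('127.0.0.1', 2)]
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    print(run_demo())
```

The design choice that matters is where the content boundary sits: the handler decides "is this a beacon" from the first line and returns the stop command without ever writing the line to the registry or to disk, so the only artefacts that can leave the server are the per-IP counts in `isp_report()`. A real deployment would also need to run the listener on whatever addresses the bots resolve the original C2 names to, which the article says was done by swapping the servers under court order.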
In her decision granting the restraining order, U.S. District Judge Vanessa Bryant wrote that, “Allowing Coreflood to continue running on the infected computers will cause a continuing and substantial injury to the owners and users of the infected computers, exposing them to a loss of privacy and an increased risk of further computer intrusions.”
According to the government, this is the first case in the U.S. in which authorities have swapped out criminal servers for government servers in order to intercept communications between infected systems and the servers controlling them. The court filing notes that Dutch law enforcement used the same approach last year in order to disable the Bredolab botnet. In that case, Dutch authorities remotely installed and executed a program on infected machines to notify users that their systems were infected.
“These actions to mitigate the threat posed by the Coreflood botnet are the first of their kind in the United States and reflect our commitment to being creative and proactive in making the internet more secure,” said Shawn Henry, executive assistant director of the FBI’s Criminal, Cyber, Response and Services Branch, in a press release.
Coreflood has been infecting machines for nearly a decade and is designed to log keystrokes to harvest usernames and passwords, as well as financial information, in order to steal funds.
According to the government, between March 2009 and January 2010, one Coreflood command and control server held about 190 gigabytes of data stolen from more than 400,000 victim computers. The server controlled more than 2 million machines.
The botnet allowed criminals to loot $115,000 from the account of a real estate company in Michigan, according to the filing, as well as $78,000 from a South Carolina law firm.