
Another One Bites The Dust: Authorities Takedown Coreflood Botnet

Following the successful takedown of the Bredolab and Rustock botnets in November 2010 and March 2011, respectively, authorities have fired shots at another botnet.

The botnet, known as “Coreflood,” is believed to have been operating for nearly a decade and to have infected more than two million computers globally over its existence.

The Department of Justice and FBI on Tuesday announced the filing of a civil complaint, the execution of criminal seizure warrants, and the issuance of a temporary restraining order as part of what they describe as the most complete and comprehensive enforcement action ever taken by U.S. authorities to disable an international botnet.

After installing itself by exploiting a vulnerability on computers running Windows, Coreflood steals private personal and financial information from unsuspecting victims, including users on corporate computer networks, and uses that information to steal funds.

In the enforcement actions announced on Tuesday, the DOJ and FBI shared some of their success:

• Five Command & Control Servers that remotely controlled hundreds of thousands of infected computers were seized.

• 29 domain names used by the Coreflood botnet to communicate with Command & Control servers were seized.

• Authorities replaced the Command & Control servers with other “good” servers to prevent Coreflood from causing further damage to infected computers and other third parties.

Additionally, the U.S. Attorney’s Office for the District of Connecticut filed a civil complaint against 13 “John Doe” defendants, alleging that the defendants engaged in wire fraud, bank fraud and illegal interception of electronic communications. In addition, search warrants were obtained for computer servers throughout the country.

In a move that, as far as we know, has not been taken before, the government was able to obtain a temporary restraining order (TRO) giving it the ability to communicate with infected computers in the United States in order to stop the Coreflood malware from running, essentially disinfecting them remotely.

Following the issuance of the temporary restraining order, the Department of Justice and the FBI, working with Internet service providers around the country, are working to identify victims who have been infected with Coreflood. Identified owners of infected computers will also be told how to “opt out” of the remote disinfection, if they really feel that they want to keep Coreflood running on their systems. The Department of Justice said law enforcement authorities will NOT be able to access any information stored on infected systems.

Dutch authorities took a different approach during the takedown of the Mariposa botnet, and didn’t give victims the opportunity to “opt out” from the remote disinfection. According to Derek Manky, a threat researcher from Fortinet, “Dutch authorities forcibly sent ‘goodware’ and sent an executable to update infected machines.”

Dave Marcus, McAfee Labs research and communications director, believes the group behind Coreflood had been quite successful in their efforts over the years. “It appears the cybercriminals behind Coreflood were able to turn the botnet into a money making machine,” Marcus said. “It is hard to estimate the actual loot, but the criminals likely made tens of millions of dollars, based on the estimates in the complaint filed by the Department of Justice. It is not outside of the realm of possibility that they netted more than US$100 million.”

The Department of Justice noted that while the enforcement action completely disabled the existing Coreflood botnet by seizing control from the criminals who ran it, this does not mean that Coreflood malware or similar forms of malware have been removed from the Internet entirely. Nor does it mean that criminals will not attempt to build another botnet using a different version of the Coreflood malware or other malware.

The law enforcement actions are the result of an ongoing criminal investigation by the FBI’s New Haven Division, in coordination with the U.S. Marshals Service with assistance provided by Microsoft, the Internet Systems Consortium and other private industry partners.

“We commend the FBI and DOJ for their action against the Coreflood botnet,” Richard Boscovich, Senior Attorney, Microsoft Digital Crimes Unit told SecurityWeek. “There is clearly a strong public/private momentum happening in the fight against botnets and the Microsoft Digital Crimes Unit was happy to provide technical information from the lessons we learned from the recent Rustock and Waledac botnet takedowns to assist these agencies in their operation.”

For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.