Another One Bites The Dust: Authorities Takedown Coreflood Botnet

Following the successful takedown of the Bredolab and Rustock botnets in November 2010 and March 2011, respectively, authorities have fired shots at another botnet.

The botnet, known as “Coreflood,” is believed to have been operating for nearly a decade and to have infected more than two million computers globally throughout its existence.

The Department of Justice and FBI on Tuesday announced the filing of a civil complaint, the execution of criminal seizure warrants, and the issuance of a temporary restraining order as part of what it says is the most complete and comprehensive enforcement action ever taken by U.S. authorities to disable an international botnet.

After installing itself by exploiting a vulnerability on computers running Windows, Coreflood steals private personal and financial information from unsuspecting victims, including users on corporate computer networks, and uses that information to steal funds.

In the enforcement actions announced on Tuesday, the DOJ and FBI shared some of their success:

• Five Command & Control servers that remotely controlled hundreds of thousands of infected computers were seized.

• 29 domain names used by the Coreflood botnet to communicate with Command & Control servers were seized.


• Authorities replaced the Command & Control servers with other “good” servers to prevent Coreflood from causing further damage to infected computers and other third parties.

Additionally, the U.S. Attorney’s Office for the District of Connecticut filed a civil complaint against 13 “John Doe” defendants, alleging that the defendants engaged in wire fraud, bank fraud and illegal interception of electronic communications. In addition, search warrants were obtained for computer servers throughout the country.

In a move that hasn’t been done before as far as we know, the government was able to obtain a temporary restraining order (TRO), giving it the ability to communicate with infected computers in the United States in order to stop the Coreflood malware from running, essentially remotely disinfecting it.

Following the issuance of the temporary restraining order, the Department of Justice and the FBI, working with Internet service providers around the country, are working to identify victims who have been infected with Coreflood. Identified owners of infected computers will also be told how to “opt out” from the remote disinfection, if they really feel that they want to keep Coreflood running on their systems. The Department of Justice said law enforcement authorities will NOT be able to access any information stored on infected systems.

Dutch authorities took a different approach during the takedown of the Mariposa botnet, and didn’t give victims the opportunity to “opt out” from the remote disinfection. According to Derek Manky, a threat researcher from Fortinet, “Dutch authorities forcibly sent ‘goodware’ and sent an executable to update infected machines.”

Dave Marcus, McAfee Labs research and communications director, believes the group behind Coreflood had been quite successful in their efforts over the years. “It appears the cybercriminals behind Coreflood were able to turn the botnet into a money making machine,” Marcus said. “It is hard to estimate the actual loot, but the criminals likely made tens of millions of dollars, based on the estimates in the complaint filed by the Department of Justice. It is not outside of the realm of possibility that they netted more than US$100 million.”

The Department of Justice noted that while the enforcement action completely disabled the existing Coreflood botnet by seizing control from the criminals who ran it, this does not mean that Coreflood malware or similar forms of malware have been removed from the Internet entirely. Nor does it mean that criminals will not attempt to build another botnet using a different version of the Coreflood malware or other malware.

The law enforcement actions are the result of an ongoing criminal investigation by the FBI’s New Haven Division, in coordination with the U.S. Marshals Service with assistance provided by Microsoft, the Internet Systems Consortium and other private industry partners.

“We commend the FBI and DOJ for their action against the Coreflood botnet,” Richard Boscovich, Senior Attorney, Microsoft Digital Crimes Unit told SecurityWeek. “There is clearly a strong public/private momentum happening in the fight against botnets and the Microsoft Digital Crimes Unit was happy to provide technical information from the lessons we learned from the recent Rustock and Waledac botnet takedowns to assist these agencies in their operation.”

Written By

For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.
