Remote removal of malware and other malicious software is not new. However, the FBI and Department of Justice set new precedent this week when they sent remote, unsolicited execution commands to kill Coreflood botnet programs running on individual users’ computers.

The Coreflood botnet is (perhaps, was?) a network of infected computers that were remotely controlled by hackers and included keylogging software that would record keystrokes. The keylogging program allowed the hackers to steal passwords and financial information from the affected computers. One computer security expert called it “one of the longest running botnets haunting the dark recesses of the Internet.” The Coreflood program is believed to have affected two million computers. While understandably difficult to estimate, one antivirus researcher put the amount Coreflood stole in the tens of millions, and it is not outside the realm of possibility that it stole more than $100 million. One South Carolina law firm lost $78,000 as a result of the Coreflood botnet.

This week, the Justice Department filed suit, under seal, against thirteen “John Doe” defendants in the District Court of Connecticut. The department sought a temporary restraining order and injunction, under 18 U.S.C. §§ 1345 & 2521, to “prevent the Defendants from using a botnet known as the ‘Coreflood Botnet’ to work a continuing and substantial injury on the owners and users of computers infected by Coreflood.” Authorities asked first for search warrants to seize the botnet’s “command and control” servers, spread fairly evenly across the country—Arizona, Georgia, Texas, Ohio and California. The U.S. authorities then sought and received a “trap-and-trace” order, pursuant to 18 U.S.C. § 3123, that allowed the nonprofit Internet Systems Consortium, under law enforcement supervision, to replace the Coreflood servers with servers that it controlled. The new servers allowed law enforcement to collect the IP addresses of the affected computers that were still sending out beacons to the control servers. The authorities then sent out a precedent-setting “Stop” command to the affected computers trying to connect to the main servers, which stopped the Coreflood program from operating on those computers. However, the Coreflood program is designed to restart every time the computer is rebooted, so a new “Stop” command has to be sent after every reboot. The government plans to provide the IP addresses of the “zombie computers” to Internet Service Providers so that they can notify their customers that they are infected and take steps to permanently remove the program.

This is not the first time government officials have seized botnet control servers and sent out remote execution commands. Dutch officials used this strategy on the Bredolab botnet last year. However, this was the first time United States authorities had done so, and it was justified, according to District Judge Vanessa Bryant, because “[a]llowing Coreflood to continue running on the infected computers will cause a continuing and substantial injury to the owners and users of the infected computers, exposing them to a loss of privacy and increased risk of further computer intrusions.”

Authorities assured the court that they had configured the replacement servers so that the “Stop” command would not cause any harm to the individual users’ computers. However, others are not convinced that authorities can be so sure, and note that authorities might “blow up some important machine.” Additionally, authorities promised that “[a]t no time will law enforcement authorities access any information that may be stored on an affected computer.” Guess we’ll take the folks at the “Good Samaritan” hacking department at their word.

Paul Russell
