Feeds

Feds commandeer botnet, issue 'stop' command

Notorious Coreflood gets dose of own medicine

Using blade systems to cut costs and sharpen efficiencies

For the first time ever, the US government has attempted to take down a botnet by setting up a substitute control channel that temporarily disables the underlying malware running on hundreds of thousands of infected end user computers.

The move, announced Wednesday after federal prosecutors seized domain names, IP addresses and servers operated by the operators, is intended to cut the head off a notorious botnet known as Coreflood, which has infected more than 2 million Windows machines since 2002. During and 11-month period starting in March 2009, Coreflood siphoned some 190 GB worth of banking passwords and other sensitive data from more than 413,000 infected users as they browsed the net, authorities said.

In a step never before taken in the US, federal prosecutors have obtained a court order allowing them to set up a substitute command and control server that will direct infected machines to temporarily stop running the underlying malware. The substitute instructions will have to be issued continuously for the foreseeable future because infected machines are automatically programmed to be reload Coreflood each time they are restarted.

“Issuing the stop command to the Coreflood software will further limit the ability of the operators of the botnet to regain control of the botnet through a variety of illegal means,” prosecutors wrote in a motion filed Tuesday for a court order to take over the C&C server. “Indeed, failure to issue the stop command will increase the likelihood that the operators of the botnet will be able to successfully regain control of some part of their illicit network.”

Prosecutors also obtained an order to log the IP addresses of all computers that report to the substitute C&C server. The government attorneys will then work with the underlying ISPs to track down each end user so he can be informed of the infection and be instructed how to use various antivirus products to disinfect the compromised machine.

According to the court filing, no US law enforcement authority has ever sought court permission to control a seized botnet using a substitute C&C server. Dutch officials took a similar approach last year when they beheaded the Bredolab botnet, another network of infected machines used to steal vast amounts of financial information from its victims.

The novel legal move came in a lawsuit prosecutors filed against 13 Coreflood operators named only as John Does because their true identities are unknown. It accuses them of engaging in wire fraud, bank fraud and illegal interception of electronic communications. The complaint and accompanying motions weren't unsealed until Wednesday, when the temporary restraining order they requested was granted.

The order gives the feds control over two IP addresses (207.210.74.74 and 74.63.232.233) and 29 domain names used to run the Coreflood C&C server. It also grants feds authority to use a “trap and trace” device to capture the IP addresses of the compromised computers.

The motions recited a litany of invasions into the online comings and goings of those infected by the Coreflood malware. They included an unnamed defense contractor in Tennessee. After obtaining the online credentials from the firm's bank account, the operators managed to steal almost $242,000 from the firm after attempting to transfer more than $934,000. A North Carolina investment company lost more than $151,000.

According to security researcher Joe Stewart of Secure Works, Coreflood started out as platform for launching DDoS, or distributed denial-of-service, attacks, but soon moved on to financial crime. Eventually, the botnet was able to compromise accounts even when they used two-factor authentication schemes such as those that rely on a physical token that generates one-time passwords.

It's impossible to know exactly how many victims have been claimed by Coreflood, because machines are constantly being infected, disinfected, and in some cases, reinfected. While investigators counted 413,710 infected machines from March 2009 to January 2010, the total number of machines that were, or had been, part of Coreflood is more than 2.3 million, with more than 1.8 million of them appearing to be located in the US.

The substitute C&C will be operated by the non-profit Internet System Consortium, with additional assistance coming from Microsoft.

PDFs of the government's complaint and TRO motion are here and here. ®

Boost IT visibility and business value

More from The Register

next story
Secure microkernel that uses maths to be 'bug free' goes open source
Hacker-repelling, drone-protecting code will soon be yours to tweak as you see fit
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Israel's Iron Dome missile tech stolen by Chinese hackers
Corporate raiders Comment Crew fingered for attacks
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
Four fake Google haxbots hit YOUR WEBSITE every day
Goog the perfect ruse to slip into SEO orfice
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Application security programs and practises
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Securing Web Applications Made Simple and Scalable
Learn how automated security testing can provide a simple and scalable way to protect your web applications.