Feeds

Feds commandeer botnet, issue 'stop' command

Notorious Coreflood gets dose of own medicine

Website security in corporate America

For the first time ever, the US government has attempted to take down a botnet by setting up a substitute control channel that temporarily disables the underlying malware running on hundreds of thousands of infected end user computers.

The move, announced Wednesday after federal prosecutors seized domain names, IP addresses and servers operated by the operators, is intended to cut the head off a notorious botnet known as Coreflood, which has infected more than 2 million Windows machines since 2002. During and 11-month period starting in March 2009, Coreflood siphoned some 190 GB worth of banking passwords and other sensitive data from more than 413,000 infected users as they browsed the net, authorities said.

In a step never before taken in the US, federal prosecutors have obtained a court order allowing them to set up a substitute command and control server that will direct infected machines to temporarily stop running the underlying malware. The substitute instructions will have to be issued continuously for the foreseeable future because infected machines are automatically programmed to be reload Coreflood each time they are restarted.

“Issuing the stop command to the Coreflood software will further limit the ability of the operators of the botnet to regain control of the botnet through a variety of illegal means,” prosecutors wrote in a motion filed Tuesday for a court order to take over the C&C server. “Indeed, failure to issue the stop command will increase the likelihood that the operators of the botnet will be able to successfully regain control of some part of their illicit network.”

Prosecutors also obtained an order to log the IP addresses of all computers that report to the substitute C&C server. The government attorneys will then work with the underlying ISPs to track down each end user so he can be informed of the infection and be instructed how to use various antivirus products to disinfect the compromised machine.

According to the court filing, no US law enforcement authority has ever sought court permission to control a seized botnet using a substitute C&C server. Dutch officials took a similar approach last year when they beheaded the Bredolab botnet, another network of infected machines used to steal vast amounts of financial information from its victims.

The novel legal move came in a lawsuit prosecutors filed against 13 Coreflood operators named only as John Does because their true identities are unknown. It accuses them of engaging in wire fraud, bank fraud and illegal interception of electronic communications. The complaint and accompanying motions weren't unsealed until Wednesday, when the temporary restraining order they requested was granted.

The order gives the feds control over two IP addresses (207.210.74.74 and 74.63.232.233) and 29 domain names used to run the Coreflood C&C server. It also grants feds authority to use a “trap and trace” device to capture the IP addresses of the compromised computers.

The motions recited a litany of invasions into the online comings and goings of those infected by the Coreflood malware. They included an unnamed defense contractor in Tennessee. After obtaining the online credentials from the firm's bank account, the operators managed to steal almost $242,000 from the firm after attempting to transfer more than $934,000. A North Carolina investment company lost more than $151,000.

According to security researcher Joe Stewart of Secure Works, Coreflood started out as platform for launching DDoS, or distributed denial-of-service, attacks, but soon moved on to financial crime. Eventually, the botnet was able to compromise accounts even when they used two-factor authentication schemes such as those that rely on a physical token that generates one-time passwords.

It's impossible to know exactly how many victims have been claimed by Coreflood, because machines are constantly being infected, disinfected, and in some cases, reinfected. While investigators counted 413,710 infected machines from March 2009 to January 2010, the total number of machines that were, or had been, part of Coreflood is more than 2.3 million, with more than 1.8 million of them appearing to be located in the US.

The substitute C&C will be operated by the non-profit Internet System Consortium, with additional assistance coming from Microsoft.

PDFs of the government's complaint and TRO motion are here and here. ®

Protecting users from Firesheep and other Sidejacking attacks with SSL

More from The Register

next story
Home Depot: 56 million bank cards pwned by malware in our tills
That's about 50 per cent bigger than the Target tills mega-hack
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
UK.gov lobs another fistful of change at SME infosec nightmares
Senior Lib Dem in 'trying to be relevant' shocker. It's only taxpayers' money, after all
Critical Adobe Reader and Acrobat patches FINALLY make it out
Eight vulns healed, including XSS and DoS paths
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
TOR users become FBI's No.1 hacking target after legal power grab
Be afeared, me hearties, these scoundrels be spying our signals
Blood-crazed Microsoft axes Trustworthy Computing Group
Security be not a dirty word, me Satya. But crevice, bigod...
Snowden, Dotcom, throw bombs into NZ election campaign
Claim of tapped undersea cable refuted by Kiwi PM as Kim claims extradition plot
prev story

Whitepapers

Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
The next step in data security
With recent increased privacy concerns and computers becoming more powerful, the chance of hackers being able to crack smaller-sized RSA keys increases.