
Feds commandeer botnet, issue 'stop' command

Notorious Coreflood gets dose of own medicine


For the first time ever, the US government has attempted to take down a botnet by setting up a substitute control channel that temporarily disables the underlying malware running on hundreds of thousands of infected end user computers.

The move, announced Wednesday after federal prosecutors seized domain names, IP addresses and servers run by the botnet's operators, is intended to cut the head off a notorious botnet known as Coreflood, which has infected more than 2 million Windows machines since 2002. During an 11-month period starting in March 2009, Coreflood siphoned some 190 GB worth of banking passwords and other sensitive data from more than 413,000 infected users as they browsed the net, authorities said.

In a step never before taken in the US, federal prosecutors have obtained a court order allowing them to set up a substitute command and control server that will direct infected machines to temporarily stop running the underlying malware. The substitute instructions will have to be issued continuously for the foreseeable future because infected machines are programmed to automatically reload Coreflood each time they are restarted.

“Issuing the stop command to the Coreflood software will further limit the ability of the operators of the botnet to regain control of the botnet through a variety of illegal means,” prosecutors wrote in a motion filed Tuesday for a court order to take over the C&C server. “Indeed, failure to issue the stop command will increase the likelihood that the operators of the botnet will be able to successfully regain control of some part of their illicit network.”

Prosecutors also obtained an order to log the IP addresses of all computers that report to the substitute C&C server. The government attorneys will then work with the underlying ISPs to track down each end user so he can be informed of the infection and be instructed how to use various antivirus products to disinfect the compromised machine.

According to the court filing, no US law enforcement authority has ever sought court permission to control a seized botnet using a substitute C&C server. Dutch officials took a similar approach last year when they beheaded the Bredolab botnet, another network of infected machines used to steal vast amounts of financial information from its victims.

The novel legal move came in a lawsuit prosecutors filed against 13 Coreflood operators named only as John Does because their true identities are unknown. It accuses them of engaging in wire fraud, bank fraud and illegal interception of electronic communications. The complaint and accompanying motions weren't unsealed until Wednesday, when the temporary restraining order they requested was granted.

The order gives the feds control over two IP addresses (207.210.74.74 and 74.63.232.233) and 29 domain names used to run the Coreflood C&C server. It also grants feds authority to use a “trap and trace” device to capture the IP addresses of the compromised computers.
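The other half of the court order, logging which machines report to the seized infrastructure so their owners can be notified, is the same job a network defender does from the inside: sweep egress logs for hosts that contacted the C&C addresses. The following Python is an added example and is not code from the article or from the government's takedown. The two IP addresses are the ones the order names; the log format, the sample lines and the internal host addresses are constructed for the example and are not real Coreflood traffic.

```python
"""Sweep constructed egress logs for hosts that beaconed to the seized Coreflood C&C IPs.

Added example, not part of the original article. The C&C addresses come from the
court order described in the article; everything else is constructed.
"""
import re
from collections import defaultdict
from datetime import datetime

# The two C&C IP addresses named in the temporary restraining order.
COREFLOOD_C2_IPS = {"207.210.74.74", "74.63.232.233"}

# Constructed log format (assumption, not a real product's format):
#   "<ISO-8601 timestamp> <src_ip> -> <dst_ip>:<dst_port> <ALLOW|DENY>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\d+\.\d+\.\d+\.\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<port>\d+) (?P<action>[A-Z]+)$"
)

# Constructed sample: one host beaconing every five minutes, one host whose
# single attempt was blocked at the perimeter, one clean host, one bad line.
SAMPLE_LOG = """\
2011-04-13T09:00:01Z 10.0.5.23 -> 207.210.74.74:80 ALLOW
2011-04-13T09:00:02Z 10.0.5.23 -> 93.184.216.34:443 ALLOW
2011-04-13T09:05:01Z 10.0.5.23 -> 207.210.74.74:80 ALLOW
2011-04-13T09:07:44Z 10.0.9.8 -> 74.63.232.233:80 DENY
2011-04-13T09:10:01Z 10.0.5.23 -> 207.210.74.74:80 ALLOW
this line is malformed and must be skipped, not crash the sweep
2011-04-13T09:12:00Z 10.0.7.2 -> 93.184.216.34:80 ALLOW
"""


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "src": m["src"],
        "dst": m["dst"],
        "port": int(m["port"]),
        "action": m["action"],
    }


def find_beaconing_hosts(log_text, c2_ips=COREFLOOD_C2_IPS):
    """Return {src_ip: summary} for every internal host that contacted a C&C address.

    A DENY counts too: the host tried to reach the C&C, so it is infected and
    still needs clean-up even though the perimeter stopped the connection.
    The mean interval between contacts is reported because a fixed cadence
    (here 300 s) is the signature of a bot checking in, not of a user browsing.
    """
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None and rec["dst"] in c2_ips:
            hits[rec["src"]].append(rec)

    report = {}
    for src, recs in hits.items():
        recs.sort(key=lambda r: r["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(recs, recs[1:])]
        report[src] = {
            "count": len(recs),
            "c2": sorted({r["dst"] for r in recs}),
            "first_seen": recs[0]["ts"].isoformat(),
            "last_seen": recs[-1]["ts"].isoformat(),
            "mean_interval_s": sum(gaps) / len(gaps) if gaps else None,
            "all_blocked": all(r["action"] == "DENY" for r in recs),
        }
    return report


if __name__ == "__main__":
    for host, info in sorted(find_beaconing_hosts(SAMPLE_LOG).items()):
        print(host, info)
```

The output is the per-host list an ISP or an internal security team would use for notification: which C&C each host reached, when it was first and last seen, how regular the check-ins were, and whether the perimeter already blocks them. Swap the regex and the C&C set for your own log format and threat list; the aggregation logic does not change.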

The motions recited a litany of invasions into the online comings and goings of those infected by the Coreflood malware. They included an unnamed defense contractor in Tennessee. After obtaining the online credentials from the firm's bank account, the operators managed to steal almost $242,000 from the firm after attempting to transfer more than $934,000. A North Carolina investment company lost more than $151,000.

According to security researcher Joe Stewart of Secure Works, Coreflood started out as a platform for launching DDoS, or distributed denial-of-service, attacks, but soon moved on to financial crime. Eventually, the botnet was able to compromise accounts even when they used two-factor authentication schemes such as those that rely on a physical token that generates one-time passwords.

It's impossible to know exactly how many victims have been claimed by Coreflood, because machines are constantly being infected, disinfected, and in some cases, reinfected. While investigators counted 413,710 infected machines from March 2009 to January 2010, the total number of machines that were, or had been, part of Coreflood is more than 2.3 million, with more than 1.8 million of them appearing to be located in the US.

The substitute C&C will be operated by the non-profit Internet System Consortium, with additional assistance coming from Microsoft.

PDFs of the government's complaint and TRO motion are here and here. ®
