Feds commandeer botnet, issue 'stop' command

Notorious Coreflood gets dose of own medicine

For the first time ever, the US government has attempted to take down a botnet by setting up a substitute control channel that temporarily disables the underlying malware running on hundreds of thousands of infected end user computers.

The move, announced Wednesday after federal prosecutors seized domain names, IP addresses and servers run by the botnet's operators, is intended to cut the head off a notorious botnet known as Coreflood, which has infected more than 2 million Windows machines since 2002. During an 11-month period starting in March 2009, Coreflood siphoned some 190 GB worth of banking passwords and other sensitive data from more than 413,000 infected users as they browsed the net, authorities said.

In a step never before taken in the US, federal prosecutors have obtained a court order allowing them to set up a substitute command and control server that will direct infected machines to temporarily stop running the underlying malware. The substitute instructions will have to be issued continuously for the foreseeable future because infected machines are programmed to reload Coreflood each time they are restarted.

“Issuing the stop command to the Coreflood software will further limit the ability of the operators of the botnet to regain control of the botnet through a variety of illegal means,” prosecutors wrote in a motion filed Tuesday for a court order to take over the C&C server. “Indeed, failure to issue the stop command will increase the likelihood that the operators of the botnet will be able to successfully regain control of some part of their illicit network.”

Prosecutors also obtained an order to log the IP addresses of all computers that report to the substitute C&C server. The government attorneys will then work with the underlying ISPs to track down each end user so he can be informed of the infection and be instructed how to use various antivirus products to disinfect the compromised machine.
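Turning the logged check-ins into something an ISP can act on, as an added example that is not part of the article or of the sinkhole the government operates: it parses constructed sinkhole log lines, collapses repeat check-ins into one record per infected host, and groups hosts by a constructed prefix-to-ISP map. The log format, the addresses and the ISP names are all assumptions.

```python
# Added example, not code from the article or from ISC: collapse the check-ins a
# sinkhole logs into one record per infected host, grouped by ISP for notification.
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed sample check-ins (RFC 5737 documentation addresses), one per line as
# "<UTC timestamp> <source IP>"; one malformed line is included to exercise the parser.
SAMPLE_LOG = """\
2011-04-13T10:00:01Z 192.0.2.17
2011-04-13T10:00:05Z 198.51.100.9
2011-04-13T10:15:22Z 192.0.2.17
2011-04-13T11:05:00Z 192.0.2.200
garbage line that must be skipped
2011-04-13T12:00:00Z 198.51.100.9
2011-04-13T12:30:00Z 10.9.8.7
"""

# Constructed prefix-to-ISP map (hypothetical names) standing in for a WHOIS/ASN lookup.
ISP_PREFIXES = {
    ipaddress.ip_network("192.0.2.0/24"): "ExampleNet",
    ipaddress.ip_network("198.51.100.0/24"): "DocuCable",
}

def parse_checkins(text):
    """Yield (timestamp, ip) per well-formed line; a malformed line is dropped, not fatal."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        try:
            yield (datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ"),
                   ipaddress.ip_address(parts[1]))
        except ValueError:
            continue

def isp_for(ip):
    """Longest-prefix match against ISP_PREFIXES; 'unknown' when no ISP covers ip."""
    nets = [n for n in ISP_PREFIXES if ip in n]
    return ISP_PREFIXES[max(nets, key=lambda n: n.prefixlen)] if nets else "unknown"

def notification_lists(text):
    """Return {isp: {ip: (first_seen, last_seen, checkins)}}, one entry per host."""
    by_isp = defaultdict(dict)
    for ts, ip in parse_checkins(text):
        hosts = by_isp[isp_for(ip)]
        first, last, n = hosts.get(str(ip), (ts, ts, 0))
        hosts[str(ip)] = (min(first, ts), max(last, ts), n + 1)
    return dict(by_isp)
```

Hosts that fall outside every known prefix land in the "unknown" bucket rather than being dropped, so the count of infected machines stays honest even where the ISP lookup is incomplete.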

According to the court filing, no US law enforcement authority has ever sought court permission to control a seized botnet using a substitute C&C server. Dutch officials took a similar approach last year when they beheaded the Bredolab botnet, another network of infected machines used to steal vast amounts of financial information from its victims.

The novel legal move came in a lawsuit prosecutors filed against 13 Coreflood operators named only as John Does because their true identities are unknown. It accuses them of engaging in wire fraud, bank fraud and illegal interception of electronic communications. The complaint and accompanying motions weren't unsealed until Wednesday, when the temporary restraining order they requested was granted.

The order gives the feds control over two IP addresses (207.210.74.74 and 74.63.232.233) and 29 domain names used to run the Coreflood C&C server. It also grants feds authority to use a “trap and trace” device to capture the IP addresses of the compromised computers.

The motions recited a litany of invasions into the online comings and goings of those infected by the Coreflood malware. They included an unnamed defense contractor in Tennessee. After obtaining the online credentials from the firm's bank account, the operators managed to steal almost $242,000 from the firm after attempting to transfer more than $934,000. A North Carolina investment company lost more than $151,000.

According to security researcher Joe Stewart of Secure Works, Coreflood started out as a platform for launching DDoS, or distributed denial-of-service, attacks, but soon moved on to financial crime. Eventually, the botnet was able to compromise accounts even when they used two-factor authentication schemes such as those that rely on a physical token that generates one-time passwords.

It's impossible to know exactly how many victims have been claimed by Coreflood, because machines are constantly being infected, disinfected, and in some cases, reinfected. While investigators counted 413,710 infected machines from March 2009 to January 2010, the total number of machines that were, or had been, part of Coreflood is more than 2.3 million, with more than 1.8 million of them appearing to be located in the US.

The substitute C&C will be operated by the non-profit Internet Systems Consortium, with additional assistance coming from Microsoft.

PDFs of the government's complaint and TRO motion are here and here. ®
