IT Security: USA's FBI blocks Coreflood botnet
The FBI says "The Coreflood virus infects only Microsoft Windows based computers. Generally most users will not be able to tell if their computers are infected." After seizing the computer servers that controlled the botnet, the FBI estimates that up to two million computers host the keylogger, which records what is typed on an infected machine and sends that data back to its controllers.
On 13th April, the FBI acted on the evidence it had gathered since the virus came to its attention: it sought, and was immediately granted, warrants to enter premises and seize the computers that controlled the virus.
But the threat is not over: although the FBI says that it has disrupted the operation of Coreflood and will therefore prevent the servers from passing information on to those who developed the program, it does not say how much data has already been transmitted. And the estimated two million PCs that have been affected still host the malware.
Coreflood was hosted on just five servers. So far, the FBI has not said whether the malware has the ability to change the destination of information if the primary servers are off-line. In the past, this technique has been implemented by criminal gangs looking to steal all manner of information from users.
The most valuable information is, of course, payment information entered into on-line shopping sites and access data for bank and other financial accounts. Access codes for on-line e-mail accounts also provide address-harvesters with rich pickings if they go into the accounts and download the user's entire address book.
The FBI released information to reputable anti-virus companies who are working to improve both their AV detection and firewall security; Microsoft is also preparing updates for those Windows Operating System products which it still supports.
The FBI says "Victimised computers that have not been disinfected using anti-virus software updates will continue to attempt to contact the Coreflood botnet servers. When this happens, we will respond by issuing a temporary stop command to the virus and then alert that user's Internet service provider (ISP), who will inform the customer that their computer is still infected. At no time will we be collecting any personal data from victim computers."
But a significant question remains: the FBI says "We began our Coreflood investigation in April 2009 when a Connecticut-based company realised that hundreds of computers on its networks had been infected. Before we shut down the Coreflood operation, cyber thieves made numerous fraudulent wire transfers, costing companies hundreds of thousands of dollars." It seems, therefore, as if the virus has been allowed to continue its work for some two years while evidence was built.
Thirteen "John Doe" defendants are the subject of civil proceedings alleging "wire fraud, bank fraud, and illegal interception of electronic communications"; this was the action in which the orders were obtained.
Search warrants were obtained for the command and control servers in Arizona, Georgia, Texas, Ohio, and California. And a seizure warrant was issued in Connecticut for 29 Internet domain names used by the thieves.
According to court filings, Coreflood is a particularly harmful type of malicious software that records keystrokes and private communications on a computer. Once a computer is infected with Coreflood, it can be controlled remotely from another computer, known as a command and control (C & C) server. A computer infected by Coreflood and subject to remote control is referred to as a "bot," short for "robot." According to information contained in court filings, the group of all computers infected with Coreflood is known as the Coreflood botnet, which is believed to have been operating for nearly a decade and to have infected more than two million computers worldwide.
Coreflood steals usernames, passwords, and other private personal and financial information allegedly used by the defendants for a variety of criminal purposes, including stealing funds from the compromised accounts. In one example described in court filings, through the illegal monitoring of Internet communications between the user and the user's bank, Coreflood was used to take over an online banking session and caused the fraudulent transfer of funds to a foreign account.
The Order authorised the substitution of servers under the control of the FBI to intercept the malware's calls to the original servers, thereby tricking the malware on victims' computers into "thinking" that contact has been made.
The neat trick that the FBI has created in effect hacks the virus while it is resident on users' computers and still active.
The Coreflood malware on a victim's computer is programmed to request directions and commands from C & C servers on a routine basis. New versions of the malware are introduced through the C & C servers on a regular basis, in an effort to stay ahead of security software and other virus updates. If the C & C servers do not respond, the existing Coreflood malware continues to run on the victim's computer, collecting personal and financial information. The TRO authorises the government to respond to these requests from infected computers in the United States with a command that temporarily stops the malware from running on the infected computer. During that time, the defendants will not be able to introduce different versions of the Coreflood malware onto the infected computers. By limiting the defendants' ability to control the botnet, computer security providers will be given time to update their virus signatures and malicious software removal tools, so that all victims can have a reliable tool available to them that removes the latest version of the malware from an infected computer.
The FBI warns: "While this enforcement action completely disabled the existing Coreflood botnet by seizing control from the criminals who ran it, this does not mean that Coreflood malware or similar forms of malware have been removed from the Internet entirely. Nor does it mean that criminals will not attempt to build another botnet using a different version of the Coreflood malware or other malware."