FBI, DoJ Act to Block International Botnet

Decade-Old 'Coreflood' Said to Have Infected 2 Million Computers
FBI, DoJ Act to Block International Botnet
The Justice Department and FBI have taken what they characterize as the most complete and comprehensive action ever by American authorities to disable an international botnet known as Coreflood, which is believed to have been operating for nearly a decade and infected more than 2 million computers worldwide.

The U.S. attorney in Connecticut Wednesday filed a civil complaint against 13 John Doe defendants, alleging that they engaged in wire fraud, bank fraud and illegal interception of electronic communications. Authorities also seized five command and control servers that remotely controlled hundreds of thousands of infected computers as well as 29 domain names used by the Coreflood botnet to communicate with the control and command servers. The government said it replaced the illegal servers with substitute servers to prevent Coreflood from causing further injury to the owners and users of infected computers and other third parties.

"The seizure of the Coreflood servers and Internet domain names is expected to prevent criminals from using Coreflood or computers infected by Coreflood for their nefarious purposes," said U.S. Attorney David B. Fein said in a statement.

The government also obtained a temporary restraining order, authorizing the government to respond to signals sent from infected computers in the United States to stop the Coreflood software from running, which they contend would prevent further harm to hundreds of thousands of unsuspecting users of infected computers.

Authorities said Coreflood records keystrokes and private communications on a computer. Once a computer is infected with Coreflood, it can be controlled remotely from another computer, Coreflood steals usernames, passwords and other private personal and financial information allegedly used by the defendants for a variety of criminal purposes, including stealing funds from the compromised accounts. In one example described in court filings, through the illegal monitoring of Internet communications between the user and the user's bank, Coreflood was used to take over an online banking session and caused the fraudulent transfer of funds to a foreign account.

The Coreflood malware on a victim's computer is programmed to request directions and commands from command and control servers on a routine basis. New versions of the malware are introduced using the command and control servers on a regular basis, in an effort to stay ahead of security software and other virus updates. If the command and control servers do not respond, the existing Coreflood malware continues to run on the victim's computer, collecting personal and financial information.

The temporary restraining order authorizes the government to respond to these requests from infected computers in the United States with a command that temporarily stops the malware from running on the infected computer. During that time, the defendants will not be able to introduce different versions of the Coreflood malware onto the infected computers. Authorities explained that by limiting the defendants ability to control the botnet, computer security providers will be given time to update their virus signatures and malicious software removal tools so that all victims can have a reliable tool available to them that removes the latest version of the malware from an infected computer.

The Department of Justice and FBI said they worked with Internet service providers around the country, and will identify and notify as many victims as possible who have been infected with Coreflood to avoid or minimize future fraud losses and identity theft resulting from Coreflood. Authorities aid identified owners of infected computers will be told how to opt out from the temporary restraining order, if for some reason they want to keep Coreflood running on their computers. The government said law enforcement authorities will not access any information that may be stored on an infected computer.

About the Author

Eric Chabrow

Eric Chabrow

Retired Executive Editor, GovInfoSecurity

Chabrow, who retired at the end of 2017, hosted and produced the semi-weekly podcast ISMG Security Report and oversaw ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.