Coreflood Takedown Raises Questions About Offensive Actions Against Botnets

Type threatpost
Reporter Dennis Fisher
Modified 2013-04-17T16:34:39


Coreflood For just about as long as there have been botnets, there’s been an ongoing discussion in the security and law-enforcement communities about the legality and ethics of taking proactive steps to disrupt the botnets’ operations and even to remove the bots from infected machines. Until very recently, those discussions have been theoretical, but now the government has asked a court for permission to clean millions of Coreflood bot-infected PCs, moving the questions from the realm of “what if” to “now what.”

The FBI and the U.S. Marshals Service recently took control of the Coreflood botnet, an operation that has become more and more common in recent months as both private companies and law enforcement agencies have taken it upon themselves to step in and start dismantling some of the more problematic botnets around the Web. The Coreflood takedown involved the FBI and Marshals taking over the command-and-control servers for Coreflood and preventing infected machines from attacking other PCs or taking other malicious actions.

Now, the Department of Justice has gotten a temporary injunction from a federal court in Connecticut to prevent the unidentified operators of the botnet from using the network for any malicious reason and enables the FBI to continue running the substitute C&C server. More interestingly, however, the government’s lawyers also said that they have sent a document to various U.S.-based ISPs that they can use to get permission from their end users to remove the Coreflood bot from their infected PCs.

“While the proposed preliminary injunction is in effect, the Government also expects to uninstall Coreflood from the computers of Identifiable Victims who provide written consent. The Government is not requesting explicit authorization from the Court to do so, because the written consent form obviates the need for such authorization. Nevertheless, in order to keep the Court fully apprised of all relevant facts, the Government respectfully advises the Court that the substitute server, or another similar server, will be configured to respond to command and control requests from infected computers by issuing instructions for Coreflood to uninstall itself, but only as to infected computers of Identifiable Victims who have provided written consent to do so,” the U.S. Attorneys involved in the case said in their supporting documents filed with the court.

Slideshow The Top Botnet Takedowns

“While the use of an ‘uninstall’ command to remove Coreflood cannot be considered a replacement for the use of properly configured and updated anti-virus software, removing Coreflood from infected computers will at least serve to eliminate a known threat to that victim’s privacy and financial security.”

While ISPs in the U.S. have been doing some forms of remediation for the customers for several years now, including notifying them of malware infections and in some cases helping them remove the offending program, the involvement of the FBI and Marshal’s Service in the notifications and takedown operation adds a new element to the mix.

And it also brings up some questions about how and how often the government and ISPs will use this method of remediation and what it means for users.

“It’s certainly a topic that’s been kicked around in the community for a long time and more people have looked at the ethics of it lately, which is good,” said Jose Nazario, senior manager of security research at Arbor Networks. “I imagine this is being looked at very closely by people at Justice and elsewhere. They did their homework and they got lucky this time.”

In the Coreflood case, the FBI took a careful, measured approach to dismantling the botnet. It first got legal permission to take over the C&C operations of Coreflood earlier this month, and the size and activity of the network began declining immediately. About two weeks later, the Justice lawayers went back to the courts asking for–and getting–an injunction against the botnet operators and informing the court of the bot-cleaning portion of the program.

This hybrid technical-legal approach to taking down botnets is in vogue right now and has been used effectively by Microsoft and other companies involved in anti-botnet operations lately. Microsoft specifically has been quite aggressive in going after botnets in the last six months or so, initiating takedowns of the Rustock and Waledac botnets. The company has even built a special department, the Microsoft Digital Crimes Unit, to help address botnets and other online crime problems.

As the legal thinking and technological tactics evolve over time, experts say that the responses to botnets will change as well.

“I’m not aware of any great consensus around this topic. This kind of thing isn’t well understood yet, I don’t think. There’s
going to be a range of what’s responsible and ethical to do. And I think
it will be fueled by outcomes. If there are some great tragedies and
someone went to uninstall a bot and blew away thousands of PCs somehow,
it’s a different story. That possibility is always there,” Nazario said.