DOJ Shuts Down Botnet, Disables Infected Systems

2011-04-14T11:06:17
ID THREATPOST:BAFF44F33304913271A1C1D9878BAA8C
Type threatpost
Reporter Paul Roberts
Modified 2013-04-17T16:34:45

Description

The U.S. Department of Justice and the FBI said on Wednesday that they had taken actions to disable an international botnet of more than two million infected computers that was stealing corporate data including user names, passwords and financial information.

Thirteen unnamed “John Doe” defendants were charged in a civil complaint filed by the U.S. Attorney’s Office for the District of Connecticut, and 29 domain names connected to the Coreflood malware were seized in the raid, according to a statement from the U.S. Attorney for the District of Connecticut.

The botnet, which has been linked to a malicious program dubbed “Coreflood,” is believed to have been operated out of Russia and to have been active for close to a decade. In a twist, the Department of Justice said it had received a temporary restraining order (TRO) allowing it to disable the malware on machines that attempt to communicate with the command and control servers.

The crackdown would be one of the largest actions taken by U.S. law enforcement against an international botnet. In the last year, there have been a number of similar botnet takedowns, though many have been led by private sector firms, notably Microsoft and FireEye, in conjunction with law enforcement and Internet service providers in the U.S. and elsewhere. This is the first known instance where authorities have taken the extra step of disabling the malware on infected hosts.

According to the U.S. Attorney, five botnet C&C servers were seized, as were 29 domain names used by the Coreflood botnet to communicate with the C&C servers. The government then replaced the illegal C&C servers with “substitute servers to prevent Coreflood from causing further injury to the owners and users of infected computers and other third parties.” That involved issuing a command that “temporarily stops the malware from running on the infected computer.” Though the authorities did not disinfect the machines, the hope is that victims will update their antivirus software and that security software providers will develop tools for removing the Coreflood malware from infected hosts.

The DOJ and FBI will work with Internet service providers to notify victims whose machines have been compromised with the Coreflood malware. Owners will be told how to “opt out” and keep Coreflood running if they so desire.

The DOJ action mirrors that of Dutch authorities in the crackdown on the Bredolab botnet in October. In that incident, the country’s High Tech Crime Team worked with the Dutch CERT and local ISPs to disable infected command and control servers. Infected computers were then redirected to a page that offered instructions for removing the Trojan.

The takedown involved a wide range of players from the private sector and law enforcement. They include the FBI’s New Haven Division, the U.S. Marshals Service, Microsoft, the Internet Systems Consortium (ISC) and other private industry partners.

The DOJ encouraged computer users to make sure they are running security and antivirus software and to keep it up to date.