Feds Claim Victory Over Coreflood Botnet

Federal authorities have declared victory over the Coreflood botnet and shut down the replacement server that the FBI used to issue commands to infected PCs.

The move was the final step in the two-month "Operation Adeona," an attempt to cripple the botnet that originally controlled an estimated 2.3 million compromised computers.

In mid-April, the U.S. Department of Justice (DOJ) and FBI obtained an unprecedented restraining order that allowed them to seize command-and-control (C&C) servers that managed the Coreflood botnet and replace them with a government-controlled system.

The court order also allowed the DOJ and FBI to issue commands using the replacement server that disabled Coreflood on infected PCs. Later, the FBI used the same server to uninstall the malware from 19,000 machines whose owners had given the agency their consent.

On Tuesday, the government closed the civil lawsuit when a federal judge permanently barred 10 "John Does" from operating Coreflood. Authorities did not reveal the names of the defendants.

The substitute server that had been issuing commands to the botnet has also been pulled from the case, said the FBI.

"The continued operation of the substitute server is no longer necessary, under the circumstances, to prevent the Defendants from using the Coreflood botnet in furtherance of their scheme to commit wire fraud and bank fraud and to engage in unauthorized interception of electronic communications," said FBI Special Agent Kenneth Keller in an affidavit filed June 14 with the court.

Keller said the operation had crippled the botnet.

"The size of the Coreflood botnet has been reduced by more than 95% through a combination of victim notification, coordination with Internet service providers and antivirus vendors, and the operation of the substitute server," Keller said.

The FBI had been measuring Coreflood's activity and size through "beacons," the command requests hijacked PCs sent to the government-run C&C server. On April 13, the day after the DOJ and FBI seized the Coreflood servers, the government replacement received 800,000 beacons. By June 8, the number of beacons was barely discernible on an FBI-provided chart.

Keller credited antivirus companies, which were able to distribute detection and deletion signatures when Coreflood was unable to update itself, for helping subdue the botnet.

Although he didn't call out Microsoft in his affidavit, the company also played a part in the anti-Coreflood effort.

The FBI said it had reduced the Coreflood botnet by 95% since the mid-April launch of "Operation Adeona." (Graphic: FBI.)

In April, Microsoft used its Malicious Software Removal Tool (MSRT) to bolster the Coreflood cleaning process, and took the unusual step of re-releasing an updated edition of the tool to finger variants that had appeared shortly after the government seized the botnet's C&C servers.

During May, authorities used the substitute C&C server to remotely uninstall the Coreflood malware from some infected Windows PCs. According to Keller, the FBI used the server to issue 19,000 uninstall commands to computers owned by 24 victims.

"None of [the victims] have reported any adverse or unintended consequences from the uninstall commands," Keller reported.

The FBI had previously identified state or local government agencies, airports, defense contractors, banks, universities and hospitals among the victims.

It's likely that the uninstall commands were aimed at organizations with large numbers of infected computers; on average, each victim received 791 uninstall commands.

The FBI acknowledged that it had not been able to eradicate Coreflood. It had not been able to identify all the victims, and was not allowed to issue uninstall commands to infected computers outside the U.S.

"Under the circumstances, it does not appear that further reductions in the size of the Coreflood Botnet can be accomplished without resort to other remediation techniques, such as a 'blanket' uninstall of Coreflood," Keller said. Presumably, he meant issuing uninstall commands to all infected computers without obtaining permission from their owners.

The FBI did not ask for the authority to do that, Keller added, "given that the size of the Coreflood botnet has already been significantly reduced."

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed. His e-mail address is gkeizer@computerworld.com.

Copyright © 2011 IDG Communications, Inc.