The US Department of Justice (DOJ) and the FBI seized five command and control servers and 29 domain names to shut down the Coreflood botnet last week.
In a statement released last week, the DOJ said that the US attorney's office for the District of Connecticut filed a civil complaint against 13 ‘John Doe’ defendants, alleging that the defendants engaged in wire and bank fraud and illegal interception of electronic communications.
In addition, search warrants were obtained for computer servers throughout the country and a seizure warrant was obtained in the US district court for the District of Connecticut for 29 domain names.
Finally, the government obtained a temporary restraining order authorising it to respond to signals sent from infected computers in the United States in order to stop the Coreflood software from running, thereby preventing further harm to hundreds of thousands of unsuspecting users of infected computers in the United States.
It said that Coreflood allows infected computers to be controlled remotely for the purpose of stealing private personal and financial information from unsuspecting computer users, including users on corporate computer networks, and of using that information to steal funds.
The Coreflood malware is programmed to request directions and commands from command and control servers routinely; if the servers do not respond, the existing malware continues to run on the victim's computer, collecting personal and financial information.
Lanny A. Breuer, assistant attorney general of the criminal division at the DOJ, said: “The actions are part of a comprehensive effort by the department to disable an international botnet, while at the same time giving consumers the ability to take necessary steps to protect themselves from this harmful malware.
“Law enforcement will continue to use innovative and responsible actions in our fight against cyber criminals and at the same time, we urge consumers to ensure they are continually taking prudent measures to guard against harm, including routinely updating anti-virus security protection.”
Noa Bar-Yosef, senior security strategist at Imperva, said that the ruling allowed the DOJ to set up an alternative command and control server to create ‘an alternate good guy server’.
Bar-Yosef said: “It can stop malware executing to bring down the mastermind of a command and control server, so now affected users can go to their internet service provider (ISP) for protection. It can alert customers to whether they have malware, how to remove it and what to do in the future.”
Aryeh Goretsky, distinguished researcher at ESET, called the seizure of the domains ‘another step in the growing awareness that crime, whether it is committed with bullets or with botnets, is still crime’.
“While not a particularly ‘sexy’ or immediately visible crime compared to botnets which engage in spam and denial-of-service, the Coreflood botnet has certainly been effective: in the complaint filed with the United States District Court in Connecticut, US Attorney David B. Fein states that losses from the botnet totalled over half-a-million dollars from just four victims. Given that Coreflood has infected over two million computers, the actual amount of dollars stolen is likely to be orders of magnitude higher,” he said.
“Where things get more interesting is in the method chosen to defang the botnet. The US Attorney is asking for authorisation to operate a substitute C&C server to take over control of the botnet, preventing its ‘rightful’ (not to mention, criminal) owners from stealing any further information from compromised computers or from sending further instructions or updates to the bot in order to regain control of it.
“There's some sense in doing this, as preventing updates to the botnet ensures that the government's industry partners have effective tools to detect and remove the bot from infected computers without having to worry about countermeasures from the botnet's criminal operators, while preventing new communications allows internet providers to monitor their networks for traffic known to be from the bot.”