U.S. Authorities Pull the Plug on Major Botnet, 2 Million Zombie PCs Rejoice (Sort Of)

If the US government’s recent actions are any indication, things are fiercely heating up in the ongoing war against spam. Mere weeks ago, Microsoft, with the aid of the US Marshall Service and a Federal warrant, took down the Rustock botnet, and in the past few weeks we’ve seen a decline in the number of spam emails by a third (supposedly – read to the end to get my take on things). Less than a month after Rustock went dark, US Federal prosecutors and the US Department of Justice have struck another blow for (what else?) justice.

On April 13th, the US Department of Justice and Federal Bureau of Investigation announced that they have disabled an international botnet infecting more than 2 million computers responsible for the theft of corporate data, user account details and financial information. The DoJ issued a press release detailing their takedown of Coreflood, malicious code that exploits security vulnerability in Windows operating systems. From the FBI website: “Coreflood allows infected computers to be controlled remotely for the purpose of stealing private personal and financial information from unsuspecting computer users, including users on corporate computer networks, and using that information to steal funds.”

Coreflood, according to court filings, is a nasty piece of malicious code that records keystrokes and monitors private communications. Once a computer has been infected, it becomes part of the botnet, which is remotely controlled by Coreflood’s C & C servers. The Coreflood botnet is believed to have been operating for nearly a decade, infecting more than two million computers around the world. The malware then steals user names, passwords and other private information, “allegedly used by the defendants for a variety of criminal purposes, including stealing funds from the compromised accounts,” the DoJ press release reports. Court filings released by the DoJ describe one example where Coreflood was able to take over an online banking session and fraudulently transfer funds into a foreign account by monitoring Internet communications between a user and the user’s bank.

In order to effect the takedown, the US Attorney’s office for the District of Connecticut filed a civil complaint against 13 ‘John Doe’ (i.e., unnamed) defendants and executed criminal seizure warrants along with a temporary restraining order, all of which comprise, “part of the most complete and comprehensive enforcement action ever taken by U.S authorities to disable an international botnet,” according to the government’s website. The complaint filed by the DoJ alleged that the defendants engaged in wire fraud, bank fraud and the illegal interception of electronic communications.

In addition to the civil complaint filed with the U.S. District Court for the District of Connecticut, the FBI seized five command and control servers scattered across the country and 29 domain names used by Coreflood. According to the DoJ, the TRO, authorized the government, “to respond to signals sent from infected computers in the United States in order to stop the Coreflood software from running, thereby preventing further harm to hundreds of thousands of unsuspecting users of infected computers in the United States.” The FBI also established 5 sinkhole servers to control the flow previously handled by Coreflood. All this action hasn’t removed the malicious code from the zombie computers, a daunting task that the FBI admits will take time and cooperation from those infected. Along with participating Internet Service Providers, the DoJ and FBI will be notifying infected users in order to help clean the infection.

Oddly enough, the government press release also states that, “identified owners of infected computers will also be told how to “opt out” from the TRO, if for some strange reason infected owners want to keep Coreflood running on their computers.” For the paranoid who don’t particularly relish the idea of having the federal government poking around inside their computers, the DoJ provided an assurance that, “at no time will law enforcement authorities access any information that may be stored on an infected computer.”

The bad news is that, as of the writing of this article, the FBI’s offer to help infected users only applies to PCs in the US, so international users are out of luck. The DoJ press release does point to a US Computer Emergency Response Team (US-CERT) information site which provides detail on Coreflood and the Microsoft updates required to immunize against the malware.

“The seizure of the Coreflood servers and Internet domain names is expected to prevent criminals from using Coreflood or computers infected by Coreflood for their nefarious purposes,” stated US Attorney David B. Fein of the District of Connecticut, where the complaint was filed.  “I want to commend our industry partners for their collaboration with law enforcement to achieve this great result.”

So, chalk up another victory for the good guys, right? Maybe, but even with the recent takedown of Rustock and now the malicious botnet known as Coreflood, it seems like there is much more work to be done. I don’t know if it’s coincidence or not, but since my recent article on how spam has been reported to be significantly reduced since Microsoft took out Rustock, the spam arriving in my inbox seems to have increased. Significantly. I’d certainly be interested in hearing anyone else’s recent experience. Are these good news stories and affirmative action reason to be optimistic, or are law enforcement agencies only sticking their fingers in one hole in the dike, only to see two more holes spring up elsewhere?

Written by Malcolm James


  1. Steve Drexler · April 20, 2011

    It varies for me. I have two separate email accounts, one of which has seen a decrease in spam, and the other has spiked sharply upwards in terms of frequency and complexity. I think it just depends which groups are doing the spamming, and what ties you may have acquired with them, but I am definitely feeling an effect.

  2. Jamie Campbell · April 23, 2011

    That’s interesting. I’m seeing an increase in one account in particular, the one I use when I don’t want to give out an email address but have to in order to sign up. I suppose that shouldn’t be a surprise, but the spike in spam has been dramatic over the past couple of weeks, and that does seem unusual.

Leave A Reply