The U.S. Department of Justice and FBI have disabled Coreflood, a decade-old botnet that’s infected more than 2 million private computers, by seizing and replacing five command and control servers and 29 domain names used by the botnet, the Department of Justice said in an April 13 press release.
Coreflood has compromised numerous victims’ bank accounts by stealing their user names, passwords and other personal financial information, the government said. The malware is designed to record keystrokes and control a victim’s computer remotely via one of its command and control servers.
Targeted accounts include payment cards serviced by credit unions, Dell SecureWorks Director of Threat Intelligence Don Jackson said. He added that Coreflood operators also reached members of some credit unions by infecting the machines of the companies and organizations those credit unions were chartered to serve.
The U.S. Attorney’s Office for the District of Connecticut filed a civil complaint dated April 11 against 13 "John Doe" defendants alleging that they had committed "wire fraud, bank fraud and illegal interception of electronic communications" and obtained a temporary restraining order to seize Coreflood, the statement read.
The temporary restraining order, which the FBI New Haven Field Office posted on its website, allows U.S. authorities to send each infected computer a command that will shut off the malware’s operations. It also gave officials permission to set up a replacement server at Internet hosting provider Internet Systems Consortium from which they could execute the stop commands.
The first-of-its-kind government move follows last fall's major bust in New York of account-raiding cyber thieves, who were arrested for using the Zeus Trojan to steal at least $3 million from bank accounts.
"The actions announced today are part of a comprehensive effort by the department to disable an international botnet, while at the same time giving consumers the ability to take necessary steps to protect themselves from this harmful malware," Assistant Attorney General Lanny A. Breuer of the Criminal Division said in the statement.
The government promised that the Coreflood intervention would not compromise infected computer users’ private information, stating, "At no time will law enforcement authorities access any information that may be stored on an affected computer."
Officials also said that users would be able to opt out of the remedy authorized by the temporary restraining order should they wish, for some reason, to continue running Coreflood on their computers.
Jackson said many experts agree the government takedown was successful and well thought-out, and that it set an example for a promising new response model.
"All options regarding the interaction with infected computers were carefully analyzed for possible unintended consequences, and sound decisions were made to protect the owners and users at all cost," Jackson said. "Evidence suggests that the same inscrutable attention to detail was given to legal and political issues as well, not just the technical ones."
He explained that Coreflood operators affected credit unions by stealing data from companies and organizations with a large number of employees belonging to the same credit union.
"Let’s say a credit union is chartered to serve telephone company employees and the office network inside the telephone company headquarters, staffed by 5,000 credit union members, is infected by Coreflood," Jackson said by way of example. "That credit union is likely to be disproportionately affected by related fraud."