United States News
Title: With Court Order, FBI Hijacks 'Coreflood' Botnet, Sends Kill Signal

In an extraordinary intervention, the Justice Department has sought and won permission from a federal judge to seize control of a massive criminal botnet comprising millions of private computers, and deliver a command to those computers to disable the malicious software.

The request, filed Tuesday under seal in the U.S. District Court in Connecticut, sought a temporary restraining order to allow the nonprofit Internet Systems Consortium, or ISC, to swap out command-and-control servers that were communicating with machines infected with Coreflood, malicious software used by computer criminals to loot victims' bank accounts.

According to the filing, ISC, under law enforcement supervision, planned to replace the servers with servers that it controlled, then collect the IP addresses of all infected machines communicating with the criminal servers, and send a remote "stop" command to infected machines to disable the Coreflood malware operating on them.

A Justice Department spokeswoman confirmed that the takeover occurred Tuesday evening, and the shutdown command was sent to infected computers based in the United States.

"Under the authority granted by the court in the TRO, we have responded to requests from infected computers in the United States with a command that temporarily stops the malware from running on the infected computers," spokeswoman Laura Sweeney wrote in an e-mail.

A separate court filing Tuesday afternoon (.pdf) indicated that the FBI's New Haven office is behind the operation. In that filing, authorities informed the court that a new variant of Coreflood had been released by criminals Tuesday morning, but that the FBI had tested the kill command against that variant and it had worked successfully.

According to the filing, Coreflood is designed to run whenever an infected computer is rebooted. Therefore the intervention software designed to disable Coreflood has to resend the disable command after every reboot, until the victim removes the malware from his system. The government assured the court, however, that this would cause no harm to computers.

"Based upon technical evaluation and testing, the Government assesses that the command sent to the Coreflood software to stop running will not cause any damage to the victim computers on which the Coreflood software is present, nor will it allow the Government to examine or copy the contents of the victim computers in any fashion," the government wrote in its request.

The government also insisted in the request that neither the replacement servers nor the trap-and-trace device it would use to collect the IP addresses of infected machines would acquire the content of any communications on infected machines. "Should the Government inadvertently acquire the content of any communication, it will destroy such communication upon recognition," the government asserted.

In her decision granting the restraining order, U.S. District Judge Vanessa Bryant wrote: "Allowing Coreflood to continue running on the infected computers will cause a continuing and substantial injury to the owners and users of the infected computers, exposing them to a loss of privacy and an increased risk of further computer intrusions."

In conjunction with the move, the government planned to provide the IP addresses of infected computers to ISPs around the country to notify customers that they're infected, and Microsoft was planning to release an update to its free Malicious Software Removal Tool on Tuesday to remove Coreflood from infected computers.

According to the government, this is the first case in the United States in which authorities have swapped out criminal servers for government servers in order to intercept communications between infected systems and the servers controlling them. The court filing notes that Dutch law enforcement used the same approach last year to disable the Bredolab botnet. In that case, Dutch authorities remotely installed and executed a program on infected machines to notify users that their systems were infected.

"These actions to mitigate the threat posed by the Coreflood botnet are the first of their kind in the United States and reflect our commitment to being creative and proactive in making the internet more secure," said Shawn Henry, executive assistant director of the FBI's Criminal, Cyber, Response and Services Branch, in a press release.

Not everyone, however, is convinced the government's proactive move is positive and without risk.

"Even if we could absolutely be sure that all of the infected Coreflood botnet machines were running the exact code that we reverse-engineered and convinced ourselves that we understood," said Chris Palmer, technology director for the Electronic Frontier Foundation, "this would still be an extremely sketchy action to take. It's other people's computers and you don't know what's going to happen for sure. You might blow up some important machine."

Coreflood has been around for nearly a decade infecting machines and is designed to log keystrokes to harvest usernames and passwords as well as financial information in order to steal funds. According to the government, between March 2009 and January 2010, one Coreflood command-and-control server held about 190 gigabytes of data stolen from more than 400,000 victim computers. The server controlled more than 2 million machines.

The botnet allowed criminals to loot $115,000 from the account of a real estate company in Michigan, according to the filing, as well as $78,000 from a South Carolina law firm.
#2. To: A K A Stone (#0)
(Edited)
Though this action has interrupted the botnet for the time being, Rustock isn't quite dead and buried yet. The million or so infected machines remain in that state, with their owners most likely oblivious. Should the command and control servers be recommissioned, the now-dormant network will be able to spring back into life. The success of Microsoft's action depends on keeping the domain names and IP addresses down until the victim machines can be cleaned up. With Waledac the company obtained a permanent injunction, giving it permanent ownership of the domain names that botnet used to find command and control servers. A similar result with Rustock will result in long-term disruption of the network.

Disinfection is the bigger problem, however. By its very nature, botnet malware strives to be hard to detect. Users who don't know that they've been infected won't attempt to disinfect their machines, with only natural attrition and replacement likely to see them disconnected from the Internet; by way of comparison, the number of Waledac machines has dropped from around 80,000 to around 20,000 in the year since that network was taken down. This inability to resolve the infections makes it all the more important that the command and control systems remain inoperable.

The victories against the botnets are certainly welcome. Spam wastes the time, disk space, bandwidth, and money of everyone affected, and killing the botnets responsible for such a large proportion of spam undoubtedly benefits the Internet. But it remains an uphill struggle for the good guys, with plenty of other botnets out there to fill our inboxes with what is at best drivel, and at worst outright dangerous.

Edit: Forgot the link, I can find it if necessary.
#4. To: Tater, Murron (#2)
The idea of the Government basically sending commands to all these machines sounds like a slippery slope.