Feds claim victory over Coreflood botnet

FBI shuts down anti-botnet project, says it reduced Coreflood by 95%

Federal authorities have declared victory over the Coreflood botnet and shut down the replacement server that the FBI used to issue commands to infected PCs.

The move was the final step in the two-month "Operation Adeona," an attempt to cripple the botnet that originally controlled an estimated 2.3 million compromised computers.

In mid-April, the U.S. Department of Justice (DOJ) and FBI obtained an unprecedented restraining order that allowed them to seize command-and-control (C&C) servers that managed the Coreflood botnet and replace them with a government-controlled system.

The court order also allowed the DOJ and FBI to issue commands using the replacement server that disabled Coreflood on infected PCs. Later, the FBI used the same server to uninstall the malware from 19,000 machines whose owners had given the agency their consent.

On Tuesday, the government closed the civil lawsuit when a federal judge permanently barred 10 "John Does" from operating Coreflood. Authorities did not reveal the names of the defendants.

The substitute server that had been issuing commands to the botnet has also been pulled from the case, said the FBI.

"The continued operation of the substitute server is no longer necessary, under the circumstances, to prevent the Defendants from using the Coreflood botnet in furtherance of their scheme to commit wire fraud and bank fraud and to engage in unauthorized interception of electronic communications," said FBI Special Agent Kenneth Keller in an affidavit filed June 14 with the court.

Keller said the operation had crippled the botnet.

"The size of the Coreflood botnet has been reduced by more than 95% through a combination of victim notification, coordination with Internet service providers and antivirus vendors, and the operation of the substitute server," Keller said.

The FBI had been measuring Coreflood's activity and size through "beacons," the command requests hijacked PCs sent to the government-run C&C server. On April 13, the day after the DOJ and FBI seized the Coreflood servers, the government replacement received 800,000 beacons. By June 8, the number of beacons was barely discernable on an FBI-provided chart.

Keller credited antivirus companies, which were able to distribute detection and deletion signatures when Coreflood was unable to update itself, for helping subdue the botnet.

Although he didn't call out Microsoft in his affidavit, the company also played a part in the anti-Coreflood effort.

The FBI said it had reduced the Coreflood botnet by 95% since the mid-April launch of "Operation Adeona." (Graphic: FBI.)

In April, Microsoft used its Malicious Software Removal Tool (MSRT) to bolster the Coreflood cleaning process, and took the unusual step of re-releasing an updated edition of the tool to finger variants that had appeared shortly after the government seized the botnet's C&C servers.

During May, authorities used the substitute C&C server to remotely uninstall the Coreflood malware from some infected Windows PCs. According to Keller, the FBI used the server to issue 19,000 uninstall commands to computers owned by 24 victims.

"None of [the victims] have reported any adverse or unintended consequences from the uninstall commands," Keller reported.

The FBI had previously identified state or local government agencies, airports, defense contractors, banks, universities and hospitals among the victims.

It's likely that the uninstall commands were aimed at organizations with large numbers of infected computers; on average count, each victim received 791 uninstall commands.

The FBI acknowledged that it had not been able to eradicate Coreflood. It had not been able to identify all the victims, and was not allowed to issue uninstall commands to infected computers outside the U.S.

"Under the circumstances, it does not appear that further reductions in the size of the Coreflood Botnet can be accomplished without resort to other remediation techniques, such as a 'blanket' uninstall of Coreflood," Keller said. Presumably, he meant issuing uninstall commands to all infected computers without obtaining permission from their owners.

The FBI did not ask for the authority to do that, Keller added, "given that the size of the Coreflood botnet has already been significantly reduced."

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed . His e-mail address is gkeizer@computerworld.com .

Read more about security in Computerworld's Security Topic Center.

Join the CSO newsletter!

Error: Please check your email address.

Tags U.S. Department of Justicesecurity

More about AppleDepartment of JusticeDOJFBIMicrosoftTopic

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Gregg Keizer

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place