Federal agents working out of their downtown New Haven office have cracked a malicious software ring that infected more than 2 million computers worldwide, using “command and control” servers to build what investigators call the “Coreflood botnet.”
It was part of a massive fraud ring that stole personal and financial data and bank funds, according to the U.S. Department of Justice.
A Wednesday press release from the Department of Justice and the FBI announced a civil complaint against 13 “John Does” involved in the case, along with the execution of criminal seizure warrants and the issuance of a temporary restraining order. The release called it the “most complete and comprehensive enforcement action ever taken by U.S. authorities to disable an international botnet.”
A botnet is a collection of computers that have been taken over by a hacker and are controlled remotely. In this case, according to the feds, the perpetrators created a botnet of hundreds of thousands of computers infected with software called Coreflood. It’s a program that exploits a weakness in the Microsoft Windows operating system to control computers remotely, and it can log the user’s keystrokes to steal passwords and personal data.
Wednesday’s release “strongly encouraged” people to make sure they are using security software that’s regularly updated, and that they are regularly scanning their computers for viruses. The release listed two websites with more information on how to protect your computer.
The Connecticut U.S. Attorney’s office has brought the complaint against the 13 unnamed defendants. They are accused of wire fraud, bank fraud, and illegal interception of electronic communications.
“In addition, search warrants were obtained for computer servers throughout the country, and a seizure warrant was obtained in U.S. District Court for the District of Connecticut for 29 domain names,” the release states. “Finally, the government obtained a temporary restraining order (TRO), authorizing the government to respond to signals sent from infected computers in the United States in order to stop the Coreflood software from running, thereby preventing further harm to hundreds of thousands of unsuspecting users of infected computers in the United States.”
When Coreflood infects computers, it turns them into “bots,” without the user’s knowledge. The computer can then be controlled remotely by a “command and control server.” An infected computer is programmed to request commands from command and control servers, and the Coreflood software can thereby be updated to outpace anti-virus programs.
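The polling behavior described above, an infected machine repeatedly asking a command and control server for instructions, is also what gives a network defender something to look for. The following Python script is an added example, not code from the article or from the DOJ/FBI release: it scans web-proxy log lines for a client that contacts the same host at near-constant intervals, which is how a bot checking in for commands looks next to ordinary browsing. The log lines are constructed for this example, and the hostnames, the ten-minute interval and the jitter threshold are assumptions, not details of the real Coreflood botnet.

```python
"""Added example (not from the article or the DOJ/FBI release): a small
beacon-interval detector for the kind of regular command polling the
article describes.  Every log line, hostname, interval and threshold below
is constructed for this example and is not a detail of the real Coreflood botnet."""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy log lines: "<ISO timestamp> <client_ip> <host> <path>".
# 10.0.0.5 polls an assumed C2 host roughly every 600 seconds; 10.0.0.7 browses normally.
SAMPLE_LOG = """\
2011-04-13T08:00:00 10.0.0.5 update.example-c2.invalid /cmd
2011-04-13T08:00:02 10.0.0.7 www.example.com /index.html
2011-04-13T08:10:01 10.0.0.5 update.example-c2.invalid /cmd
2011-04-13T08:14:30 10.0.0.7 www.example.com /news
2011-04-13T08:20:00 10.0.0.5 update.example-c2.invalid /cmd
2011-04-13T08:29:59 10.0.0.5 update.example-c2.invalid /cmd
2011-04-13T08:40:01 10.0.0.5 update.example-c2.invalid /cmd
2011-04-13T08:41:10 10.0.0.7 www.example.com /about
2011-04-13T08:50:00 10.0.0.5 update.example-c2.invalid /cmd
2011-04-13T09:00:00 10.0.0.5 update.example-c2.invalid /cmd
2011-04-13T09:05:00 10.0.0.7 www.example.com /index.html
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def parse_log(text):
    """Yield (timestamp, client_ip, host) tuples, skipping malformed lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)


def find_beacons(text, min_requests=5, max_jitter=0.10):
    """Return {(client_ip, host): median_gap_seconds} for client/host pairs
    whose requests are spaced almost evenly.  Jitter is the coefficient of
    variation (population stdev / mean) of the inter-request gaps; people
    browse irregularly, so a low jitter over enough requests is the signal."""
    seen = defaultdict(list)
    for ts, ip, host in parse_log(text):
        seen[(ip, host)].append(ts)

    hits = {}
    for key, times in seen.items():
        if len(times) < min_requests:
            continue  # too few requests to call it a pattern
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue  # duplicate timestamps; nothing to measure
        jitter = statistics.pstdev(gaps) / mean
        if jitter <= max_jitter:
            hits[key] = statistics.median(gaps)
    return hits


if __name__ == "__main__":
    for (ip, host), interval in find_beacons(SAMPLE_LOG).items():
        print(f"{ip} polls {host} about every {interval:.0f}s")
```

Run against the constructed log, only the 10.0.0.5 to update.example-c2.invalid pair is reported, at roughly 600 seconds; the browsing host is excluded both because it makes too few requests and because its gaps vary too much. On real proxy data the thresholds need tuning, and legitimate software updaters also poll on a schedule, so a hit is a lead to triage, not a verdict.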
Coreflood can be used to steal usernames, passwords, and other personal and financial information. The 13 unnamed defendants allegedly used this information to steal funds from bank accounts. “They have stolen money from bank accounts in Michigan, North Carolina, South Carolina, Tennessee, and probably many others,” states a memo of law accompanying the press release.
The group of computers controlled by Coreflood is known as the “Coreflood botnet.” Investigators believe the Coreflood botnet has been operating for almost 10 years and has infected over two million computers worldwide. Feds estimate that the defendants have infected over a million computers in the U.S., including thousands in Connecticut.
On Wednesday federal agents seized five command and control servers that were remotely controlling hundreds of thousands of Coreflood-infected computers. The servers were replaced with government computers that will send commands that temporarily stop Coreflood from running on infected computers. The press release states that this does not guarantee that Coreflood has been removed from the internet entirely. The best defense against malicious botnets is regularly updated anti-virus software, according to the release.