Feds Take Down “Botnet”

Federal agents working out of their downtown New Haven office have cracked a malicious software ring that has infected over 2 million computers worldwide, using “command and control” servers to create a “Coreflood botnet.”

It was part of a massive fraud ring that stole personal and financial data and bank funds, according to the U.S. Department of Justice.

A Wednesday press release from the Department of Justice and the FBI announced a civil complaint against 13 “John Does” involved in the case, along with the execution of criminal seizure warrants and the issuance of a temporary restraining order. The release called it the “most complete and comprehensive enforcement action ever taken by U.S. authorities to disable an international botnet.”

A botnet is a collection of computers that have been taken over by a hacker and are controlled remotely. In this case, according to feds, the perpetrators created a botnet of hundreds of thousands of computers infected with a software called Coreflood. It’s a program that exploits a weakness in the Microsoft Windows operating system to control computers remotely. The program can log user keystrokes to steal passwords and personal data.

Wednesday’s release “strongly encouraged” people to make sure they are using security software that is regularly updated, and that they are regularly scanning their computers for viruses. The release listed two websites with more information on how to protect your computer.

The Connecticut U.S. Attorney’s office has brought the complaint against the 13 unnamed defendants. They are accused of wire fraud, bank fraud, and illegal interception of electronic communications.

“In addition, search warrants were obtained for computer servers throughout the country, and a seizure warrant was obtained in U.S. District Court for the District of Connecticut for 29 domain names,” the release states. “Finally, the government obtained a temporary restraining order (TRO), authorizing the government to respond to signals sent from infected computers in the United States in order to stop the Coreflood software from running, thereby preventing further harm to hundreds of thousands of unsuspecting users of infected computers in the United States.”

When Coreflood infects a computer, it turns it into a “bot” without the user’s knowledge. The computer can then be controlled remotely by a “command and control server.” An infected computer is programmed to check in with the command and control servers and request instructions, and through that same channel the Coreflood software itself can be updated to outpace anti-virus programs.
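Because a bot checks in with its command and control server on a schedule, the defender’s side of this mechanism is beacon detection: outbound connections from an infected host to its controller are spaced far more regularly than ordinary browsing. The script below is an added example, not code from the article or from the Department of Justice release; it groups connections from a constructed proxy log by client and destination, measures how evenly the check-ins are spaced, and flags the pairs that look scheduled. The log format, the host names (`c2.example.invalid`, `news.example.invalid`) and the thresholds are assumptions for the demonstration.

```python
"""Beacon detection over constructed proxy log lines.

Added example (not from the DOJ release or the article): an infected host polls
its command-and-control server on a timer, so the gaps between its outbound
connections have a low coefficient of variation. Group connections per
(client, destination) pair, measure that spread, and flag regular check-ins.
The log format, host names and thresholds are assumptions for the demo.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample in "timestamp client destination" form. 10.0.0.7 checks
# in with c2.example.invalid every ~300 s with a few seconds of jitter, while
# 10.0.0.9 visits news.example.invalid at irregular, human-looking intervals.
SAMPLE_LOG = """\
2011-04-13T08:00:00 10.0.0.7 c2.example.invalid
2011-04-13T08:05:02 10.0.0.7 c2.example.invalid
2011-04-13T08:09:59 10.0.0.7 c2.example.invalid
2011-04-13T08:15:01 10.0.0.7 c2.example.invalid
2011-04-13T08:20:00 10.0.0.7 c2.example.invalid
2011-04-13T08:24:58 10.0.0.7 c2.example.invalid
2011-04-13T08:00:10 10.0.0.9 news.example.invalid
2011-04-13T08:00:40 10.0.0.9 news.example.invalid
2011-04-13T08:07:15 10.0.0.9 news.example.invalid
2011-04-13T08:31:00 10.0.0.9 news.example.invalid
2011-04-13T08:32:05 10.0.0.9 news.example.invalid
2011-04-13T09:10:00 10.0.0.9 news.example.invalid
"""


def parse_log(text):
    """Return {(client, destination): [datetime, ...]} from the constructed format."""
    conns = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, dest = line.split()
        conns[(client, dest)].append(datetime.fromisoformat(ts))
    return conns


def intervals(timestamps):
    """Seconds between consecutive connections, in time order."""
    ts = sorted(timestamps)
    return [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]


def beacon_score(timestamps):
    """Coefficient of variation of the inter-connection gaps (lower = more regular).

    Returns None when fewer than two gaps exist or the gaps are all zero, since
    regularity cannot be judged from that.
    """
    gaps = intervals(timestamps)
    if len(gaps) < 2:
        return None
    avg = mean(gaps)
    if avg == 0:
        return None
    return pstdev(gaps) / avg


def find_beacons(text, min_connections=5, max_cv=0.1):
    """Flag (client, destination) pairs with enough connections and regular spacing.

    Returns a sorted list of (client, destination, mean_gap_seconds, cv).
    min_connections keeps one-off visits out; max_cv is the regularity cut-off.
    Both thresholds are assumptions and should be tuned against real traffic.
    """
    hits = []
    for (client, dest), stamps in parse_log(text).items():
        if len(stamps) < min_connections:
            continue
        cv = beacon_score(stamps)
        if cv is not None and cv <= max_cv:
            hits.append((client, dest, round(mean(intervals(stamps)), 1), round(cv, 3)))
    return sorted(hits)


if __name__ == "__main__":
    for client, dest, gap, cv in find_beacons(SAMPLE_LOG):
        print(f"{client} -> {dest}: roughly every {gap}s (cv={cv})")
```

On the constructed sample only the 10.0.0.7 to c2.example.invalid pair is reported. Real C2 software adds deliberate jitter and long sleeps, so in practice the regularity threshold is paired with other signals (rare destination, tiny fixed-size responses, off-hours activity) rather than used alone.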

Coreflood can be used to steal usernames, passwords, and other personal and financial information. The 13 unnamed defendants allegedly used this information to steal funds from bank accounts. “They have stolen money from bank accounts in Michigan, North Carolina, South Carolina, Tennessee, and probably many others,” states a memo of law accompanying the press release.

The group of computers controlled by Coreflood is known as the “Coreflood botnet.” Investigators believe the Coreflood botnet has been operating for almost 10 years and has infected over two million computers worldwide. Feds estimate that the defendants have infected over a million computers in the U.S., including thousands in Connecticut.

On Wednesday federal agents seized five command and control servers that were remotely controlling hundreds of thousands of Coreflood-infected computers. The servers were replaced with government computers that will answer the bots’ check-ins with commands that temporarily stop Coreflood from running on infected computers. The press release states that this does not guarantee that Coreflood has been removed from the internet entirely. The best defense against malicious botnets is regularly updated anti-virus software, according to the release.

posted by: J Gehrer on April 14, 2011  9:11am

Yet another reason to dump windoze and upgrade to a Mac…

posted by: Edison on April 14, 2011  1:19pm

@J Gehrer At every hacking conference Macs are always the first to get compromised. You Mac users don’t get as much malware simply because you’re such a small user base that it’s not worth the time and expense for malware authors to write malware for your machines. “Security through Obscurity” is the motto of Mac fanbois. It happens to work, at least for now.

I remove malware as part of my job and lately I’ve seen a rootkit named TSS rear its ugly head. It allows a remote user to completely control a computer. After going through the log files, I’ve seen where the bad guys used a machine for a DDoS attack, logged keystrokes and finally securely deleted the user files, then trashed the OS.

posted by: J. Gehrer on April 14, 2011  3:19pm

I understand your point, Edison, but I have never heard of anyone I know getting any malware, viruses, and trojans on their Macs.
I use a router, update my software, am careful what I download, and don’t go to hacker conferences.
Maybe someday Mac users will have to use additional security s/w, but in the meantime, while my PC-using associates waste endless hours trading emails on the latest virus threat and re-installing their operating systems, I’ll continue to get actual work done.

posted by: Edison on April 14, 2011  3:47pm

Hey J Gehrer, have your PC friends get Kaspersky Internet Security installed on their machines and they should not have any more problems with malware. It is the best and most comprehensive anti-malware suite available.
It’s also available for the Mac platform & you might want to consider getting it, or another anti-malware program as Macs are getting infected. Not as much as PCs but the danger is there and is growing.
A router tip for everyone: make sure access to your router is password protected.
Do not use the default password.
I have seen several instances of routers having the DNS changed so that all traffic passes through a phantom DNS, thus redirecting the user to pages that look just like PayPal, eBay, their bank, etc.
The user logs on to one of these fake sites and their login info ends up being sold to the highest bidder.
Note this happens outside of the computer and there’s no anti-malware software that can protect you.
Also, be sure to encrypt your wireless connection. The routers in the above scenario were hacked by someone that sat in their car and used their laptop to access an un-protected wireless network.

posted by: Elli Davis on April 18, 2011  2:14pm

Very nice haul by the government. 500 gigabytes of stolen data, that’s not something you get back every day.

As Mr. Fried said “We finally saw exactly how effective law enforcement and our judicial system can be when they attack problems using strategic rather than political methods” in other words - YOU DID SOMETHING AT LAST!