FBI Hijacks ‘Coreflood’ Botnet, Sends Kill Signal


By Kim Zetter
Wired.com

In an extraordinary intervention, the Justice Department has sought and won permission from a federal judge to seize control of a massive criminal botnet comprised of millions of private computers, and deliver a command to those computers to disable the malicious software.

The request, filed Tuesday under seal in the U.S. District Court in Connecticut, sought a temporary restraining order to allow the non-profit Internet Systems Consortium to swap out command-and-control servers that were communicating with machines infected with Coreflood — malicious software used by computer criminals to loot victims’ bank accounts.

According to the filing, ISC, under law enforcement supervision, planned to replace the servers with servers that it controlled, then collect the IP addresses of all infected machines communicating with the criminal servers, and send a remote “stop” command to infected machines to disable the Coreflood malware operating on them.

A Justice Department spokeswoman confirmed that the takeover occurred Tuesday evening, and the shutdown command was sent to infected computers based in the U.S.

“Under the authority granted by the court in the TRO, we have responded to requests from infected computers in the United States with a command that temporarily stops the malware from running on the infected computers,” wrote spokeswoman Laura Sweeney in an e-mail.

A separate court filing Tuesday afternoon indicated that the FBI’s New Haven office is behind the operation. In that filing, authorities informed the court that a new variant of Coreflood had been released by criminals Tuesday morning, but that the FBI had tested the kill command against that variant and it had worked successfully.

According to the filing, Coreflood is designed to run whenever an infected computer is rebooted. Therefore the intervention software designed to disable Coreflood has to resend the disable command after every reboot, until the victim removes the malware from his system. The government assured the court, however, that this would cause no harm to computers.

“Based upon technical evaluation and testing, the Government assesses that the command sent to the Coreflood software to stop running will not cause any damage to the victim computers on which the Coreflood software is present, nor will it allow the Government to examine or copy the contents of the victim computers in any fashion,” the government wrote in its request.

The government also insisted in the request that neither the replacement servers nor the trap-and-trace device it would use to collect the IP addresses of infected machines would “acquire the content of any communications” on infected machines.

“Should the Government inadvertently acquire the content of any communication, it will destroy such communication upon recognition,” the government asserted.

In her decision granting the restraining order, U.S. District Judge Vanessa Bryant wrote that, “Allowing Coreflood to continue running on the infected computers will cause a continuing and substantial injury to the owners and users of the infected computers, exposing them to a loss of privacy and an increased risk of further computer intrusions.”

In conjunction with the move, the government planned to provide the IP addresses of infected computers to ISPs around the country to notify customers that they’re infected, and Microsoft planned to release an update to its free Malicious Software Removal Tool on Tuesday to remove Coreflood from infected computers.

According to the government, this is the first case in the U.S. in which authorities have swapped out criminal servers for government servers in order to intercept communications between infected systems and the servers controlling them. The court filing notes that Dutch law enforcement used the same approach last year in order to disable the Bredolab botnet. In that case, Dutch authorities remotely installed and executed a program on infected machines to notify users that their systems were infected.

“These actions to mitigate the threat posed by the Coreflood botnet are the first of their kind in the United States and reflect our commitment to being creative and proactive in making the internet more secure,” said Shawn Henry, executive assistant director of the FBI’s Criminal, Cyber, Response and Services Branch, in a press release.

Not everyone, however, is convinced the government’s proactive move is positive and without risk.

“Even if we could absolutely be sure that all of the infected Coreflood botnet machines were running the exact code that we reverse-engineered and convinced ourselves that we understood,” said Chris Palmer, technology director for the Electronic Frontier Foundation, “this would still be an extremely sketchy action to take. It’s other people’s computers and you don’t know what’s going to happen for sure. You might blow up some important machine.”

Coreflood has been around for nearly a decade infecting machines and is designed to log keystrokes to harvest usernames and passwords as well as financial information in order to steal funds.

According to the government, between March 2009 and January 2010, one Coreflood command-and-control server held about 190 gigabytes of data stolen from more than 400,000 victim computers. The server controlled more than 2 million machines.

The botnet allowed criminals to loot $115,000 from the account of a real estate company in Michigan, according to the filing, as well as $78,000 from a South Carolina law firm.

UPDATED 4:30pm: With information about the late-afternoon filing from the government, and with comment from EFF.

Posted on April 14th 2011 in Hacks, Security, Technology
