U.S. shutters botnet, can disable malware remotely

Lawsuit, seizures, and other court actions are part of the "most complete and comprehensive enforcement action ever" against a botnet in the U.S.

Elinor Mills Former Staff Writer
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.

By seizing servers and domain names and getting permission to remotely turn off malware on compromised PCs, U.S. officials have disabled a botnet that steals data from infected computers.

The legal actions are part of the "most complete and comprehensive enforcement action ever taken by U.S. authorities to disable an international botnet," according to a statement from the Department of Justice. A botnet is a group of computers that have been compromised and are being remotely controlled by attackers, typically to send spam or attack other computers.

It's the first time law enforcement in the U.S. has requested permission from a court to take control of a botnet, according to a request for a temporary restraining order that was granted. Similar action was taken by Dutch officials who downloaded "good" software to computers infected with Bredolab botnet malware, the filing said.

In this case the malware, called "Coreflood," records keystrokes and private communications, enabling it to steal usernames, passwords, and other private personal and financial information. Once a computer is infected with Coreflood, the malware communicates with a command-and-control server, allowing the attackers to remotely control the compromised computer. The botnet is believed to have infected more than 2 million Windows-based computers worldwide in nearly 10 years.

Prosecutors allege that data stolen by the malware has been used to steal funds from victims' accounts. In at least one case, the malware enabled attackers to take over an online banking session a victim was in the middle of and transfer money to a foreign account, according to court filings.

The U.S. Attorney's office in the district of Connecticut has filed a civil complaint against 13 "John Doe," or unknown, defendants accusing them of wire fraud, bank fraud, and illegal interception of electronic communications. To shut down the botnet and stop it from spreading further, the Justice Department seized five command-and-control servers and 29 domain names used by the bots to communicate with the servers.

To put a halt to the botnet's damage to already infected computers, officials have obtained a temporary restraining order authorizing them to replace the seized servers with their own and use them to respond to signals sent from hundreds of thousands of compromised computers in the U.S. This will allow authorities to send commands to the infected computers that stop the malware from running, preventing attackers from updating the malware and giving victimized computers time to update their virus signatures.

Officials also are working with Internet Service Providers to identify owners of the compromised computers based on their IP addresses and warn them about the potential for fraud because of the malware on the machines. Computer owners will be told how to "opt out" if they do not want officials to stop the malware from running on their machines. "At no time will law enforcement authorities access any information that may be stored on an infected computer," the statement said.
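The two steps just described, a substitute command-and-control server answering bot check-ins with a "stop" command while honoring opt-outs, and grouping the infected IP addresses by provider so ISPs can warn customers, can be sketched in code. The block below is an added illustration, not code from the Coreflood operation, the Internet Systems Consortium, or the court filings; the beacon log format, the ISP prefix table, and the "stop"/"noop" command names are all constructed assumptions, since the article does not describe the malware's wire protocol. It reads only connection metadata and never inspects any data a bot might send, matching the statement that stored information on infected machines is not accessed.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed sample of a sinkhole beacon log (timestamp, source IP,
# opaque bot identifier). The real Coreflood check-in format is not
# described in the article; this layout is an assumption.
SINKHOLE_LOG = """\
2011-04-13T17:02:11Z 203.0.113.17 bot=a1f3
2011-04-13T17:02:15Z 198.51.100.9 bot=77c0
2011-04-13T17:03:40Z 203.0.113.17 bot=a1f3
2011-04-13T17:04:02Z 203.0.113.88 bot=0be9
2011-04-13T17:05:19Z 192.0.2.44 bot=5d21
"""

# Constructed ISP prefix table used to route victim notifications (assumption).
ISP_PREFIXES = {
    ipaddress.ip_network("203.0.113.0/24"): "ExampleNet ISP",
    ipaddress.ip_network("198.51.100.0/24"): "SampleCable",
}

# Owners who told officials they do not want the malware stopped remotely.
OPT_OUT = {ipaddress.ip_address("203.0.113.88")}


def parse_beacons(log_text):
    """Parse beacon lines into (time, ip, bot_id). Only connection
    metadata is read; any payload a bot sends is never inspected."""
    beacons = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, bot = line.split()
        beacons.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                        ipaddress.ip_address(ip),
                        bot.split("=", 1)[1]))
    return beacons


def reply_for(ip):
    """Command the substitute server returns to a beacon from `ip`:
    'stop' tells the bot to exit; opted-out hosts get a no-op, so the
    malware is left alone but its C2 channel still ends at the sinkhole."""
    return "noop" if ip in OPT_OUT else "stop"


def isp_for(ip):
    """Map an address to the provider that can contact its owner."""
    for net, name in ISP_PREFIXES.items():
        if ip in net:
            return name
    return "unknown"


def notification_lists(beacons):
    """Group distinct infected IPs by ISP. Counts distinct hosts rather
    than beacon volume, since one bot checks in repeatedly."""
    by_isp = defaultdict(set)
    for _, ip, _ in beacons:
        by_isp[isp_for(ip)].add(ip)
    return {isp: sorted(str(ip) for ip in ips) for isp, ips in by_isp.items()}


def summarize(log_text):
    """Distinct host count, the reply each beaconing host would get,
    and the per-ISP notification lists."""
    beacons = parse_beacons(log_text)
    replies = {str(ip): reply_for(ip) for _, ip, _ in beacons}
    return {"distinct_hosts": len({ip for _, ip, _ in beacons}),
            "replies": replies,
            "notify": notification_lists(beacons)}


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(SINKHOLE_LOG), indent=2))
```

Run as a script it prints the summary for the constructed log: four distinct infected hosts, the opted-out host receiving "noop" while the others receive "stop", and a notification list per provider, with the address that matches no known prefix left for manual follow-up.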

"Allowing Coreflood to continue running on the infected computers will cause a continuing and substantial injury to the owners and users of the infected computers, exposing them to a loss of privacy and an increased risk of further computer intrusions," Judge Vanessa Bryant wrote in her decision granting the temporary restraining order.

The substitute command-and-control server will be operated by the nonprofit Internet Systems Consortium under law enforcement supervision, according to court documents. Microsoft, meanwhile, was expected to update its Malicious Software Removal Tool yesterday to remove Coreflood from infected computers, according to a filing dated yesterday.

While the actions have disabled Coreflood in its current form, other variants of the malware could still be lurking on the Internet, officials said.

From March 2009 through January 2010, one Coreflood server had about 190 gigabytes of data from 413,710 infected computers, the court filing shows. Of known victims, a real estate company in Michigan was defrauded out of $115,771; a law firm in South Carolina lost $78,421; an investment company in North Carolina lost $151,201; and a defense contractor in Tennessee lost $241,866, but nearly lost $934,528 in attempted wire transfers, the document says.

The Justice Department is working with the FBI, the U.S. Marshals Service, and the U.S. Attorney's office in Connecticut with help from Microsoft and the Internet Systems Consortium.

Updated April 14 at 10:18 a.m. PT to correct amount defense contractor lost; April 13 at 6:25 p.m. PT with quote from judge; and 5 p.m. PT with more details from court filing.