Shutting down a botnet, US Government disables Coreflood

A number of factors have attributed to the rise of the botnet. Firstly the small time bad guys realised that there was money to be made from stealing passwords, key logging credit card details and identity theft.

Soon after the big time bad guys realised the small guys were getting rich without having to leave their bedrooms, and in weighing up the risks robbing banks or dealing drugs against computer crime, they came to the conclusion that they were unlikely to be killed in a firearms skirmish when distributing malware. And it was easier.

Users typically get infected by malware from attack vectors such as malicious websites and email attachments. Hardware storage mediums (USB keys and CDs) can be used to distribute malware but this is an expensive option often reserved for specific attacks on organisations or high worth individuals.

Once installed, criminals use the malware to perform a number of functions. Bots have been known to participate in Denial-of-Service attacks, send email SPAM, act as a key logger or Spyware, perform DNS proxy server functions for fast-flux activities and even silently click on links to increase the criminal’s ad revenue or impact SEO scores.

Bots which collect data often transfer collected data in batches to a central location using encrypted file formats and encrypted tunnels, and can go undetected for years watching for user data like Internet banking log in details and other financial information.

When a number of infected computers link they form a bot network, thus a botnet. Botnets have command and control servers (managed by hackers who are known as ‘Botnet Herders’), providing each botnet member machine with instructions and even perform malware software updates. Usually removing just one command and control server makes very little impact, as most modern botnet networks can self heal by promoting a reliable malware infected machine to the botnet command and control function.

Large botnets often get named, occasionally by the creators but often by the security professionals who identify and analyse the botnets in order to ‘bring them down’.

The Coreflood botnet is believed to have operated in various forms since 2003 and each command and control server could have managed a pool of millions of computers located around the globe. Analysts have suggested that Coreflood collected user names, passwords and financial information which was then used by criminals to commit identity and financial fraud.

On 12 April 2011, US Federal authorities seized command and control servers located in the US advertising the IP addresses 207.210.74.74 and 74.63.232.233, and took control of 29 domain names used by the botnet. Each IP address was registered to a US business; a cloud hosting provider based in Atlanta and a large ISP offering cable and entertainment portal services respectively.

A number of individuals have been detained on charges of wire fraud, bank fraud and illegal interception of electronic communications.

But what is special about this botnet takedown is that in a landmark ruling the US Department of Justice (DoJ) working closely with the FBI also obtained permission to seize control of the Coreflood botnet, replacing botnet command and control servers with DoJ managed infrastructure, in order to hijack the botnet and use it against itself.

Once control was gained, the FBI used the botnet to send a ‘stop’ command to infected machines which were identified as being located in the United States by their IP address.

The request, filed Tuesday April 12 under seal in the U.S. District Court in Connecticut, sought a restraining order to allow the nonprofit Internet Systems Consortium (ISC), to swap out command-and-control servers that were communicating with machines infected with Coreflood. The filing can be found in full at http://www.scribd.com/doc/52965914/Coreflood-Memo.

John Stewart, Cisco’s Chief Security Officer, was tentatively positive. “Traditionally, dynamic teams composed of private citizens and law enforcement devise ways to contain the effects of a botnet by releasing anti-virus signatures". Stewart went on to describe techniques which would  disrupt the command and control channel. These include IP blocklists, website blacklists, DNS black-holing and infected end point containment techniques.

Using the botnet to disable malware residing on infected machines may cross a line from a privacy point of view, and the idea that the US FBI and DoJ have sent control commands to infected machines may make some people nervous. This is the first known implementation in the US of using the botnet against itself.

A similar technique was used by Dutch law enforcement authorities against the "Bredolab" botnet, in which "good" software developed by Dutch authorities was automatically downloaded and executed on infected computers. This software was designed to notify the users of their malware infection.

“As a staunch privacy advocate, I believe that the infected computer owner’s privacy had been already violated by the malware and the botnet operators.” Stewart continued.

“In the ‘protect and serve’ aspect of their mission, my view is that the FBI sought to back the US citizen’s privacy and protect the affected individual”, “infected computers were now controlled by the good guys, and the good guys were only allowed to respond to communications requests and tell the computers to stop running the malware”.

In the request, the US government wrote “Based upon technical evaluation and testing, the Government assesses that the command sent to the Coreflood software to stop running will not cause any damage to the victim computers on which the Coreflood software is present, nor will it allow the Government to examine or copy the contents of the victim computers in any fashion”.

“Should the Government inadvertently acquire the content of any communication, it will destroy such communication upon recognition,” the government asserted.

By Tuesday afternoon in the US it was all over. Microsoft have updated its free Malicious Software Removal Tool and released the MSRT April ‘11 Win32/Afcore advisory found at https://cloudblogs.microsoft.com/microsoftsecure/?m=20114?source=mmpc, and a number of anti-malware vendors have released information to their customers regarding Coreflood.

The possible impact of the botnet is wide ranging. According to the US government filing between March 2009 and January 2010, one Coreflood command-and-control server held about 190 gigabytes of data stolen from more than 400,000 victim computers.

“This story could be very different: one in which authorities are overstepped, privacy invaded, or computers damaged. But this situation was all handled through the US Judicial system and these concerns all seem addressed by the limits in what the FBI was authorised to do."

"I tip my hat to the DoJ, FBI, Judge Vanessa Bryant for her decision, and the combined efforts that helped disrupt another botnet from continuing to steal private information and setting the stage for future, nefarious operations.” Stewart concluded.