FBI Employs New Botnet Eradication Tactics
The US government has taken a novel approach to fighting botnets that it hopes will be a model for combating these security threats in the future. As part of Operation Adeona, the US Justice Department and the Federal Bureau of Investigation (FBI) obtained a restraining order and seized the servers hackers used to run the Coreflood botnet, which at one time consisted of 2.3 million infected computers.
During the operation, the FBI redirected afflicted computers to a substitute command and control (C&C) server, which directed computers infected in the US to uninstall the Coreflood software. "These actions to mitigate the threat posed by the Coreflood botnet are the first of their kind in the United States and reflect our commitment to being creative and proactive in making the Internet more secure," said Shawn Henry, executive assistant director of the FBI's Criminal, Cyber, Response, and Services branch in a statement.
This is the first time a US law enforcement agency has used this tactic. Microsoft employed similar tactics in taking down Rustock, and Dutch authorities used it in taking down Bredolab.
"In this case, law enforcement disrupted the botnet without affecting other services in a surgically beautiful way with the backing of the court," said Eugene Schultz, CTO of Emagined Security, a security solutions vendor.
A Long History
Coreflood was first detected in 2002. The basic software opens a door on the host computer for various malware packages, such as key logging software designed to steal banking credentials. The Coreflood malware was programmed to receive updates from the C&C servers on a regular basis. New versions of the botnet software have been regularly released to stay ahead of anti-virus software updates.
"The full extent of the financial loss caused by the Coreflood botnet is not known, due in part to the large number of infected computers and the quantity of stolen data," wrote US FBI special agent Kenneth Keller in an affidavit to the court. However, the botnet was responsible for significant financial losses in numerous cases, such as a real estate company in Michigan that lost $115,771 and a law firm in South Carolina that lost $78,421.
On 13 April, the US Justice Department filed civil complaints against 13 unidentified defendants and received a temporary restraining order allowing it to take control of the domain names, replace the C&C servers with substitutes, and issue Coreflood uninstall commands to infected computers.
The FBI also worked with Microsoft and antivirus vendors to ensure detection of the last known variant of Coreflood, released between 1 and 12 April. Microsoft added Win32/Afcore (Coreflood) detection to its Malicious Software Removal Tool. More than 20 antivirus vendors were able to recognize the latest version of Coreflood.
During the course of the offensive, the FBI seized 29 domain names that pointed to several C&C servers used by hackers to infect computers. During the takedown, the FBI redirected all 29 domain names to a single C&C server, which it used to issue uninstall commands to computers in the US until the servers were turned off 16 June.
"The FBI has issued approximately 19,000 uninstall commands to infected computers of approximately 24 Identifiable Victims, none of whom have reported any adverse or unintended consequences from the uninstall commands," wrote Keller.
FBI monitoring indicates that Coreflood botnet activity has dropped 95 percent from its peak levels before the takedown. "While the Coreflood software will continue to run on still-infected computers once the substitute server is taken out of operation," Keller wrote, "the seizure of the Coreflood Domains will continue reasonably to prevent the Defendants from obtaining access to those computers or to data stolen from those computers."
Securing the Future
As the government begins taking a more active role in eradicating malware, there are some concerns about the abuses these practices might promote in the future. "There is some question about how far law enforcement should be allowed to go in stopping security threats," Schultz said. "The FBI has gained new power without a court challenge. Where will they stop now? They have been emboldened in a new way."
In the long run, Schultz believes that more international law enforcement authorities must cooperate more as cyber crime techniques evolve. Future botnets could become more distributed, making them harder to take out from within a single country. Law enforcement agencies might then have to consider measures such as rerouting traffic around crime syndicates or launching distributed denial of service attacks on known criminal sources in a true information warfare manner, which could blur the line between fighting cyber crime and cyber warfare.
George Lawton is a freelance journalist based in Guerneville, CA. Contact him at firstname.lastname@example.org.