Coreflood botnet take-down by DOJ

Any research, news or information regarding the wide variety of techniques criminals use to take over your computers or web servers.

US FBI Shuts Down Coreflood Botnet

Postby meep » Wed Apr 13, 2011 7:06 pm

Hot off the presses: :)

http://www.justice.gov/opa/pr/2011/Apri ... m-466.html

FOR IMMEDIATE RELEASE
Wednesday, April 13, 2011
Department of Justice Takes Action to Disable International Botnet
More Than 2 Million Computers Infected with Keylogging Software as Part of Massive Fraud Scheme

WASHINGTON - Today the Department of Justice and FBI announced the filing of a civil complaint, the execution of criminal seizure warrants, and the issuance of a temporary restraining order as part of the most complete and comprehensive enforcement action ever taken by U.S. authorities to disable an international botnet. ...
meep
Spammers' Nightmare
 
Posts: 2777
Joined: Thu Apr 05, 2007 4:10 pm

Coreflood botnet take-down by DOJ

Postby Red Dwarf » Wed Apr 13, 2011 7:10 pm

Ref: http://www.justice.gov/opa/pr/2011/Apri ... m-466.html
PRESS RELEASE
Wednesday, April 13, 2011
Department of Justice Takes Action to Disable International Botnet
More Than 2 Million Computers Infected with Keylogging Software as Part of Massive Fraud Scheme

In the enforcement actions announced today, five C & C servers that remotely controlled hundreds of thousands of infected computers were seized, as were 29 domain names used by the Coreflood botnet to communicate with the C & C servers. As authorized by the TRO, the government replaced the illegal C & C servers with substitute servers to prevent Coreflood from causing further injury to the owners and users of infected computers and other third parties.


This looks like an action undertaken solely by the DOJ and FBI, with assistance from other players. It is pleasing to see the botnet problem being taken seriously.

The law enforcement actions announced today are the result of an ongoing criminal investigation by the FBI’s New Haven Division, in coordination with the U.S. Marshals Service. Additional assistance was provided by Microsoft, the Internet Systems Consortium and other private industry partners.


Coreflood (aka the Win32/Afcore family) has been around since 2001 and came into prominence in 2008, but has been off the radar of cyber-media attention. Here are 2 background articles from 2008:
http://www.zdnet.co.uk/news/security-th ... -39547401/
http://www.zdnet.co.uk/news/security-ma ... -39458724/
Red Dwarf
You are kiillllling-a my bizinisss!
 
Posts: 10542
Joined: Tue Jun 27, 2006 2:01 am

Re: Coreflood botnet take-down by DOJ

Postby Red Dwarf » Wed Apr 13, 2011 7:23 pm

Not only was there a seizure of the command and control center system but commands were sent to the slaves to stop sending stolen financial data.

Ref: http://www.reuters.com/article/2011/04/ ... NQ20110413
U.S. government programmers shut down the Coreflood botnet on Tuesday. They also instructed the computers enslaved in the botnet to stop sending stolen data and to shut down. A similar tactic was used in a Dutch case, but it was the first time U.S. authorities had used this method to shut down a botnet, according to court documents.
(My emphasis added)

I await the howls of protest and accusations of officialdom's cyber-burglary from the likes of the EFF and other effete dweebs that bleat "freedom" without yet acquiring the word "responsibility" into their vocabulary. But the howls should be lost in the wind. Wake up to the new, responsible form of crime fighting empowerment. It's the only way.
Red Dwarf
You are kiillllling-a my bizinisss!
 
Posts: 10542
Joined: Tue Jun 27, 2006 2:01 am

Re: Coreflood botnet take-down by DOJ

Postby Red Dwarf » Wed Apr 13, 2011 7:56 pm

Ref: The actual temporary restraining order

* The ISC has the right to substitute, for the C&C servers, computers with software that will respond to the infected machines' requests with a command to stop sending and to shut down the Coreflood program. When an infected machine is rebooted, the shutdown response will be repeated.

* Microsoft has today updated the MSRT - Malicious Software Removal Tool free scanner to detect and remove the Coreflood bot infection.

* The US Government has the list of IP addresses for infected machines, and will provide those to the responsible ISPs.

This is all included in the restraining order. It makes very interesting reading, and represents a significant breakthrough in cybercrime law enforcement, especially considering that the infected machines will be spread over every geographical region around the world. Currently however, it would seem that the responses will be limited to US domestic infections. A new dawn has broken on the Internet.
Red Dwarf
You are kiillllling-a my bizinisss!
 
Posts: 10542
Joined: Tue Jun 27, 2006 2:01 am

Re: Coreflood botnet take-down by DOJ

Postby AlphaCentauri » Wed Apr 13, 2011 9:25 pm

The correct response to any concern about the government reprogramming your computer is to prevent/remove the malware that allows random strangers (including any and all governments) access to your computer.

It's like allowing the local drug dealers to take the doors off your house and start selling heroin from your living room, then complaining when the cops neatly replace your doors and locks so the dealers can't get in anymore. Be happy the city didn't seal your house with concrete so you can't let any more bad guys set up shop in your house. (I imagine a lot of us who have had the task of removing malware from relatives' computers during family visits have been sorely tempted to try the latter approach. :twisted:)
AlphaCentauri
You are kiillllling-a my bizinisss!
 
Posts: 5989
Joined: Thu Mar 01, 2007 3:01 am

Re: Coreflood botnet take-down by DOJ

Postby AlphaCentauri » Wed Apr 13, 2011 9:29 pm

This got posted in two threads simultaneously, so I merged them.
AlphaCentauri
You are kiillllling-a my bizinisss!
 
Posts: 5989
Joined: Thu Mar 01, 2007 3:01 am

Re: Coreflood botnet take-down by DOJ

Postby trobbins » Thu Apr 14, 2011 11:31 am

trobbins
Spammers' Nightmare
 
Posts: 2556
Joined: Thu Apr 12, 2007 6:55 pm

Re: Coreflood botnet take-down by DOJ

Postby spamislame » Thu Apr 14, 2011 12:41 pm

Also slashdotted:

http://yro.slashdot.org/story/11/04/13/ ... ack-Botnet

This is great news (although from first notice in 2005 to 2011 is a bit of a long wait for this action.)

:silthumb:

SiL
spamislame
Site Admin
 
Posts: 5057
Joined: Tue May 09, 2006 9:18 am

Re: Coreflood botnet take-down by DOJ

Postby meep » Fri Apr 15, 2011 12:30 pm

Brian Krebs:

Noting who outside of the US government helped with this (good job, everyone) - I would bet there are others, so this is great co-operation. :)

http://krebsonsecurity.com/2011/04/u-s- ... od-botnet/

... Andrew Fried, a botnet expert who runs Deteque, a security consultancy in Alexandria, Va., said the action was a long time coming, but he applauded the feds for making it happen. “We finally saw exactly how effective law enforcement and our judicial system can be when they attack problems using strategic rather than political methods,” Fried said.

Greene said the job now falls to ISPs, security firms, and Microsoft to help clean up the pool of PCs that remain infected with Coreflood. Microsoft this week shipped an update to remove Coreflood from Windows machines of users who take advantage of the Malicious Software Removal Tool, an anti-malware tool offered through Windows Updates and Automatic Update that looks for and removes many families of infectious software.

Some readers may be alarmed by this news because they are wary of any government actions that involve access to individual computers. Wired.com's Kim Zetter writes that the Electronic Frontier Foundation is uneasy with the government's move, which it called "an extremely sketchy action to take." However, as noted cybercrime expert Gary Warner points out in his blog, the government is offering computer users affected by this week's takedown the option to "opt out" of the terms of the temporary restraining order. ...
meep
Spammers' Nightmare
 
Posts: 2777
Joined: Thu Apr 05, 2007 4:10 pm

Re: Coreflood botnet take-down by DOJ

Postby Nodus » Sat Apr 16, 2011 11:42 am

Red Dwarf wrote:I await the howls of protest and accusations of officialdom's cyber-burglary from the likes of the EFF and other effete dweebs that bleat "freedom" without yet acquiring the word "responsibility" into their vocabulary.. But the howls should be lost in the wind.

No they shouldn't. Without any such watchdogs this precious world of ours would have been an Orwellian one for decades already, and you know it as well as I do. Feel free to mock them, but it doesn't make them unnecessary.

While I welcome the actions of the U.S. authorities in this particular case, I also welcome the existence and many actions of their critics, be they the local or international media, or human rights activists like the EFF. And while you may be OK with the actions of (your/my/their) current government, you never know what it may turn into — the future ones will still have at least the same capabilities. Governments should always be kept on their toes, or we will all be living in North Korea before we would even notice. Never overestimate the responsibility of a government.

Freedom is and will always be a two-edged sword. Forgetting responsibility will make it collapse, but so will abundant control, simply because power corrupts.

Just a few more "howls" from another "effete dweeb", which you can of course "lose in the wind" if you like.
Arf, she said
Nodus
Spammer Obliterator
 
Posts: 2285
Joined: Fri Jun 15, 2007 7:05 pm

Re: Coreflood botnet take-down by DOJ

Postby AlphaCentauri » Sat Apr 16, 2011 2:21 pm

The impression I'm getting is that it's not so much a case of EFF having a problem with what was done. They wanted to register an objection rather than let the matter pass without comment and have future actions become increasingly invasive.

One could make an argument that anyone who let the botnet controllers see everything on his hard drive couldn't possibly object to the US Department of Homeland Security taking a look around too, or that the US government is under no obligation to extend privacy protections to computer owners outside the US. This is the same agency that claimed the right to wiretap phone conversations of US citizens (including legislators) without obtaining warrants, as long as the other party to the conversation was not in the US.
AlphaCentauri
You are kiillllling-a my bizinisss!
 
Posts: 5989
Joined: Thu Mar 01, 2007 3:01 am

Re: Coreflood botnet take-down by DOJ

Postby MyCanadian Spammerdeath » Sat Apr 16, 2011 10:02 pm

I don't know anybody at the ISC. I'm certain I wouldn't want anyone at Microsoft nor any of my ISPs examining all my files, not that I've anything to hide. But, still. With a clear opt-out available - an option that only non-criminals are likely to exercise - the ISC may or may not be a trustworthy cyberpathologist. I just don't know, and I'm glad that the EFF is on record for having concerns or reservations. By providing the opt-out mechanism this court appears to give considerable weight to such concerns, as it should.
Only on our site you will find a SPICE under the comprehensible prices!
MyCanadian Spammerdeath
Spammer Exterminator
 
Posts: 1144
Joined: Mon Feb 26, 2007 11:13 pm

Re: Coreflood botnet take-down by DOJ

Postby Red Dwarf » Fri Apr 29, 2011 8:19 pm

The next step:

Ref: http://www.computerworld.com/s/article/9216199/Feds_to_remotely_uninstall_Coreflood_bot_from_some_PCs
April 27, 2011
Feds to remotely uninstall Coreflood bot from some PCs
Users must sign consent form before FBI tells malware to delete itself
On Monday, U.S. District Court Judge Vanessa Bryant granted the DOJ's request for a preliminary injunction. It expires May 25.

The FBI has also identified infected computers, and in some cases has linked names to the static IP addresses. Those are the PCs targeted for remote Coreflood eradication.

"While the proposed preliminary injunction is in effect, the Government also expects to uninstall Coreflood from the computers of Identifiable Victims who provide written consent," said the DOJ in the memo.
Red Dwarf
You are kiillllling-a my bizinisss!
 
Posts: 10542
Joined: Tue Jun 27, 2006 2:01 am

Re: Coreflood botnet take-down by DOJ

Postby AlphaCentauri » Fri Apr 29, 2011 9:00 pm

The next step may be that ISPs start requiring subscribers to consent in advance to that sort of procedure in order to reduce their burden of infected machines on dynamic IP ranges, the way people currently allow their antivirus software to automatically disinfect things.

That could get ugly some day if they delete the wrong root kit files from a large number of users, as occasionally has happened with AV programs and even Microsoft updates. (If I were a malware creator, I'd be trying to incorporate poison pills in my software, just to create backlash against this sort of effort.)
AlphaCentauri
You are kiillllling-a my bizinisss!
 
Posts: 5989
Joined: Thu Mar 01, 2007 3:01 am

Re: Coreflood botnet take-down by DOJ

Postby Red Dwarf » Wed May 25, 2011 5:53 pm

The next step has been taken - by Microsoft. From an article in SearchSecurity:
Microsoft has issued an out-of-band update to its Malicious Software Removal Tool, bolstering its ability to detect Coreflood botnet infections and step up Coreflood removal.
...
The Coreflood botnet is a serious threat to corporate networks because cybercriminals have designed it to target networks hosting multiple computers. Once infected, the botnet acts as a vacuum cleaner, using a keylogger to record key strokes, sucking up financial data and sensitive company information, including intellectual property.
Red Dwarf
You are kiillllling-a my bizinisss!
 
Posts: 10542
Joined: Tue Jun 27, 2006 2:01 am
