For the first time ever, the US government has attempted to take down a botnet by setting up a substitute control channel that temporarily disables the underlying malware running on hundreds of thousands of infected end user computers.
The move, announced Wednesday after federal prosecutors seized domain names, IP addresses and servers operated by the operators, is intended to cut the head off a notorious botnet known as Coreflood, which has infected more than 2 million Windows machines since 2002. During and 11-month period starting in March 2009, Coreflood siphoned some 190 GB worth of banking passwords and other sensitive data from more than 413,000 infected users as they browsed the net, authorities said.
In a step never before taken in the US, federal prosecutors have obtained a court order allowing them to set up a substitute command and control server that will direct infected machines to temporarily stop running the underlying malware. The substitute instructions will have to be issued continuously for the foreseeable future because infected machines are automatically programmed to be reload Coreflood each time they are restarted.
“Issuing the stop command to the Coreflood software will further limit the ability of the operators of the botnet to regain control of the botnet through a variety of illegal means,” prosecutors wrote in a motion filed Tuesday for a court order to take over the C&C server. “Indeed, failure to issue the stop command will increase the likelihood that the operators of the botnet will be able to successfully regain control of some part of their illicit network.”
Prosecutors also obtained an order to log the IP addresses of all computers that report to the substitute C&C server. The government attorneys will then work with the underlying ISPs to track down each end user so he can be informed of the infection and be instructed how to use various antivirus products to disinfect the compromised machine.
According to the court filing, no US law enforcement authority has ever sought court permission to control a seized botnet using a substitute C&C server. Dutch officials took a similar approach last year when they beheaded the Bredolab botnet, another network of infected machines used to steal vast amounts of financial information from its victims.
The novel legal move came in a lawsuit prosecutors filed against 13 Coreflood operators named only as John Does because their true identities are unknown. It accuses them of engaging in wire fraud, bank fraud and illegal interception of electronic communications. The complaint and accompanying motions weren't unsealed until Wednesday, when the temporary restraining order they requested was granted.
The order gives the feds control over two IP addresses (22.214.171.124 and 126.96.36.199) and 29 domain names used to run the Coreflood C&C server. It also grants feds authority to use a “trap and trace” device to capture the IP addresses of the compromised computers.
The motions recited a litany of invasions into the online comings and goings of those infected by the Coreflood malware. They included an unnamed defense contractor in Tennessee. After obtaining the online credentials from the firm's bank account, the operators managed to steal almost $242,000 from the firm after attempting to transfer more than $934,000. A North Carolina investment company lost more than $151,000.
According to security researcher Joe Stewart of Secure Works, Coreflood started out as platform for launching DDoS, or distributed denial-of-service, attacks, but soon moved on to financial crime. Eventually, the botnet was able to compromise accounts even when they used two-factor authentication schemes such as those that rely on a physical token that generates one-time passwords.
It's impossible to know exactly how many victims have been claimed by Coreflood, because machines are constantly being infected, disinfected, and in some cases, reinfected. While investigators counted 413,710 infected machines from March 2009 to January 2010, the total number of machines that were, or had been, part of Coreflood is more than 2.3 million, with more than 1.8 million of them appearing to be located in the US.
The substitute C&C will be operated by the non-profit Internet System Consortium, with additional assistance coming from Microsoft.