Another Botnet Takedown: Coreflood Bites the Dust!
Wed, Apr 13, 2011 by David LaMacchia
Quickly following the Rustock Botnet takedown (see “Will Microsoft’s Takedown of Rustock Drive Spammers Outside the United States?”), the Department of Justice and the FBI, again in coordination with Microsoft, have taken the Coreflood Botnet offline. Coreflood, a trojan that has been around since at least 2002, can conduct massive Denial of Service attacks and also steals sensitive information from an infected computer. Stolen information has included usernames and passwords for bank accounts, credit cards, email accounts, and more.
The press release from the Department of Justice says that today’s actions are the result of a collaboration between Microsoft, the US Marshals, and the FBI as part of an ongoing investigation. Much like the Rustock Botnet takedown, a temporary restraining order (TRO) as part of a civil investigation seems to have been used by the US Marshals to seize Command and Control machines from a number of hosting facilities in the United States.
There is one big and very interesting difference between this action and the Rustock takedown. The TRO grants the government the ability to signal infected botnet hosts and essentially deactivate Coreflood without permission from the owner of the infected host. The owner has the ability to “opt out” of the TRO and say they don’t want the government to deactivate Coreflood. Per the press release, the DOJ and the FBI will attempt to notify users whose computers are infected with Coreflood. Note that the signal only stops Coreflood from running; it does not remove the malware, so owners of infected machines still need to clean them up. “At no time,” continues the press release, “will law enforcement authorities access any information that may be stored on an infected computer.”
If Coreflood is truly offline, this marks another significant victory for the collaboration between Microsoft and the US Marshals, and more evidence of the value of strategic offensive action.