FBI May Hunt Down and Destroy Botnets in Zombie PCs
Apr 27, 2011 3:26 PM PT
The FBI has requested and received a preliminary injunction from a U.S. district judge allowing it to continue issuing "stop" commands to the zombie machines infected with the Coreflood botnet. The injunction extends the agency's dramatic takedown of the botnet's command-and-control system earlier this month, an agent said in written testimony.
In mid-April, the FBI seized five command-and-control servers and 29 domain names registered in the United States and then obtained a temporary restraining order letting it stand in for any other C&C servers handling the botnet -- that is, intercept the signals infected machines send to them and answer with stop commands. It was the first time the agency had taken such steps against a botnet.
The stop commands were only ever meant as a temporary measure to keep Coreflood from reconstituting itself elsewhere. Toward that end, the FBI proposed another radical move in its court filing: tracking down the individual owners of the PCs hijacked by Coreflood and, with their permission, uninstalling the malware.
"Removing Coreflood in this manner could be used to delete Coreflood from infected computers and to 'undo' certain changes made by Coreflood to the Windows operating system when Coreflood was first installed," special agent Briana Neumiller wrote. "The process does not affect any user files on an infected computer, nor does it require physical access to the infected computer or access to any data on the infected computer."
Ball Is Rolling
It would be a complex procedure. First, the agency would have to identify the machines, a time-consuming process that would entail combing millions of IP addresses and correlating them with ISP records. For computers located outside the U.S., it would have to work through foreign authorities.
In fact, the FBI's operation is already under way, Neumiller said in her testimony. Among the U.S. IP addresses assigned to an identifiable entity, the agency has identified approximately 17 state or local government agencies, including one police department; three airports; two defense contractors; five banks or financial institutions; approximately 30 colleges or universities; approximately 20 hospitals or healthcare companies; and hundreds of businesses infected with the malware. Local field offices are contacting these entities.
Recipe for Success?
The number of signals being sent from infected computers in the U.S. has dropped from nearly 800,000 to fewer than 100,000 since the takedown, Neumiller also testified. Signals from infected computers outside the U.S. have dropped about 75 percent.
It has been a successful mission so far, but the FBI is not likely to follow this same road map in future takedowns, said spokesperson Jenny Shearer.
"Each case has to be considered on its own and evaluated," she told TechNewsWorld.
It wouldn't make sense for the FBI to repeat its enforcement actions anyway, Andres Kohn, vice president for technology and product management at Proofpoint, told TechNewsWorld. "What they are doing is a great step in the right direction, but malware writers will always be playing cat and mouse with law enforcement. You can be sure that the next generation of botnets built will include controls so that the C&C servers can't be seized like this."
There is also the question of whether the botnet can be removed from every single computer in the first place. There is significant infection activity elsewhere in the world, noted Paul Moriarty, CEO of Umbra Data, and even if only a handful of zombie computers remain, a botnet can rebuild itself.
There is also a psychological aspect to being contacted by the FBI and asked for permission to erase malware from your computer.
"There would be privacy concerns by some people," Moriarty told TechNewsWorld.
Plus, owners would have to sign off on the possibility that they could lose their data, which would lead more of them to decline, he speculated. "I don't think the average person realizes how pervasive or dangerous botnets can be, so if they hear they might lose their data, they might not want to participate."
Still, the efforts the government has made in this takedown have been nothing short of amazing, Alan Johnston, a Washington University adjunct instructor, told TechNewsWorld. "In the past, law enforcement has paid little attention to this cybercrime. Most of the time when hackers get caught, it's because of happenstance, or vigilantes have gotten involved. This participation is definitely unprecedented."