The United States Department of Justice (DoJ) and the Federal Bureau of Investigation have hammered the Coreflood botnet, which its owners used to conduct cyberfraud on a massive scale.
They have seized five command and control (C&C) servers and 29 domain names registered in the United States, obtained a temporary restraining order that lets the government intercept signals from any other C&C servers handling the botnet, and filed a civil complaint against 13 John Does over the botnet.
“The complaint does say that the individuals are foreign nationals, and all I can say is that we’re working with governments overseas,” DoJ spokesperson Laura Sweeney told TechNewsWorld.
U.S. officials will continue attacking the Coreflood botnet and the people behind it. However, this doesn’t necessarily mean the botnet will be eradicated completely.
The chances that Coreflood will rise again are “almost 100 percent,” Dave Marcus, research and communications director at McAfee Labs, told TechNewsWorld.
“Any receding is just a short-term gain, but that’s the nature of fighting cybercrime,” Marcus explained. “This should not minimize the value of the FBI’s taking down the botnet; it’s still very important to the fight against cybercrime,” he added.
The Complaint Against Coreflood
The DoJ and FBI have filed a civil action against the people behind the Coreflood botnet in the United States District Court, District of Connecticut.
This was filed under Title 18 of the United States Code, which deals with crimes and criminals. Two sections of Title 18 — Section 1345, which deals with injunctions against fraud, and Section 2521, which is an injunction against illegal interception — were cited in the complaint.
The complaint stated that the servers assigned IP addresses 126.96.36.199 and 188.8.131.52 were Coreflood C&C servers.
In or about February 2010, approximately 2.3 million computers were or had been part of the Coreflood botnet, the complaint states. About 1.86 million of them were apparently in the United States; the rest were scattered around the world.
The defendants are subject to the personal jurisdiction of the U.S. District Court in the District of Connecticut because they used infected computers throughout the U.S. as part of the Coreflood botnet, the complaint reads.
The botnet used keystroke loggers to commit financial fraud, stealing online banking credentials, passwords and other data of victims in order to direct fraudulent wire transfers from their bank accounts, according to the complaint.
The full extent of the financial losses caused by the Coreflood botnet is not known, partly because of the large number of infected computers and the quantity of stolen data, the complaint states.
U.S. Government Action
In addition to seizing five servers and 29 domain names in the United States, the DoJ has filed a temporary restraining order (TRO) that lets it intercept commands from the Coreflood botnet’s C&C servers to victims’ PCs.
Here’s how the interception works: U.S. law enforcement sets up a substitute server at the Internet Systems Consortium or any other Internet hosting provider. This will respond to requests addressed to the Coreflood botnet’s domains by issuing instructions that will stop the Coreflood software on infected PCs from running.
The TRO instructs the defendants, their agents and representatives, and anyone acting under their direction or control, including domain service providers, to redirect Internet traffic addressed to the Coreflood domains to the substitute server instead.
Further, the TRO instructs domain name registrars and registries to set the authoritative DNS name servers to the IP address 184.108.40.206 or other IP addresses as directed by FBI special agent Kenneth Keller. It also instructs them to lock any account associated with the botnet’s Internet domain names to prevent any change, transfer or deletion of the account.
These instructions pertain only to victims’ PCs in the United States.
The DoJ has also filed a complaint against 13 John Does.
Whether the U.S. government can get its hands on the people behind the botnet remains open to question, as American law enforcement agencies have historically had problems working with their overseas counterparts.
FBI Director Robert Mueller called on the establishment of an international standard for dealing with cybercriminals at the RSA Security Conference in 2010. Cybercriminals can operate easily across national borders while law enforcement cannot because of jurisdictional and legal issues and other differences, he said.
There are several products and services that can detect botnet C&Cs, Scott Crawford, managing research director at Enterprise Management Associates, told TechNewsWorld.
These include Damballa, FireEye and ipTrust, Crawford said.
Botnets don’t need to exploit a vulnerability in order to take over a computer, McAfee’s Marcus warned.
“A vulnerability is just one of a dozen ways to exploit a botnet,” Marcus explained. “You can download them via email attachments, for example,” he said.
Consumers can protect themselves by ensuring they update their antivirus software and running scans to make sure their PCs aren’t running malware, the DoJ’s Sweeney said.