FBI May Hunt Down and Destroy Botnets in Zombie PCs

The FBI has requested and received a preliminary injunction from a U.S. district judge to continuing issuing “stop” commands to the zombie machines infected with the Coreflood botnet. It is an essential step that is part of the agency’s dramatic takedown of the botnet’s command-and-control system earlier this month, an agent said in written testimony.

In mid-April, the FBI seized five command-and-control servers and 29 domain names registered in the United States and then obtained a temporary restraining order to intercept signals — that is, issue stop commands — from any other C&C servers handling the botnet. It was the first time the agency took such steps against a botnet.

That was only meant to be a temporary measure to keep Coreflood from reconstituting itself elsewhere. Toward that end, the FBI proposed another radical move in its court plea: tracking down the individual owners of the zombie PCs that have been hijacked by Coreflood and uninstalling the malware, with their permission.

“Removing Coreflood in this manner could be used to delete Coreflood from infected computers and to ‘undo’ certain changes made by Coreflood to the Windows operating system when Coreflood was first installed,” special agent Briana Neumiller wrote. “The process does not affect any user files on an infected computer, nor does it require physical access to the infected computer or access to any data on the infected computer.”

Ball Is Rolling

It would be a complex procedure. First, the agency would have to identify the machines, a time-consuming process that would entail combing millions of IP addresses and correlating them to ISP records. For computers located outside of the U.S., it would have to involve foreign authorities.

In fact the FBI’s operations are already under way, Neumiller said in her testimony. Of the IP addresses in the United Statesassigned to an identifiable entity, it has identified approximately 17 state or local government agencies, including one police department; three airports; two defense contractors; five banks or financial institutions; approximately 30 colleges or universities; approximately 20 hospital or healthcare companies; and hundreds of businesses infected with the malware. Local field offices are contacting these entities.

Recipe for Success?

The number of signals being sent from infected computers in the U.S. has dropped from nearly 800,000 to fewer than 100,000 since the takedown, Neumiller also testified. Signals from infected computers outside the U.S. have dropped about 75 percent.

It has been a successful mission so far, but the FBI is not likely to follow this same road map in future takedowns, said spokesperson Jenny Shearer.

“Each case has to be considered on its own and evaluated,” she told TechNewsWorld.

Ever-Evolving Story

It wouldn’t make sense for the FBI to repeat its enforcement actions anyway, Andres Kohn, vice president for technology and product management at Proofpoint, told TechNewsWorld. “What they are doing is a great step in the right direction, but malware writers will always be playing cat and mouse with law enforcement. You can be sure that the next generation of botnets built will include controls so that the C&C servers can’t be seized like this.”

There is also the question of whether the botnet can even be removed from every single computer in the first place. There is significant infection activity elsewhere in the world, noted Paul Moriarty, CEO of Umbra Data, and even if a handful of zombie computers remain, a botnet can rebuild itself.

There is also a psychological aspect of having the FBI contact you to ask to erase malware from the computer.

“There would be privacy concerns by some people,” Moriarty told TechNewsWorld.

Plus, the individuals would have to acknowledge that it might be possible they would lose their data — which would cause more people to decline, he speculated. “I don’t think the average person realizes how pervasive or dangerous botnets can be, so if they hear they might lose their data, they might not want to participate.”

Still, the efforts the government has made in this takedown have been nothing short of amazing, Alan Johnston, a Washington University adjunct instructor, told TechNewsWorld. “In the past, law enforcement has paid little attention to this cybercrime. Most of the times when hackers get caught, it’s because of happenstance, or vigilantes have gotten involved. This participation is definitely unprecedented.”


  • doctordawg – The way I was reading the article, it would not be an Email. That would be the absolute LAST thing I would click on. It sounded to me like they would be using phone or snail mail to contact zombie owners and from there they would possibly be directed to a web site.


    There is also a psychological aspect of having the FBI contact you to ask to erase malware from the computer.

    "There would be privacy concerns by some people," Moriarty told TechNewsWorld.


    If I were contacted by the FBI through Email, I would assume it to be a phishing attempt and ignore it. There would be ZERO psychological effect on me.

    The privacy concerns would be from the FBI contacting ISPs and getting phone numbers and/or addresses to contact users in a way they would believe.

    Personally, I would WANT to be contacted and handed a solution to being infected by a botnet. There is a slim chance of my being infected, but if it happened then I need to rethink my security setup on my system and fix it. I would be thankful for the heads-up. I want to be part of the solution rather than part of the problem.

    The privacy issues are outweighed by being part of the large and growing problem of malware. When an infected system is spreading either the infection itself or the "payload", it needs to be stopped. The FBI should be restricted to collecting only the info needed to properly contact the owner of the account (name, address and phone). History has proven that users as a whole, with relatively few exceptions, cannot be relied upon to keep their own systems clean. They need to be helped.

    Another possible solution would be to push some code through Microsoft Update to check for this particular zombie on patch Tuesday. If it is found, display a message or link directing the user to a site that would get permission and help clean the infected system. No more privacy issue…

  • What is so difficult about tracking down and collating millions of IP addresses? The FBI simply needs to hire the RIAA for the job. The RIAA has proven time and again they can track down even the most neophyte grandmother and single working mom to serve with a lawsuit.

  • So, when I see a randomly timed alert from "the FBI" to access my computer and delete stuff from across the internet, I should click "Sure – Go Ahead" – right?

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

Technewsworld Channels