U.S. Authorities Pull the Plug on Major Botnet, 2 Million Zombie PCs Rejoice (Sort Of)

Published: 2011-04-19 (last modified 2019-04-17)
Link: https://hidefideas.com/blog/2011/04/19/u-s-authorities-pull-the-plug-on-major-botnet-2-million-zombie-pcs-rejoice-sort-of/
Categories: bot, botnet, security, spam. Tags: allspammedup, bot, botnet, malware, spam.

[Image: Cyber-Network-Attacks]

If the US government's recent actions are any indication, things are fiercely heating up in the ongoing war against spam. Mere weeks ago, Microsoft, with the aid of the US Marshals Service and a Federal warrant, took down the Rustock botnet (http://www.allspammedup.com/2011/03/microsoft-brings-rustock-down/), and in the past few weeks we've seen a decline in the number of spam emails by a third (supposedly – read to the end to get my take on things). Less than a month after Rustock went dark, US Federal prosecutors and the US Department of Justice have struck another blow for (what else?) justice.

On April 13th, the US Department of Justice and Federal Bureau of Investigation announced that they had disabled an international botnet infecting more than 2 million computers and responsible for the theft of corporate data, user account details and financial information. The DoJ released a press release detailing the takedown of Coreflood, malicious code that exploits security vulnerabilities in Windows operating systems. From the FBI website (http://newhaven.fbi.gov/dojpressrel/pressrel11/nh041311.htm): "Coreflood allows infected computers to be controlled remotely for the purpose of stealing private personal and financial information from unsuspecting computer users, including users on corporate computer networks, and using that information to steal funds."

Coreflood, according to court filings, is a nasty piece of malicious code that records keystrokes and monitors private communications. Once a computer has been infected, it becomes part of the botnet, which is remotely controlled by Coreflood's C&C servers. The Coreflood botnet is believed to have been operating for nearly a decade, infecting more than two million computers around the world. The malware then steals user names, passwords and other private information, "allegedly used by the defendants for a variety of criminal purposes, including stealing funds from the compromised accounts," the DoJ press release (http://www.justice.gov/opa/pr/2011/April/11-crm-466.html) reports. Court filings released by the DoJ describe one example where Coreflood was able to take over an online banking session and fraudulently transfer funds into a foreign account by monitoring Internet communications between a user and the user's bank.

In order to effect the takedown, the US Attorney's office for the District of Connecticut filed a civil complaint against 13 'John Doe' (i.e., unnamed) defendants and executed criminal seizure warrants along with a temporary restraining order (TRO), all of which comprise "part of the most complete and comprehensive enforcement action ever taken by U.S. authorities to disable an international botnet," according to the government's website. The complaint filed by the DoJ alleged that the defendants engaged in wire fraud, bank fraud and the illegal interception of electronic communications.

In addition to the civil complaint filed with the U.S. District Court for the District of Connecticut, the FBI seized five command and control servers scattered across the country and 29 domain names used by Coreflood. According to the DoJ, the TRO authorized the government "to respond to signals sent from infected computers in the United States in order to stop the Coreflood software from running, thereby preventing further harm to hundreds of thousands of unsuspecting users of infected computers in the United States." The FBI also established 5 sinkhole servers to absorb the command and control traffic previously handled by the Coreflood servers. All this action hasn't removed the malicious code from the zombie computers, a daunting task that the FBI admits will take time and cooperation from those infected. Along with participating Internet Service Providers, the DoJ and FBI will be notifying infected users in order to help clean the infection.

Oddly enough, the government press release also states that "identified owners of infected computers will also be told how to 'opt out' from the TRO," if for some strange reason infected owners want to keep Coreflood running on their computers. For the paranoid who don't particularly relish the idea of having the federal government poking around inside their computers, the DoJ provided an assurance that "at no time will law enforcement authorities access any information that may be stored on an infected computer."

The bad news is that, as of the writing of this article, the FBI's offer to help infected users only applies to PCs in the US, so international users are out of luck. The DoJ press release does point to a US Computer Emergency Response Team (US-CERT) information site (http://us-cert.gov/nav/nt01/) which provides detail on Coreflood and the Microsoft updates required to immunize against the malware.

"The seizure of the Coreflood servers and Internet domain names is expected to prevent criminals from using Coreflood or computers infected by Coreflood for their nefarious purposes," stated US Attorney David B. Fein of the District of Connecticut, where the complaint was filed. "I want to commend our industry partners for their collaboration with law enforcement to achieve this great result."

So, chalk up another victory for the good guys, right? Maybe, but even with the recent takedown of Rustock and now the malicious botnet known as Coreflood, it seems like there is much more work to be done. I don't know if it's coincidence or not, but since my recent article (http://www.allspammedup.com/2011/04/spam-reduced-by-more-than-a-third-since-rustock-takedown-bagle-and-others-step-in-to-fill-the-void/) on how spam has been reported to be significantly reduced since Microsoft took out Rustock, the spam arriving in my inbox seems to have increased. Significantly. I'd certainly be interested in hearing anyone else's recent experience. Are these good news stories and affirmative action reason to be optimistic, or are law enforcement agencies only sticking their fingers in one hole in the dike, only to see two more holes spring up elsewhere?