In an unprecedented legal strike, the FBI and the Department of Justice have taken down the “Coreflood” botnet, a massive international network of more than two million infected computers used to clean out bank accounts and steal sensitive corporate data and financial information.
The U.S. Attorney’s Office in Connecticut issued a seizure warrant yesterday (April 13) for 29 domain names attached to the Coreflood command-and-control network, and obtained a temporary restraining order to stop computers already infected with Coreflood from further transmitting data.
Botnets are large networks of computers infected with malicious software — in this case the Coreflood Trojan — which form massive “ zombie armies ” under the sway of command-and-control servers.
While most botnets are merely used to send out spam and have little effect upon the individual PCs hosting them, the Coreflood botnet was different. It gathered personal and financial information from the infected machines, and is believed to have been active for nearly a decade, according to the U.S. Attorney’s Office.
"Its goal is to steal the data directly from users," security expert Joe Stewart said of Coreflood in a 2008 CNet interview.
Stewart said computers were infected with the Coreflood Trojan via "drive-by downloads" caused by visiting compromised Web pages, and that the criminals behind Coreflood were probably based in Russia.
However, as with the Rustock botnet that was shut down by Microsoft last month, most of Coreflood's command-and-control servers were in the United States.
Authorities seized five of those servers yesterday, and also filed a civil complaint against 12 “John Doe” defendants, alleging that they used the botnet to commit bank fraud and wire fraud.
Dismantling the Coreflood botnet and bringing its operators to justice is “the most complete and comprehensive enforcement action ever taken by U.S. authorities,” the U.S. Attorney’s Office said in a press release.
The government stressed that despite its success in dismantling the major botnet, it’s possible others may spring up to take its place.
“While this enforcement action completely disabled the existing Coreflood botnet by seizing control from the criminals who ran it, this does not mean that Coreflood malware or similar forms of malware have been removed from the Internet entirely,” the press release said. “Nor does it mean that criminals will not attempt to build another botnet using a different version of the Coreflood malware or other malware.”
To stay safe, security professionals recommend installing antivirus software and keeping it constantly up to date.
Microsoft also announced yesterday that it would add the Coreflood Trojan to the list of software targeted by the Microsoft Malicious Software Removal Tool.