FBI Pulls the Plug on Coreflood Botnet
Coreflood is the latest botnet to get the axe. The FBI used bold, precedent-setting maneuvers to take the Corefloood botnet offline--reducing the volume of spam polluting your Inbox, and making the Internet a little safer.
A botnet is a network of infected computers (bots) that can be controlled remotely by attackers for a variety of malicious purposes. Coreflood allows compromised Windows PCs to be accessed by attackers, enabling them to steal sensitive personal and financial information in order to steal funds.
"Botnets and the cyber criminals who deploy them jeopardize the economic security of the United States and the dependability of the nation's information infrastructure," said Shawn Henry, Executive Assistant Director of the FBI's Criminal, Cyber, Response and Services Branch in the Department of Justice press release describing the effort to shut down Coreflood. "These actions to mitigate the threat posed by the Coreflood botnet are the first of their kind in the United States and reflect our commitment to being creative and proactive in making the Internet more secure."
Dave Marcus, McAfee Labs research and communications director, explained that the cybercriminals behind Coreflood created a money machine with this botnet. Marcus says that it is difficult to estimate just how much money the botnet generated, but that it likely in the tens of millions, and that it is not outside the realm of possibility that Coreflood could have raked in more than $100 million.
This is just the latest in a string of high-profile botnet takedowns. Waledac was killed in February of 2010, Bredolab was shut down in November of last year, and Rustock--following a self-imposed hiatus over the holidays--was knocked offline in March of 2011. But, there are plenty more botnets where these came from.
In a blog post, Gunter Ollmann, Research VP for Damballa, is particularly impressed with the move by the FBI to obtain a temporary restraining order authorizing the government to respond to signals sent from PCs compromised by Coreflood to order the malicious agent to shut down.
Ollmann says, "What does this mean? Well, the DoJ was allowed to impersonate the commanding servers and send a "Stop" command to the botnet agents that were tethered to the 5 illegal CnC servers. This is precedent setting.
McAfee's Marcus said, "We commend and support the actions resulting in the takedown of the Coreflood botnet and the cybercriminals that run it. This is the type of action that needs to happen to make the Internet a safer place."