First published: 14th April 2011
US Federal Prosecutors have obtained a court order to set up a substitute Command and Control (C&C) server, and to take over IP addresses and control of the Coreflood botnet, which has infected over 2 million Microsoft Windows computers over an 8 year period. This control will be used to send the malware a stop command and to record the IP addresses of infected systems, so that the victims can be warned.
However, the stop command is only temporary. Infected systems still have the malware installed, and it will reload and contact the C&C again when they are restarted. The substitute C&C will therefore need to operate for a long time, while the victims are traced through ISP records. The criminals behind Coreflood may also try to regain control of the botnet. The Internet Systems Consortium (ISC), helped by Microsoft, will operate the substitute C&C.
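To make the mechanism concrete, here is a toy sinkhole in Python, added to this article as an illustration. It is not Coreflood's protocol and not code from the takedown: the beacon format (`BOT <id> <build>`), the `STOP` reply, and the sample addresses are all made up for the example. It records one entry per source IP (the data an ISP would need to trace a subscriber), answers every beacon with the stop command, ignores traffic that is not a bot so scanners are not logged as victims, and keeps a check-in counter that shows which hosts keep coming back after a restart.

```python
# Added example: a toy C&C sinkhole that records which hosts check in and
# answers every beacon with a stop command.  The beacon format, the command
# bytes and the sample addresses are hypothetical; this is not Coreflood's
# protocol and not code from the takedown operation.
import json
import socketserver
import time
from dataclasses import dataclass, field

STOP_COMMAND = b"STOP\n"  # hypothetical stop directive sent to every bot


@dataclass
class Victim:
    first_seen: float
    last_seen: float
    checkins: int = 0
    bot_ids: set = field(default_factory=set)  # several bots may sit behind one NAT address


class Sinkhole:
    """Keeps a per-source-IP record suitable for handing to ISPs."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.victims: dict[str, Victim] = {}

    def handle_beacon(self, src_ip: str, payload: bytes):
        """Return the reply for one beacon, or None for traffic that is not a bot.

        Hypothetical beacon format: b"BOT <bot_id> <build>\n".  Anything else
        (port scans, researchers' probes) is dropped and NOT logged as a victim.
        """
        parts = payload.strip().split()
        if len(parts) != 3 or parts[0] != b"BOT":
            return None
        bot_id = parts[1].decode("ascii", "replace")
        now = self.clock()
        v = self.victims.get(src_ip)
        if v is None:
            v = Victim(first_seen=now, last_seen=now)
            self.victims[src_ip] = v
        v.last_seen = now
        v.checkins += 1
        v.bot_ids.add(bot_id)
        # The stop only affects the running process: after a reboot the bot
        # beacons again, so checkins keeps climbing for an unrepaired host.
        return STOP_COMMAND

    def repeat_offenders(self):
        """IPs that checked in more than once: the bot came back after a stop."""
        return sorted(ip for ip, v in self.victims.items() if v.checkins > 1)

    def isp_report(self) -> str:
        """JSON the takedown team could hand to an ISP to trace subscribers."""
        rows = [
            {"ip": ip, "first_seen": v.first_seen, "last_seen": v.last_seen,
             "checkins": v.checkins, "bot_ids": sorted(v.bot_ids)}
            for ip, v in sorted(self.victims.items())
        ]
        return json.dumps(rows, indent=2)


def demo():
    """Replay constructed beacons against a sinkhole with a fake clock."""
    t = [1_000_000.0]

    def clock():
        t[0] += 60.0
        return t[0]

    sh = Sinkhole(clock=clock)
    traffic = [  # constructed sample traffic using documentation addresses
        ("198.51.100.7", b"BOT a1b2 2011.3\n"),
        ("203.0.113.9", b"GET / HTTP/1.0\r\n"),  # scanner, not a bot: not logged
        ("198.51.100.7", b"BOT a1b2 2011.3\n"),  # same host beaconing again after reboot
        ("192.0.2.44", b"BOT 9f0e 2011.3\n"),
    ]
    for ip, payload in traffic:
        sh.handle_beacon(ip, payload)
    return sh


class _Handler(socketserver.StreamRequestHandler):
    """Thin TCP front end so the class can be run as a real listener."""

    def handle(self):
        reply = self.server.sinkhole.handle_beacon(self.client_address[0], self.rfile.readline())
        if reply:
            self.wfile.write(reply)


def serve(bind=("0.0.0.0", 8080)):
    srv = socketserver.ThreadingTCPServer(bind, _Handler)
    srv.sinkhole = Sinkhole()
    srv.serve_forever()


if __name__ == "__main__":
    print(demo().isp_report())
```

Run the file directly to see the report for the constructed traffic: two victim IPs, with 198.51.100.7 showing two check-ins (the "reloads after restart" case from the article) and the HTTP probe from 203.0.113.9 absent. The design point is that the sinkhole only needs to accept the bot's own hello and send back one directive; the laborious part, matching IP and timestamp to a subscriber, happens at the ISP and is why the record keeps both first and last seen times.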
Analysis of Coreflood has hinted at a highly organised software development team with a lot of investment behind it, and some of the online banking credentials it was used to steal netted the villains hundreds of thousands of US dollars. The botnet has clearly been a lucrative revenue stream, and the gang now faces the decision of whether to fight to regain control, or to walk away and build a new botnet.
The takedown operation is claimed to be the first time the US government has obtained a court order to set up a substitute C&C. However, in October 2010 the Dutch police and Government, together with security company Fox-IT, cooperated to behead the Bredolab botnet and used the botnet itself to alert victims. In a hotly debated show in March 2009, the BBC programme Click took over a small botnet by hiring it, demonstrated that it was functional, and warned the victims by changing their wallpaper.
Yui Kee's Chief Consultant Allan Dyer commented, "Operations that take control of botnets are often controversial because the 'good guys' are also using the victim's computer without authorisation. There are right and wrong ways of doing this. Click's approach was wrong: it funded the criminals and did not have the support of a court order. Skilled and accountable law enforcement, with public safety in mind and backed by the courts, is the way to go. Notifying the victims via the botnet is a risk; there could be unintended consequences. PCs are not designed for safety-critical tasks, and anyone running a critical system should be keeping malware out, but we know this is not always true - look at Stuxnet. Surely there is an ethical obligation to take the less invasive but more laborious approach first - tracing the IP address? Also, dismantling this botnet is a fleeting victory; I hope the investigators are tracing the developers before they release their next botnet."