US Department of Justice and FBI Foil Botnet Operation

Thursday, April 14, 2011

Jared Carstensen


Following the infection of more than 2 million computers worldwide, most of which were based in the United States, the US Department of Justice, in association with Microsoft, has moved swiftly to file civil complaints and has issued a restraining order and numerous criminal seizure warrants.

The so-called "massive fraud scheme" utilized software called Coreflood, which collected and stored system and application passwords along with other financial information. The use of Coreflood was enabled by a Windows OS vulnerability (surprise surprise), which then allowed the botnet to spread rapidly.

Following the 2 million plus infections, Microsoft issued a software patch, which ironically followed the organization's largest ever "Patch Tuesday" - a little food for thought right there...

The Coreflood botnet was focused solely on organizations and corporations (an example of a precise and targeted attack) and, once a system was "infected", would download emails, financial information and other potentially sensitive and confidential information.

As yet, no organizations have been named (most likely for legal reasons) as those infected with the botnet, and it should prove very interesting to see which organizations were specifically targeted. My guess would be that the US Department of Justice and the FBI would not have become involved, and moved so swiftly, if it had not been in the national interest to do so.

Secureworks (recently acquired by Dell) first discovered the botnet (ahead of all the anti-virus providers and Microsoft), and subsequently released a statement claiming "the scale of the botnet is huge".

Perhaps the statement alone might serve as further proof that Microsoft and the greater community might just have dodged a bullet.

Further information regarding the source of the botnet and its corresponding actions points to a small niche group of cybercriminals based in Russia (surprise surprise!), which has for many years been a haven for internet / cybercrimes against the US.

The inability of the US and other countries to prosecute and pursue these criminals is further complicated by the international relations between the countries, and by the reported "immunity" granted to these criminals if they then assist the Russian government or "act in national interests".

The collection of evidence in instances like these borders on the impossible, with multiple jurisdictions, laws, countries, scale and costs coming into play.

The civil complaint, filed against 13 individuals collectively known as "John Does" (good luck getting a successful prosecution against that!), has also been followed up with warrants for the seizure and suspension of 29 domains and associated servers (a large majority of which, I would say, are hosted with legitimate ISPs on shared hosting platforms alongside numerous other businesses' information).

It is alleged that the information obtained from the Coreflood botnet was used by the cybercriminals to initiate bank transfers, in some cases of hundreds of thousands of dollars. In one instance an attempt was made to transfer more than $934,000 from an unnamed defense contracting company in Tennessee. A law firm in South Carolina and a real estate agent in Michigan were also said to have been hit for sums below $100,000 each.

Taking into account the scale of the botnet and the number of targeted computers successfully infected, my fear is that this is merely the tip of the iceberg. It is most likely that these accounts and the associated account holders (whose information could have been obtained by the botnet) will be monitored for some time by the banks / merchants or other bodies.

No problem for these cybercriminals: the bank account numbers are not going to change, and neither is the vast majority of the information obtained and currently in their possession. It is common knowledge in the cyber-realm that this sort of information can become more valuable over time. The chilling reality is that these criminals are not going anywhere and will gladly wait a few weeks, or months, to retrieve their fairly lucrative prizes.

Finally, a statement made by US authorities says that "Authorities will also collect the Internet protocol addresses of computers infected with the virus. Prosecutors have said they would work with Internet service providers to notify individual customers of the security breach".

If we look just at that statement, does it not emphasize the reactive nature of all parties involved here? The mind simply boggles with questions: Surely this information should be available at present? What sort of measures are in place to collect and manage this information? How is this going to be reported or communicated? 2 million systems could be a pretty large pool of IP addresses, especially considering a number of these might be dynamic.

It is worth noting that this is the first noted instance in which the US Government or a state authority has seized control of a botnet and taken the initiative in proactively "shutting down" the threat and its associated activities. Perhaps an indication of the scale, impact and magnitude it could have had on key organizations and/or US Government bodies?

While I feel a good effort has been made by the parties involved, I do feel a more proactive effort should be made against other or similar instances of malware / botnets / worms / viruses etc. targeting key organizations, corporations and/or US Government systems.

Finally, a statement from the FBI reads: "The FBI believes it eliminated the threat posed by the current version of the malware. The botnet known as Coreflood is dead".

Only time will tell if this is true, and more importantly, how many innocent bystanders Coreflood took with it.

"If you have any suggestions on upcoming articles, please feel free to comment. Be sure to follow both InfosecIsland (@infosecisland) and Jared Carstensen (@jaredcarstensen) on Twitter." 

shawn merdinger: Fwiw, I think there are two very important takeaways from this CoreFlood story.

1. The key people behind the botnet appear to be a group of only 3 or so. The fact that such a small group of people can execute a level of pervasive attack like this, in spite of all of the countermeasures, is daunting.

2. It appears that LEA not only took over the botnet servers, but under a judge's order also made the extraordinary and unprecedented step of sending instructions to infected computers to mitigate the spread. Read this again -- LEA has now established precedent to execute code on infected computers. This is a seminal event that opens up tremendous complicated legal questions (IANAL, but welcome knowledgeable legal commentary here).
Jared Carstensen: @Shawn - well said on both points. Point no. 2 most definitely paves the way for future prevention and intervention by the US Government, which in itself should be very interesting. Who will be monitoring and deciding on these calls? Will there be criteria defined for this? Only time will tell.

Thank you for taking the time to comment and hopefully we will get some input on the legal perspective.