Coordinated Law Enforcement Action Leads to Massive Reduction in Size of International Botnet

April 27, 2011

A preliminary injunction (PDF) has been entered against the operators of the Coreflood botnet, a network of hundreds of thousands of computers infected with a malicious software program, continuing the equitable relief granted on April 12, 2011, in a temporary restraining order issued by the U.S. District Court for the District of Connecticut. This preliminary injunction prohibits the defendants from using Coreflood to commit fraud and to engage in unauthorized interception of electronic communications, and it authorizes the U.S. Marshals Service and FBI to enforce the injunction by using a substitute server to stop Coreflood from running on infected computers.

In support of the preliminary injunction, the Department of Justice filed papers showing that the coordinated law enforcement operation has reduced the size of the Coreflood botnet by nearly 90 percent in the United States.

[Figure: Operation ADEONA graph of beacons from infected U.S. computers]

According to the documents filed with the court (read the Preliminary Injunction (PDF) or the Memo in Support (PDF)), the reduction in the size of the Coreflood botnet was attributed to two factors. First, because Coreflood was no longer running, it could no longer update itself to evade detection by anti-virus software. Second, the FBI, with the assistance of Internet service providers, has made significant efforts to identify and notify the victims of Coreflood, who in turn have taken measures to remove Coreflood from thousands of infected computers.

The recently identified victims of Coreflood have included approximately 17 state or local government agencies, including one police department; three airports; two defense contractors; five banks or financial institutions; approximately 30 colleges or universities; approximately 20 hospital or health care companies; and hundreds of businesses.  According to one of the victims, a hospital health-care network, approximately 2,000 of its 14,000 computers were infected with Coreflood.  Because of the restraining order granted by the district court, which prevented Coreflood from running, the hospital was able to focus on investigating and repairing the damage caused by Coreflood instead of trying to prevent the further loss of data on an emergency basis.

The department continues to strongly encourage computer users to ensure they are running security software on their computers, to keep that software regularly updated, and to routinely scan their computers for viruses. To learn more about what you can do to protect your computer, including how to download and receive updates on security vulnerabilities, the public may go to the following sites operated by the U.S. Computer Emergency Readiness Team (US-CERT) and the Federal Trade Commission.

People with information concerning Coreflood and those responsible for its malicious use can contact their local FBI field office: www.fbi.gov.