Coreflood Botnet Takedown & Civil Action

by David B. Fein
U.S. Attorney for the District of Connecticut


Infected by malicious software, millions of computers in the United States are part of "botnets" used by criminal organizations to commit fraud and other crimes on a massive scale. In April 2011, federal law enforcement authorities in Connecticut seized the Coreflood botnet and worked closely with anti-virus vendors and Internet service providers to remove Coreflood from hundreds of thousands of infected computers. The operation, the first of its kind by United States law enforcement authorities, successfully removed Coreflood from over 95% of the infected computers.

Like most botnets, Coreflood was controlled from a few command-and-control servers ("C&C servers"). Perpetrators used the C&C servers to issue commands to, and receive stolen data from, the infected computers. The stolen data consisted primarily of Internet browsing traffic of unsuspecting users, including online banking credentials. The perpetrators used the stolen credentials to wire hundreds of thousands of dollars from victims, most of which were small- to medium-sized businesses and similar entities.

The seizure of the Coreflood botnet was accomplished by seizing the C&C servers, which were located in the United States and Estonia, and by seizing the Internet domain names used for communications between the C&C servers and the infected computers. Those seizures alone would have left Coreflood running on infected computers, continuing to steal data and rendering those computers vulnerable to further criminal activity.

To remove Coreflood from the hundreds of thousands of infected computers, the United States Attorney's Office obtained a temporary restraining order and injunction against fraud, under 18 U.S.C. § 1345, allowing the government to operate a substitute command-and-control server. The substitute server issued commands directing the Coreflood software on infected computers to "exit," i.e., stop running, thus preventing Coreflood from stealing additional data and blocking Coreflood from updating itself. At the same time, the FBI worked with Internet service providers across the country to identify and notify the owners of the infected computers. The FBI also coordinated with Microsoft and other software vendors, in order to make available updated anti-virus tools for removing Coreflood.

Finally, in an effort that demonstrated that more aggressive remediation techniques might safely be used in future cases, the FBI obtained written consent from numerous victims to uninstall Coreflood using the substitute server. Specifically, as to those victims, the FBI configured the substitute server to issue "uninstall" instructions to the Coreflood software on their infected computers. Throughout the two-month operation, the FBI's use of a substitute server to issue "exit" and "uninstall" commands to hundreds of thousands of infected computers caused no adverse consequences. In fact, Coreflood was removed successfully from over 95% of the infected computers.
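The substitute server described above, as an added example that is not the FBI's tooling and does not reproduce Coreflood's actual command protocol: a sinkhole dispatcher that answers every beacon with "exit", answers "uninstall" only from address ranges with written consent on file, refuses to do anything else with what the bot sends, and keeps the audit log needed to hand infected addresses to the right ISP for owner notification. The beacon fields, the ISP address allocations, and the consent ranges are assumptions for the example, and the sample beacons are constructed from RFC 5737 documentation addresses.

```python
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Beacon:
    """One check-in from an infected host.

    The fields are assumed for this example; they are not Coreflood's
    real wire format.
    """
    source_ip: str
    bot_id: str
    received_at: datetime


class SubstituteC2:
    """Substitute C&C that only ever answers with a remediation command."""

    def __init__(self, isp_allocations: dict[str, str]) -> None:
        # Assumed ISP address allocations, used to route owner notifications.
        self.isp_allocations = {
            ip_network(cidr): isp for cidr, isp in isp_allocations.items()
        }
        self.consent_networks: list = []
        self.audit_log: list[dict] = []
        self._seen: set[str] = set()
        # Same bot checking in again after it was already answered; it is
        # simply answered again rather than escalated.
        self.reissued = 0

    def add_consent(self, cidr: str) -> None:
        """Record written consent from the owner of an address range."""
        self.consent_networks.append(ip_network(cidr, strict=False))

    def has_consent(self, source_ip: str) -> bool:
        addr = ip_address(source_ip)
        return any(addr in net for net in self.consent_networks)

    def isp_for(self, source_ip: str) -> str:
        addr = ip_address(source_ip)
        for net, isp in self.isp_allocations.items():
            if addr in net:
                return isp
        return "unknown"

    def respond(self, beacon: Beacon) -> dict:
        """Decide what to send back and record the decision for audit.

        Whatever data the bot included in its beacon is never stored or
        forwarded: only the address, bot id, time and command are logged.
        """
        if beacon.bot_id in self._seen:
            self.reissued += 1
        self._seen.add(beacon.bot_id)
        # Conservative default is "exit"; "uninstall" only with consent on file.
        command = "uninstall" if self.has_consent(beacon.source_ip) else "exit"
        self.audit_log.append({
            "received_at": beacon.received_at.isoformat(),
            "bot_id": beacon.bot_id,
            "source_ip": beacon.source_ip,
            "isp": self.isp_for(beacon.source_ip),
            "command": command,
        })
        return {"cmd": command}

    def notification_report(self) -> dict[str, list[str]]:
        """Infected addresses grouped by ISP, for owner notification."""
        report: dict[str, set[str]] = {}
        for entry in self.audit_log:
            report.setdefault(entry["isp"], set()).add(entry["source_ip"])
        return {isp: sorted(ips) for isp, ips in sorted(report.items())}

    def summary(self) -> dict[str, int]:
        commands = Counter(e["command"] for e in self.audit_log)
        return {
            "distinct_bots": len(self._seen),
            "exit_commands": commands["exit"],
            "uninstall_commands": commands["uninstall"],
            "reissued": self.reissued,
        }


def run_demo() -> tuple[SubstituteC2, list[dict]]:
    """Feed constructed sample beacons through the substitute server."""
    c2 = SubstituteC2({
        "203.0.113.0/24": "ISP-A",   # constructed allocations (TEST-NET ranges)
        "198.51.100.0/24": "ISP-B",
    })
    c2.add_consent("198.51.100.0/28")  # one consenting business, assumed
    t0 = datetime(2011, 4, 13, 12, 0, tzinfo=timezone.utc)  # constructed time
    beacons = [
        Beacon("203.0.113.7", "bot-0001", t0),
        Beacon("203.0.113.9", "bot-0002", t0),
        Beacon("198.51.100.5", "bot-0003", t0),     # inside the consent range
        Beacon("198.51.100.200", "bot-0004", t0),   # same ISP, no consent
        Beacon("203.0.113.7", "bot-0001", t0),      # bot-0001 checks in again
        Beacon("192.0.2.77", "bot-0005", t0),       # no ISP mapping on file
    ]
    replies = [c2.respond(b) for b in beacons]
    return c2, replies


if __name__ == "__main__":
    server, answers = run_demo()
    print(answers)
    print(server.summary())
    print(server.notification_report())
```

The point of the split is the one the text makes: "exit" is safe to send to every bot because it only stops the running process, while "uninstall" changes the victim's machine and is therefore gated on a consent list rather than sent by default. The audit log doubles as the hand-off to ISPs, which is the only way the owner of a residential or small-business address can be identified.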

The operation demonstrated that United States law enforcement authorities, in concert with our partners in the private sector, have the ability to respond effectively to the novel and sophisticated tools being used for cybercrime today.