DOJ Shuts Down Botnet, Disables Infected Systems

The U.S. Department of Justice and the FBI said on Wednesday that they had taken actions to disable an international botnet of more than two million infected computers that was stealing corporate data including user names, passwords and financial information.


Thirteen unnamed “John Doe” defendants were charged in a civil complaint filed by the U.S. Attorney’s Office for the District of Connecticut, and 29 domain names connected to the Coreflood malware were seized in the raid, according to a statement from the U.S. Attorney for the District of Connecticut.

The botnet, which has been linked to a malicious program dubbed “Coreflood,” is believed to have been operated out of Russia and to have been active for close to a decade. In a twist, the Department of Justice said it had received a temporary restraining order (TRO) allowing it to disable the malware on machines that attempt to communicate with the command and control servers.

The crackdown would be one of the largest actions taken by U.S. law enforcement against an international botnet. In the last year, there have been a number of similar botnet takedowns, though many have been led by private sector firms, notably Microsoft and FireEye, in conjunction with law enforcement and Internet service providers in the U.S. and elsewhere. This is the first known instance where authorities have taken the extra step of disabling the malware on infected hosts.

According to the U.S. Attorney, five botnet C&C servers were seized, as were 29 domain names used by the Coreflood botnet to communicate with the C&C servers. The government then replaced the illegal C&C servers with “substitute servers to prevent Coreflood from causing further injury to the owners and users of infected computers and other third parties.” That involved issuing a command that “temporarily stops the malware from running on the infected computer.” Though the authorities did not disinfect the machines, the hope is that victims will update their antivirus software and that security software providers will develop tools for removing the Coreflood malware from infected hosts.

The DOJ and FBI will work with Internet service providers to notify victims whose machines have been compromised with the Coreflood malware. Owners will be told how to “opt out” and keep Coreflood running if they so desire.
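The two paragraphs above describe the mechanics of the takedown: seized C&C domains pointed at substitute servers, and ISPs identifying victims by which of their customers' machines keep trying to reach those domains. As an added example (not code from the article, the DOJ or ISC), the Python below scans constructed BIND-style resolver query logs for lookups of seized domains and builds the per-client victim list an ISP would use for notification. The domain names are placeholders, since the article does not list the real Coreflood domains, and the log lines are constructed sample data.

```python
import re
from collections import defaultdict
from datetime import datetime

# Placeholder list: the real seized Coreflood domains are not named in the article.
SINKHOLED_DOMAINS = {"c2-placeholder-1.example", "c2-placeholder-2.example"}

# Constructed resolver log lines in a BIND-style query-log format (sample data, not real traffic).
SAMPLE_LOG = """\
13-Apr-2011 08:01:12.101 client 198.51.100.23#51234: query: c2-placeholder-1.example IN A +
13-Apr-2011 08:01:13.555 client 198.51.100.23#51235: query: www.example.org IN A +
13-Apr-2011 08:02:40.017 client 203.0.113.9#40001: query: mail.c2-placeholder-2.example IN A +
13-Apr-2011 09:15:02.300 client 198.51.100.23#51240: query: c2-placeholder-2.example IN A +
13-Apr-2011 09:20:00.000 client 192.0.2.77#33333: query: cdn.example.net IN A +
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ client (?P<ip>[\d.]+)#\d+: "
    r"query: (?P<name>\S+) IN (?P<type>\S+)"
)


def is_sinkholed(name, seized=SINKHOLED_DOMAINS):
    """True if name is a seized domain or any subdomain of one (case-insensitive)."""
    labels = name.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in seized for i in range(len(labels)))


def find_victims(log_text, seized=SINKHOLED_DOMAINS):
    """Aggregate lookups of seized domains per client: hit count, first/last seen, names queried."""
    victims = defaultdict(lambda: {"count": 0, "first": None, "last": None, "names": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not is_sinkholed(m["name"], seized):
            continue  # unparseable or benign lines are skipped, not fatal
        ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S")
        v = victims[m["ip"]]
        v["count"] += 1
        v["first"] = ts if v["first"] is None else min(v["first"], ts)
        v["last"] = ts if v["last"] is None else max(v["last"], ts)
        v["names"].add(m["name"].lower())
    return dict(victims)


if __name__ == "__main__":
    for ip, info in sorted(find_victims(SAMPLE_LOG).items()):
        print(ip, info["count"], info["first"], info["last"], sorted(info["names"]))
```

Clients that query the seized names after the substitute servers go live are the candidates for ISP notification; matching on subdomains matters because malware often prefixes a host label to its C&C domain.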

The DOJ action mirrors that of Dutch authorities in the crackdown on the Bredolab botnet in October. In that incident, the country’s High Tech Crime Team worked with the Dutch CERT and local ISPs to disable the botnet’s command and control servers. Infected computers were then redirected to a page that offered instructions for removing the Trojan.

The takedown involved a wide range of players from the private sector and law enforcement. They include the FBI’s New Haven Division, the U.S. Marshals Service, Microsoft, the Internet Systems Consortium (ISC) and other private industry partners. 

The DOJ encouraged computer users to make sure they are running security and antivirus software and to keep it up to date.


Discussion

  • Anonymous on

    I'm curious if this has anything to do with Anonymous.

  • Anonymous on

    Funny you should say that, Anonymous (not verified)

  • Anonymous on

    Funny you should say that about Anonymous, Anonymous

  • Anonymous on

    It does say anonymous. It’s sad that the bot can’t be stopped by antivirus and firewalls. It’s sad that they say they can, but have no choice but to trust the people up there. In my experiences, security was involved and they had no intentions of removing the worm; they were only finding ways to make it more undetectable. I dealt with psychological attacks and replacements that satisfy curiosity so it can continue. I know when it is gone. It shows signs of constantly changing. It changes when you see port 445 being used, and it gets worse when I download updates. It works above boot and can’t be rid of by fixing the operating system. It is above boot. It seems to be a frequency that comes down from satellite or towers and breaks in through battery problems.
