FBI vs. Coreflood Botnet: Round 1 Goes to the Feds

The FBI's unprecedented effort to behead the Coreflood botnet -- comprising millions of hacked Windows machines -- appears to be working, at least for now. The bureau has tracked a dramatic decline in the number of pings from the botnet since the takedown operation began earlier this month, according to court documents filed by the Justice Department on Saturday.

The number of pings from infected U.S. systems plummeted from nearly 800,000 to less than 100,000 in about a week after authorities began sending out “stop” commands to those machines -- a drop of nearly 90 percent. Pings from infected computers outside the U.S. have also dropped about 75 percent, likely as a result of a parallel outreach effort to foreign ISPs.

The government's efforts have “temporarily stopped Coreflood from running on infected computers in the United States," writes the government in its filing, "and have stopped Coreflood from updating itself, thereby enabling anti-virus software vendors to release new virus signatures that can recognize the latest versions of Coreflood."

The Justice Department asked the court to extend authorization (.pdf) for "Operation Adeona" for an additional 30 days, through May 25, so the feds can continue to temporarily disable the malware as it reports in from infected hosts. The court approved the request on Monday.

Interestingly, the new filing also hints that the government may soon formally seek court permission to take the next step, and actually instruct infected computers to permanently uninstall the malware. It would be the first time a government agency automatically removed code from Americans' computers.

“The process has been successfully tested by the FBI on computers infected with Coreflood for testing purposes,” writes FBI Special Agent Briana Neumiller in a declaration to the court (.pdf).

The takedown operation began two weeks ago, when the Justice Department obtained an unprecedented court order allowing the FBI and U.S. Marshals Service to swap out command-and-control servers that were communicating with machines infected with Coreflood -- malicious software used by criminals to loot a victim’s banking accounts -- and replace them with servers controlled by the FBI.

The controversial order also allowed the government to collect the IP addresses of any infected machines that subsequently contacted the FBI-controlled servers and to push out a remote “exit,” or stop, command to them to temporarily disable the Coreflood malware running on the machines.

The temporary order, which expired Monday, allowed the government to seize five computers and 15 internet domain names that were controlling the Coreflood botnet. Companies operating the relevant DNS name servers were ordered by the court to redirect traffic headed for those domains to two domains controlled by U.S. authorities -- NS1.Cyberwatchfloor.com and NS2.Cyberwatchfloor.com. Additionally, authorities in Estonia seized other servers believed to have been previously used to control the Coreflood botnet.

When infected computers pinged, or "beaconed," one of the FBI servers to initiate communication, the server returned a command designed to stop the Coreflood malware from operating on the machine.

The command, however, is only a temporary measure, since the Coreflood software restarts whenever an infected machine is rebooted and then sends another beacon to control servers. Thus, the FBI's intervention software has to resend the stop command each time the malware sends a beacon, until the victim removes Coreflood from his system. The government has assured the court that this causes no harm to computers.

When authorities executed the server swap the evening of April 12, the response was immediate. According to the documents, on April 13, nearly 800,000 beacons came into the decoy servers from infected machines in the U.S. But the next day, the number of beacons had dropped to about 680,000, and steadily declined over the week.

The most drastic decline, however, occurred on April 16, a Saturday, when the number of beacons fell to fewer than 150,000. Although the number jumped to about 210,000 the following Monday -- likely because some users shut down their computers for the weekend then turned them on again on Monday, relaunching the Coreflood malware -- the numbers have continued to decline since that day. On April 22, the last date for which data is available, the number of beacons hovered at around 90,000.

The numbers suggest three scenarios: some people with infected computers have left their systems running and have not rebooted since they received the FBI stop command, thus reducing the number of beacons coming in; other users may have disconnected infected machines from the internet until they can remove the infection; at least some users have successfully deleted the malware from their system.

The latter was made easy by an update that Microsoft made to its free Malicious Software Removal Tool, which removes Coreflood from infected computers. Anti-virus firms have also added signatures to their products to detect the Coreflood malware and help thwart the spread of additional infections.

It should be noted that the number of beacons coming into FBI servers doesn’t directly correlate to the total number of machines infected with Coreflood, since multiple beacons can come from a single infected computer that gets rebooted.
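The caveat above is the one that matters when reading sinkhole data: raw beacon counts overstate the infected population because a rebooted host beacons again. The following is an added example, not the FBI's or ISC's tooling, that runs over constructed sinkhole log lines (the log format and IP addresses are invented for illustration) and separates total beacons from distinct hosts, flags hosts that beaconed more than once in a day, and lists hosts still beaconing on a later day as candidates for ISP notification.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sinkhole log (not real Coreflood data): "<timestamp> <source IP> beacon"
SAMPLE_LOG = """\
2011-04-13T08:01:10Z 198.51.100.7 beacon
2011-04-13T08:02:44Z 198.51.100.7 beacon
2011-04-13T09:15:02Z 203.0.113.21 beacon
2011-04-13T11:40:19Z 198.51.100.7 beacon
2011-04-14T07:59:33Z 203.0.113.21 beacon
2011-04-14T08:00:05Z 198.51.100.9 beacon
2011-04-14T08:10:00Z 198.51.100.9 beacon
"""

LINE_RE = re.compile(r"^(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+beacon$")


def parse_beacons(text):
    """Yield (ISO date, source IP) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        yield ts.date().isoformat(), m.group(2)


def daily_summary(text):
    """Per day: raw beacon count, distinct beaconing hosts (the two numbers the
    article warns are not the same), and hosts that beaconed more than once,
    i.e. machines that were most likely rebooted and relaunched the malware."""
    per_day = defaultdict(lambda: defaultdict(int))
    for day, ip in parse_beacons(text):
        per_day[day][ip] += 1
    summary = {}
    for day, per_ip in sorted(per_day.items()):
        summary[day] = {
            "beacons": sum(per_ip.values()),
            "hosts": len(per_ip),
            "repeat_hosts": sorted(ip for ip, n in per_ip.items() if n > 1),
        }
    return summary


def hosts_still_beaconing(text, first_day, last_day):
    """Hosts seen on first_day that still beacon on last_day: the stop command
    did not stick across reboots, so these are the ones to notify via the ISP."""
    seen = defaultdict(set)
    for day, ip in parse_beacons(text):
        seen[day].add(ip)
    return sorted(seen[first_day] & seen[last_day])
```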

In addition to sending a stop command to infected computers, the FBI collected the IP addresses of every machine that contacted its servers, dividing them into U.S. based addresses and foreign ones. From the U.S.-based addresses, they were able to track infected computers to two defense contractors, three airports, five financial institutions, 17 state and local government agencies, 20 hospital and health care entities, about 30 colleges and universities and hundreds of other businesses.

In one case, after the FBI notified a hospital that it was infected, the staff there found Coreflood on 2,000 of its 14,000 computers, according to court documents.

The FBI has passed infected IP addresses outside the U.S. to relevant foreign law enforcement agencies to contact users, and has been working with ISPs in the U.S. to notify infected users here and to explain the nature of the "stop" command the agency sent to infected computers.

“At no point will the FBI or ISC exercise control over any infected computers, or obtain any data from any infected computers,” reads a memo given to users.

Should users want Coreflood to continue running on their machines for some reason, they can “opt out” from receiving the FBI stop command. The instructions for opting out, however, are buried in a 2010 Microsoft document titled “Microsoft TCP/IP Host Name Resolution Order” that most users are likely to find beyond comprehension.

Users are also given a separate form to authorize authorities to delete Coreflood from their computers if they choose. As FBI Agent Neumiller suggests in her declaration to the court, this could be accomplished with a remote command similar to the stop command.

“Removing Coreflood in this manner could be used to delete Coreflood from infected computers and to ‘undo’ certain changes made by Coreflood to the Windows operating system when Coreflood was first installed,” she writes. “The process does not affect any user files on an infected computer, nor does it require physical access to the infected computer or access to any data on the infected computer.”

“While the ‘uninstall’ command has been tested by the FBI and appears to work, it is nevertheless possible that the execution of the ‘uninstall’ command may produce unanticipated consequences, including damage to the infected computers.”

At the beginning of 2010, Coreflood encompassed more than 2 million infected machines worldwide, the majority of them in the U.S. Coreflood is malicious software used by its controllers to steal online banking credentials from a victim’s computer to loot their financial accounts. In one case, the criminals managed to initiate more than $900,000 in fraudulent wire transfers from the bank account of a defense contractor in Tennessee before they were discovered. An investment company in North Carolina lost more than $150,000 in fraudulent wire transfers.

Homepage photo: Aleksandar Cocek/Flickr