It took ten
years, but the U.S. finally has killed [press
release and court documents] a notorious botnet spread by an ever-evolving
virus known as "Coreflood". The botnet had been active since
2001, slowly building up an arsenal of 2 million computers worldwide, with the
help of helper malware. It is responsible for stealing an estimated $100M
USD worldwide from businesses and individuals.
A botnet is a group of infected
machines that can be coordinated to steal information from the users
of the machines. They can also be controlled to send malicious files,
spam, phishing emails, or other unsavory contents.
The creators of Coreflood took special care in honing their attack package.
What began as a trojan received over 100 updates, eventually gaining
viral characteristics and the ability to steal passwords and credit card
The creators of the botnet used it as a vehicle to harvest information
pertaining to bank accounts. Using that information they initiated
thousands of fraudulent banking and wire transactions.
A complaint filed in the U.S. District Court for the District of
Connecticut reveals details of some of the losses -- a real estate company
in Michigan lost $115,771 USD, a South Carolina law firm lost $78,421 USD, and
a Tennessee defense contractor lost $241,866 USD.
It is believed that the botnet was run by at least 13 individuals operating out
of Russia. States Alan Paller, director of research at the SAN
Institute, an anti-cybercrime nonprofit group, in an interview Reuters, "We're
pretty sure a Russian crime group was behind it."
The feds long battle with Coreflood and the cybercriminals finally turned when
agents seized servers that were spreading the botnet. Describes the feds,
"The seizure of the Coreflood servers and Internet domain names is
expected to prevent criminals from using Coreflood or computers infected by
Coreflood for their nefarious purposes."
The final straw against Coreflood occurred this month when agents completed the
reverse engineering of the virus and instructed the infected machines to stop
sending stolen data and shut down.
The feds' ability to kill Coreflood was the result of lessons learned in past
incidents. In March, following a suit by Microsoft Corp. (MSFT), federal agents raided a
hosting service, seizing servers that were spreading the Rustock spammer
botnet. Without its backbone, Rustock essentially died, taking
approximately half of U.S. spam with it.
According to court documents the decision to reverse engineer the virus and
shut down the infected machines was inspired a technique used by Dutch police
in a separate case. It was the first time such a technique had been
employed in the U.S.
Mr. Paller applauds the U.S. Department of Justice (DOJ)
and U.S. Federal Bureau of
Investigations (FBI) efforts, stating, "This was big money stolen
on a large scale by foreign criminals. The FBI wanted to stop it and they did
an incredibly good job at it."
The Connecticut court's civil complaint was filed by the U.S. DOJ against the
13 foreign individuals believed to be running the botnet. A criminal
investigation is ongoing, and charges may follow.
Unfortunately the cybercriminals who masterminded the scheme appear to be
outside U.S. jurisdiction -- likely in Russia. Given the Russian government's
questionable resolve on cybersecurity, it's possible that those
involved will get away with the lot.