In the week since the Federal Bureau of Investigation seized five command-and-control servers controlling the Coreflood botnet, zombie activity has plunged nearly 90 percent.
The Federal Bureau of
Investigation has had some success in dismantling the massive Coreflood botnet
and in recent court documents it asked a federal court to allow more time to
try to permanently neutralize the botnet.
The number of "beacons," or
requests from Coreflood zombies to the C&C (command and control) servers,
dropped from about 800,000 on April 13 to less than 100,000 on April 22, the United
States Attorney's Office
said in new court documents filed April 23. The
government asked the United States District Court of Connecticut for a 30-day
extension to the previous court order that gave FBI programmers the authority
to cripple the botnet.
Beacons are not the same as
the number of infected computers because a computer can be restarted several
times a day, and each time it starts up, it would send a fresh request to the
botnet servers. While the actual number of infected computers is unknown, the
Coreflood botnet is estimated to have infected between hundreds of thousands to
two million PCs.
The FBI raided and seized
five C&C servers and 29 domains used to control the Coreflood
on April 15, the Department of Justice announced. A judge at the
Connecticut district court granted the FBI the authority to set up two
substitute servers programmed to push out new "kill" instructions to infected
zombies to terminate the malware running on those machines. However, it was a
temporary fix, as every time the zombie machines are rebooted, they have to
receive fresh instructions to kill the malicious process.
The seizure has "temporarily
stopped Coreflood from running on infected computers in the U.S., preventing
further loss of privacy and damages to the financial security of owners and
users of the infected computers," according to the court documents posted by
Substituting the rogue
servers with FBI-controlled servers also prevented the malware from updating
itself, allowing security
vendors to release fixes
and removal tools. They "are no longer faced
with a moving target and have been able to release virus signatures capable of
detecting the latest versions of Coreflood," the court papers said.
The government says it needs
until May 25 to continue "Operation Adeona," which is a campaign to notify
computer owners that their machines had been compromised by the botnet and to
obtain permission to remotely remove the Coreflood malware permanently. The
extra time will also give vendors time to update their security products to detect
the latest versions of Coreflood.
believes that the equitable relief provided in the [temporary restraining
order] has proven effective, but that there is an ongoing need to prevent a
continuing and substantial injury to the owners and users of computers still
infected by Coreflood," the filing said to justify the extension.
Victims identified so far
included 17 state or local government agencies, three airports, two defense
contractors, five financial institutions, 30 colleges or universities, 20
health care organizations and hundreds of businesses. In one case, after the
FBI notified a hospital about the botnet infection, administrators found
Coreflood on 2,000 of its 14,000 computers.
There are also fewer beacons
from computers outside the U.S. hitting the five C&C servers, but the FBI
is not sending the "kill signal" to those machines. Foreign ISPs have been
pushing out their own signals to those systems parallel to the FBI effort.
Officials in Estonia have also seized additional C&C servers believed to be
predecessors to the botnet.