While the Federal Bureau of Investigation has seized control the Coreflood botnet, it is now working with Microsoft to try to permanently remove malware from thousands of infected zombie machines to prevent Coreflood from springing back to life.
Now that the Federal Bureau
of Investigation has successfully disarmed the Coreflood botnet temporarily,
the next step is to get the malware off infected machines.
The number of "beacons," or requests
from Coreflood zombies
to the C&C (command and control) servers have
declined by over 90 percent in the week since the FBI raided and seized five
C&C servers and 29 domains used to control the Coreflood
, according to court documents filed April 22. The requests have
dropped from about 800,000 on April 13, two days before the raid, to less than
100,000 on April 22, according to court papers.
Beacons are not the same as
the number of infected computers because the zombie connects to the server
every time it reboots, and it's very possible that a computer can be restarted
several times a day. While the actual number of infected computers is unknown,
the Coreflood botnet is estimated to have infected somewhere between hundreds
of thousands to 2 million PCs over the past decade.
As part of the raid, the
United States District Court of Connecticut also issued a temporary restraining
order that allowed the Department of Justice to substitute the seized rogue
servers with FBI-controlled systems. The new servers acted as C&C servers for
the existing zombie army, pushing out a "kill signal" to terminate the malware
running on the infected machines.
While the kill signal
stopped Coreflood from running, it was only a temporary fix, as every time the
infected machine was rebooted, it had to receive fresh instructions to "stop"
the malicious process. It was critical that the malware be removed from the
The FBI-controlled servers
prevented the malware from updating itself, giving security vendors the time to
release fixes and update malicious software removal tools. They "are no
longer faced with a moving target and have been able to release virus
signatures capable of detecting the latest versions of Coreflood," the
court papers said.
Microsoft released an
out-of-band update for its Windows Malicious Software Removal Tool on April 28
to remove Coreflood from infected machines. Cyber-criminals released new
Coreflood variants approximately around when Microsoft updated the tool as part
of the April Patch Tuesday. The latest update will allow Microsoft to remove
Coreflood and several other malware families permanently.
Other vendors are expected
to issue their own updates to their security scanners and malware removal tools
so that users can remove the infection on their own.
The original court order
gave the FBI two weeks to temporarily deactivate the zombies and notify
affected users as vendors pushed out removal tools. The FBI is working with Internet
service providers to track down users based on the IP addresses. The government
asked for an additional 30 days, now due to expire May 25, to complete
"Operation Adeona" by deactivating the malware and to notify affected users
that their systems had been compromised.
The FBI was also collecting
explicit permission from the victims to remotely remove the malware
"Removing Coreflood in this
manner could be used to delete Coreflood from infected computers and to -undo'
certain changes made by Coreflood to the Windows operating system when
Coreflood was first installed," wrote FBI Special Agent Briana Neumiller in the
"There is an ongoing
need to prevent a continuing and substantial injury to the owners and users of
computers still infected by Coreflood," the filing said.
Removing the malware is
important because new variants of Coreflood are already appearing, pushed out
by servers not under FBI control. These new variants will be able to evade
detection and there is a chance they will recapture the now-dormant machines,
the FBI warned the court.
The Department of Justice
will need another court order to get permission to actually remove the malware
permanently from user computers.
The government stepping into
remotely execute programs on to user computers is unprecedented in the United
States, and privacy watchdog Electronic Frontier Foundation raised some
objections. "Its other people's computers, and you don't know what's going to
happen for sure. You might blow up some important machine," said Chris Palmer,
technology director for the Electronic Frontier Foundation.
There are multiple Coreflood
variants, and there is a potential risk with trying to use a bot against
itself. "What if the crooks have deliberately rewired the "stop"
command to carry out a "format hard drive" operation instead?" Paul
Ducklin, head of technology for the Asia-Pacific region at Sophos, wrote on the