FBI Begins Disinfecting Coreflood from User PCs

eWEEK content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More.

The Federal Bureau of Investigation has finally moved ahead with the next step in its fight against the Coreflood botnet: disinfecting compromised machines.

When federal law agents seized servers belonging to the Coreflood botnet in April, they obtained legal permission from the United States District Court of Connecticut to replace them with servers under their own control that pushed out instructions to temporarily disable the malware on the zombie army. The Justice Department also obtained permission to be able to contact individual computer owners to get permission to remove the malware permanently.

That cleanup has begun as the FBI’s programmers has issued some 19,000 uninstall commands to the computers belonging to 24 individuals, Brian Krebs reported on his Krebs on Security blog. The commands effectively purge the systems of the malware and is supposed to have no other impact on the machines.

“FBI has directly notified hundreds of identifiable victims, and that it has provided information to approximately 25 of the largest Internet service providers in the United States, enabling them to notify their infected customers,” Krebs wrote.

FBI Special Agent Kenneth Keller claimed in court documents that the FBI has notified hundreds of additional victims and their internet service providers that the machines were infected. The FBI obtained written consent from each victim before pushing out the uninstall code.

Keller said it will be very difficult to notify and obtain consent from all infected users. However, the dramatic 95 percent decline in the size of the Coreflood botnet is the result of the FBI’s notification efforts.

The FBI also seized control over the 29 domain names that controlled the day-to-day operations of the command and control servers, which allowed it to redirect the zombies to federal servers.

The raid took down servers only in the United States, so Coreflood remains active globally.