FBI Claims Victory in Neutralizing Coreflood, But Needs Time for Total Fix

In the week since the Federal Bureau of Investigation seized five command-and-control servers controlling the Coreflood botnet, zombie activity has plunged nearly 90 percent.

The Federal Bureau of Investigation has had some success in dismantling the massive Coreflood botnet and in recent court documents it asked a federal court to allow more time to try to permanently neutralize the botnet.

The number of "beacons," or requests from Coreflood zombies to the C&C (command and control) servers, dropped from about 800,000 on April 13 to less than 100,000 on April 22, the United States Attorney's Office said in new court documents filed April 23. The government asked the United States District Court of Connecticut for a 30-day extension to the previous court order that gave FBI programmers the authority to cripple the botnet.

Beacons are not the same as the number of infected computers because a computer can be restarted several times a day, and each time it starts up, it would send a fresh request to the botnet servers. While the actual number of infected computers is unknown, the Coreflood botnet is estimated to have infected between hundreds of thousands to two million PCs.

The FBI raided and seized five C&C servers and 29 domains used to control the Coreflood botnet on April 15, the Department of Justice announced. A judge at the Connecticut district court granted the FBI the authority to set up two substitute servers programmed to push out new "kill" instructions to infected zombies to terminate the malware running on those machines. However, it was a temporary fix, as every time the zombie machines are rebooted, they have to receive fresh instructions to kill the malicious process.

The seizure has "temporarily stopped Coreflood from running on infected computers in the U.S., preventing further loss of privacy and damages to the financial security of owners and users of the infected computers," according to the court documents posted by Wired's Threat Level blog.

Substituting the rogue servers with FBI-controlled servers also prevented the malware from updating itself, allowing security vendors to release fixes and removal tools. They "are no longer faced with a moving target and have been able to release virus signatures capable of detecting the latest versions of Coreflood," the court papers said.

The government says it needs until May 25 to continue "Operation Adeona," which is a campaign to notify computer owners that their machines had been compromised by the botnet and to obtain permission to remotely remove the Coreflood malware permanently. The extra time will also give vendors time to update their security products to detect the latest versions of Coreflood.

"The government believes that the equitable relief provided in the [temporary restraining order] has proven effective, but that there is an ongoing need to prevent a continuing and substantial injury to the owners and users of computers still infected by Coreflood," the filing said to justify the extension.

Victims identified so far included 17 state or local government agencies, three airports, two defense contractors, five financial institutions, 30 colleges or universities, 20 health care organizations and hundreds of businesses. In one case, after the FBI notified a hospital about the botnet infection, administrators found Coreflood on 2,000 of its 14,000 computers.

There are also fewer beacons from computers outside the U.S. hitting the five C&C servers, but the FBI is not sending the "kill signal" to those machines. Foreign ISPs have been pushing out their own signals to those systems parallel to the FBI effort. Officials in Estonia have also seized additional C&C servers believed to be predecessors to the botnet.