FBI Shuts Down Coreflood Botnet, Zombies Transmitting Financial Data

The FBI has shut down the massive Coreflood botnet and is hunting the 13 criminals who stole millions of dollars from victims' bank accounts and credit cards.

U.S. law enforcement authorities won another battle against international cyber-crime as it shut down a botnet that controlled more than 2 million computers around the world and stole millions of dollars from its victims. A civil complaint against the criminals behind the botnet has also been filed.

The Coreflood Trojan infected user computers and transferred banking credentials and other sensitive information to the botnet's command-and-control servers, the United States Department of Justice said April 13. Coreflood infected computers with keyloggers that stole usernames, passwords, financial data and other information, according to the Justice Department. It also had the ability to launch massive denial-of-service attacks.

"The seizure of the Coreflood servers and Internet domain names is expected to prevent criminals from using Coreflood or computers infected by Coreflood for their nefarious purposes," U.S. Attorney David Fein said.

The bot herders used the stolen data to transfer money via fraudulent banking and wire transactions.

Based on the figures provided by the Justice Department, the gang likely made tens of millions of dollars, and it was "not outside the realm of possibility" that they had seized more than $100 million, Dave Marcus, McAfee Labs research and communications director, told eWEEK.

The FBI launched a raid and seized hard drives from five suspected C&C servers scattered across several hosting facilities throughout the country after the U.S. District Court for the District of Connecticut issued a search warrant on April 12. The court also issued a seizure warrant for 29 domain names.

"This is the type of action that needs to happen to make the Internet a safer place," Marcus said.

A civil complaint against 13 unnamed individuals accusing them of "wire fraud, bank fraud and illegal interception of electronic communications" was filed by the U.S. district attorney in the same court. The complaint listed some of the botnet's victims, including a real estate company in Michigan that lost $115,771, a South Carolina law firm that lost $78,421 and a Tennessee defense contractor that lost $241,866.

Microsoft and the U.S. Marshals also collaborated with the investigation against Coreflood, as well as other private industry partners.

"Law enforcement will continue to use innovative and responsible actions in our fight against cyber-criminals," Assistant Attorney General Lanny Breuer of the Criminal Division said.

The court also issued a temporary restraining order that gave the government's programmers the ability to send instructions directly to the infected zombies to stop transmitting data and to shut down, without requiring any permission from the infected computer's owner. This was accomplished by replacing the C&C servers with substitute servers to communicate with the infected machines.

This will prevent "further harm to hundreds of thousands of unsuspecting users of infected computers in the United States," according to the Justice Department.

"These actions to mitigate the threat posed by the Coreflood botnet are the first of their kind in the United States and reflect our commitment to being creative and proactive in making the Internet more secure," said Shawn Henry, executive assistant director of the FBI's criminal, cyber, response and services branch.

The FBI will attempt to notify users whose computers are infected with Coreflood before attempting to deactivate them, and users have the ability to "opt out" of the order if for some reason they want to keep Coreflood running. "At no time will law enforcement authorities access any information that may be stored on an infected computer," according to the department.

The botnet is believed to have been in operation for almost a decade. With about 2 million infected computers under its control, Coreflood was slightly smaller than Rustock, the massive spam-generating botnet the FBI shut down in March.

Microsoft's Digital Crime Unit collaborated in the investigation that led to the FBI's raid and subsequent shutdown of Rustock C&C servers. Microsoft's collaboration with the U.S. Marshals is "more evidence of the value of strategic offensive action," said David LaMacchia, a Cloudmark researcher.

Coreflood gang members are not the only financial cyber-criminals feeling the heat. U.K. police arrested some members affiliated with the SpyEye Trojan on April 11.