Now that the Federal Bureau of Investigation has successfully disarmed the Coreflood botnet temporarily, the next step is to get the malware off infected machines.
The number of “beacons,” or requests from Coreflood zombies to the C&C (command and control) servers have declined by over 90 percent in the week since the FBI raided and seized five C&C servers and 29 domains used to control the Coreflood botnet, according to court documents filed April 22. The requests have dropped from about 800,000 on April 13, two days before the raid, to less than 100,000 on April 22, according to court papers.
Beacons are not the same as the number of infected computers because the zombie connects to the server every time it reboots, and it’s very possible that a computer can be restarted several times a day. While the actual number of infected computers is unknown, the Coreflood botnet is estimated to have infected somewhere between hundreds of thousands to 2 million PCs over the past decade.
As part of the raid, the United States District Court of Connecticut also issued a temporary restraining order that allowed the Department of Justice to substitute the seized rogue servers with FBI-controlled systems. The new servers acted as C&C servers for the existing zombie army, pushing out a “kill signal” to terminate the malware running on the infected machines.
While the kill signal stopped Coreflood from running, it was only a temporary fix, as every time the infected machine was rebooted, it had to receive fresh instructions to “stop” the malicious process. It was critical that the malware be removed from the machine altogether.
The FBI-controlled servers prevented the malware from updating itself, giving security vendors the time to release fixes and update malicious software removal tools. They “are no longer faced with a moving target and have been able to release virus signatures capable of detecting the latest versions of Coreflood,” the court papers said.
Microsoft released an out-of-band update for its Windows Malicious Software Removal Tool on April 28 to remove Coreflood from infected machines. Cyber-criminals released new Coreflood variants approximately around when Microsoft updated the tool as part of the April Patch Tuesday. The latest update will allow Microsoft to remove Coreflood and several other malware families permanently.
Other vendors are expected to issue their own updates to their security scanners and malware removal tools so that users can remove the infection on their own.
The original court order gave the FBI two weeks to temporarily deactivate the zombies and notify affected users as vendors pushed out removal tools. The FBI is working with Internet service providers to track down users based on the IP addresses. The government asked for an additional 30 days, now due to expire May 25, to complete “Operation Adeona” by deactivating the malware and to notify affected users that their systems had been compromised.
The FBI was also collecting explicit permission from the victims to remotely remove the malware permanently.
“Removing Coreflood in this manner could be used to delete Coreflood from infected computers and to -undo’ certain changes made by Coreflood to the Windows operating system when Coreflood was first installed,” wrote FBI Special Agent Briana Neumiller in the court filing.
“There is an ongoing need to prevent a continuing and substantial injury to the owners and users of computers still infected by Coreflood,” the filing said.
Removing the malware is important because new variants of Coreflood are already appearing, pushed out by servers not under FBI control. These new variants will be able to evade detection and there is a chance they will recapture the now-dormant machines, the FBI warned the court.
The Department of Justice will need another court order to get permission to actually remove the malware permanently from user computers.
The government stepping into remotely execute programs on to user computers is unprecedented in the United States, and privacy watchdog Electronic Frontier Foundation raised some objections. “Its other people’s computers, and you don’t know what’s going to happen for sure. You might blow up some important machine,” said Chris Palmer, technology director for the Electronic Frontier Foundation.
There are multiple Coreflood variants, and there is a potential risk with trying to use a bot against itself. “What if the crooks have deliberately rewired the “stop” command to carry out a “format hard drive” operation instead?” Paul Ducklin, head of technology for the Asia-Pacific region at Sophos, wrote on the Naked Security blog.