FBI details difficulties defanging Coreflood botnet

IP lists en route to foreign authorities.

The US Justice Department has requested the FBI have a further month, until May 25, to continue defanging the Coreflood botnet under Operation Adeona.

Details in the request highlighted the difficult position the FBI faces after swapping out Coreflood's command and control servers with its own earlier this month.

Despite having the technical capability to remotely uninstall Coreflood malware from infected computers, it appears unable to do this for the bulk of victims in part because it cannot directly go to them to seek consent to do so.

In a supporting declaration [pdf] obtained by Wired, FBI special agent Briana Neumiller said that she was certain "the Coreflood software could be used to uninstall itself, if appropriate instructions were issued from a command and control server."

She claimed that FBI testing showed it could restore a Windows operating system to its pre-infected state without affecting any user files on it.

If the FBI requests authority to do this, it would be the first time any US agency has removed malware remotely from the computers of an infected home users, Wired noted in its report.

For now the FBI is limited to do this with organisations or "identifiable victims" with publicly available IP addresses.

The FBI had already issued "request and authorisation to delete" forms to dozens of government agencies, three airports, two defence contractors, five banks, and hundreds of businesses.

The more complicated task of removing Coreflood from home user machines relies on ISPs notifying infected users, antivirus vendors updating signatures and consumers removing the malware.

The FBI had already asked some ISPs to forward a "Notice of Infected Computer" to hundreds of thousands of customers in the US. Notifications were based on a list of IP addresses associated with infection, which was further complicated by the common practice of ISPs allocating dynamic addresses.

It had also requested its International Operations Division to forward a list of IP addresses, separated by country, to relevant foreign authorities .

Despite the legal and technical obstacles to removing the malware, the FBI recorded a dramatic fall in the number of "beacons" or pings from infected machines to its command and control servers in the days after seizing them.

By sending commands to infected machines in the US to stop running Coreflood, the number of beacons fell from 800,000 on 13 April to fewer than 100,000 on 22 April.

Nuemiller speculated this was the result of Coreflood being unable to update itself of infected computers, buying time for antivirus vendors to release signatures for the latest version of it. It could also have been the result of customers disconnecting their computers or removing the malware after ISPs notified them.