FBI details difficulties defanging Coreflood botnet

Powered by SC Magazine
 

IP lists en route to foreign authorities.

The US Justice Department has requested the FBI have a further month, until May 25, to continue defanging the Coreflood botnet under Operation Adeona.

Details in the request highlighted the difficult position the FBI faces after swapping out Coreflood's command and control servers with its own earlier this month.

Despite having the technical capability to remotely uninstall Coreflood malware from infected computers, it appears unable to do this for the bulk of victims in part because it cannot directly go to them to seek consent to do so.

In a supporting declaration [pdf] obtained by Wired, FBI special agent Briana Neumiller said that she was certain "the Coreflood software could be used to uninstall itself, if appropriate instructions were issued from a command and control server."

She claimed that FBI testing showed it could restore a Windows operating system to its pre-infected state without affecting any user files on it.

If the FBI requests authority to do this, it would be the first time any US agency has removed malware remotely from the computers of an infected home users, Wired noted in its report.

For now the FBI is limited to do this with organisations or "identifiable victims" with publicly available IP addresses.

The FBI had already issued "request and authorisation to delete" forms to dozens of government agencies, three airports, two defence contractors, five banks, and hundreds of businesses.

The more complicated task of removing Coreflood from home user machines relies on ISPs notifying infected users, antivirus vendors updating signatures and consumers removing the malware.

The FBI had already asked some ISPs to forward a "Notice of Infected Computer" to hundreds of thousands of customers in the US. Notifications were based on a list of IP addresses associated with infection, which was further complicated by the common practice of ISPs allocating dynamic addresses.

It had also requested its International Operations Division to forward a list of IP addresses, separated by country, to relevant foreign authorities .

Despite the legal and technical obstacles to removing the malware, the FBI recorded a dramatic fall in the number of "beacons" or pings from infected machines to its command and control servers in the days after seizing them.

By sending commands to infected machines in the US to stop running Coreflood, the number of beacons fell from 800,000 on 13 April to fewer than 100,000 on 22 April.

Nuemiller speculated this was the result of Coreflood being unable to update itself of infected computers, buying time for antivirus vendors to release signatures for the latest version of it. It could also have been the result of customers disconnecting their computers or removing the malware after ISPs notified them.

Copyright © iTnews.com.au . All rights reserved.


FBI details difficulties defanging Coreflood botnet
 
 
 
Top Stories
Matching databases to Linux distros
Reviewed: OS-repository DBMSs, MariaDB vs MySQL.
 
Coalition's NBN cost-benefit study finds in favour of MTM
FTTP costs too much, would take too long.
 
Who'd have picked a BlackBerry for the Internet of Things?
[Blog] BlackBerry has a more secure future in the physical world.
 
 
Sign up to receive iTnews email bulletins
   FOLLOW US...
Latest Comments
Polls
Which is the most prevalent cyber attack method your organisation faces?




   |   View results
Phishing and social engineering
  70%
 
Advanced persistent threats
  3%
 
Unpatched or unsupported software vulnerabilities
  12%
 
Denial of service attacks
  6%
 
Insider threats
  10%
TOTAL VOTES: 704

Vote