FBI details difficulties defanging Coreflood botnet

Powered by SC Magazine
 

IP lists en route to foreign authorities.

The US Justice Department has requested the FBI have a further month, until May 25, to continue defanging the Coreflood botnet under Operation Adeona.

Details in the request highlighted the difficult position the FBI faces after swapping out Coreflood's command and control servers with its own earlier this month.

Despite having the technical capability to remotely uninstall Coreflood malware from infected computers, it appears unable to do this for the bulk of victims in part because it cannot directly go to them to seek consent to do so.

In a supporting declaration [pdf] obtained by Wired, FBI special agent Briana Neumiller said that she was certain "the Coreflood software could be used to uninstall itself, if appropriate instructions were issued from a command and control server."

She claimed that FBI testing showed it could restore a Windows operating system to its pre-infected state without affecting any user files on it.

If the FBI requests authority to do this, it would be the first time any US agency has removed malware remotely from the computers of an infected home users, Wired noted in its report.

For now the FBI is limited to do this with organisations or "identifiable victims" with publicly available IP addresses.

The FBI had already issued "request and authorisation to delete" forms to dozens of government agencies, three airports, two defence contractors, five banks, and hundreds of businesses.

The more complicated task of removing Coreflood from home user machines relies on ISPs notifying infected users, antivirus vendors updating signatures and consumers removing the malware.

The FBI had already asked some ISPs to forward a "Notice of Infected Computer" to hundreds of thousands of customers in the US. Notifications were based on a list of IP addresses associated with infection, which was further complicated by the common practice of ISPs allocating dynamic addresses.

It had also requested its International Operations Division to forward a list of IP addresses, separated by country, to relevant foreign authorities .

Despite the legal and technical obstacles to removing the malware, the FBI recorded a dramatic fall in the number of "beacons" or pings from infected machines to its command and control servers in the days after seizing them.

By sending commands to infected machines in the US to stop running Coreflood, the number of beacons fell from 800,000 on 13 April to fewer than 100,000 on 22 April.

Nuemiller speculated this was the result of Coreflood being unable to update itself of infected computers, buying time for antivirus vendors to release signatures for the latest version of it. It could also have been the result of customers disconnecting their computers or removing the malware after ISPs notified them.

Copyright © iTnews.com.au . All rights reserved.


FBI details difficulties defanging Coreflood botnet
 
 
 
Top Stories
Meet FABACUS, Westpac's first computer
GE225 operators celebrate gold anniversary.
 
NSW Govt gets ready to throw out the floppy disks
[Opinion] Dominic Perrottet says its time for government to catch up.
 
iiNet facing new copyright battle with Hollywood
Fighting to protect customer details.
 
 
Sign up to receive iTnews email bulletins
   FOLLOW US...
Latest Comments
Polls
In which area is your IT shop hiring the most staff?




   |   View results
IT security and risk
  26%
 
Sourcing and strategy
  12%
 
IT infrastructure (servers, storage, networking)
  21%
 
End user computing (desktops, mobiles, apps)
  15%
 
Software development
  26%
TOTAL VOTES: 339

Vote
Would your InfoSec team be prepared to share threat data with the Australian Government?

   |   View results
Yes
  58%
 
No
  42%
TOTAL VOTES: 143

Vote