FBI hijacks Coreflood botnet

US authorities claim to have replaced the command and control servers of the Coreflood botnet with their own kit in an effort to weaken the impact of the decade-old threat.

The US Department of Justice (DOJ) and the FBI seized five command and control servers and 29 domain names used by the botnet, according to a statement issued Wednesday. 

Authorities were granted permission to swap the servers after gaining a temporary restraining order (TRO) on the machines hosting the software. It was hoped authorities could thus prevent the botnet's operators from updating software on victim systems and continue to avoid detection by antivirus vendors.

"The TRO authorises the government to respond to these requests from infected computers in the United States with a command that temporarily stops the malware from running on the infected computer," the DOJ said.  

Coreflood, one of the oldest botnets in continuous operation, was unique, according to Joe Stewart, director of research for Dell SecureWorks. 

Motives have morphed over time - from simple DDoS to selling anonymity services and even to bank fraud. Over the course of the decade, Coreflood has infected businesses, hospitals, government and a state police agency.

The botnet was capable of infecting an entire domain in one hit and used a MySQL database to track infections, according to Stewart, who uncovered a 50GB database of stolen credentials the botnet had collected in the two years to 2008.  

The DOJ and FBI intend on contacting individuals running Coreflood-infected computers and advising them to remove the malware. However, owners can also choose to “opt-out”.

“At no time will law enforcement authorities access any information that may be stored on an infected computer,” the statement said. 

In a similar fashion to Microsoft’s takedown of the Rustock and Waledac botnets, the US Attorney’s Office for the District of Connecticut filed a civil complaint against 13 “John Doe” defendants. The office alleged the defendants had engaged in wire fraud, bank fraud and illegal interception of electronic communications. 

The office noted that in one case, Coreflood was used to take over an online banking session and caused the fraudulent transfer of funds to a foreign account.