Coreflood takedown may lead to trouble

Was this the right precedent?

News this week that the US Department of Justice and FBI teamed up to dismantle the unrelenting Coreflood botnet resulted in universal cheers from the security community.

But the rare tactic authorities used to pull the plug on Coreflood -- sending commands to infected computers telling them to cease communication with command-and-control servers -- prompted some IT experts to wonder whether the federal government may have crossed the line.

"Everyone wants botnets to go away, so I'm not sad the botnet will be largely taken down," said Chris Palmer, technology director of the digital watchdog group Electronic Frontier Foundation.

"The issue is this is not a safe way to go about it, and it's divergent with standard practice. It's very dangerous."

To disrupt Coreflood, a nearly decade-old, keystroke-logging botnet blamed for stealing millions of dollars from victims' bank accounts, federal prosecutors secured a court-issued temporary restraining order to replace the botnet's five command-and-control servers, which sent instructions to infected machines, with substitute servers under the US Government's control.

That substitution, combined with successfully reverse engineering the malware's code, allowed FBI agents to deliver stop commands to compromised machines, believed to number 2.3 million.

Typically, law enforcement dismantles botnets by taking down such servers through partnerships with international authorities and internet service providers. Often, the botnets crumble for a while but rise again when a new hub is created.

However, in this case, agents climbed another rung on the enforcement ladder by directly communicating with infected systems, telling them to stop talking to the control center.

But some say they've gone too far by doing that.

"They're running the bad guy's code in hopes of getting rid of the bad guy's code," said Palmer, a former senior software engineer at Google. "That's just crazy. If nothing horrible comes of this, it will be because of a combination of sheer luck and surprising politeness on behalf of the malware authors."

Palmer said such a method can lead to "collateral damage." For example, had the Coreflood authors caught wind of the FBI sting, they may have adjusted the trojan to respond to the stop commands in a different way, such as deleting sensitive data from the machines.

But Gary Warner, director of research in computer forensics at the University of Alabama at Birmingham, who regularly interacts with Government cybercrime fighters, said he doubts such a scenario would play out.

"It could be valid if the people working this case were clueless," Warner said.

"But they are not and had deep industry review before considering this action. It's a thoroughly tested procedure. If it did harm, they wouldn't have done it."

According to court documents filed April 12 in federal court in Connecticut, the stop commands -- delivered each time the Coreflood-infected computer reboots -- will not cause any damage or allow the US Government the ability to view or copy any contents on a victim's machine.

Meanwhile, HD Moore, founder of the open-source Metasploit hacking toolkit and the CSO of vulnerability management company Rapid7, said he is less worried about the impact this operation may cause and more concerned about the precedent that it sets.

"What's scary about it is let's say in the future they want to use the same technique," he said. "It's getting the FBI involved in an area where they traditionally haven't been involved. What's stopping them from going all the way to the extreme and shutting down political discourse they don't like?"

Once they assumed control of the servers, authorities "could've done anything they wanted to" to the infected machines, said Moore, adding that many of the computers receiving commands are located outside of the United States.

Warner, however, said this was an exceptional case that had to demonstrate enough burden of proof to convince a judge to issue a temporary restraining order.

"They haven't intruded on the machine," Warner said. "They haven't done anything but tell the software to stop running itself.

"This is a good thing. Coreflood was regularly draining people's bank accounts since 2004."

This article originally appeared at scmagazineus.com

Copyright © SC Magazine, US edition