The Tech Herald

Coreflood: Botnet takedown introduces a potentially risky precedent

by Steve Ragan - Apr 18 2011, 06:50

The Department of Justice has killed the Coreflood botnet. Using the courts, they replaced the command center of the botnet itself, and told the drones to halt operations. They did this with nothing more than a Temporary Restraining Order (TRO), some research skill, and a single command. So what does this mean for the typical citizen and cyber investigations? Did the FBI go too far?

By now, considering the extensive hype, most of the technical world knows of the FBI’s success. For those only vaguely aware of the story, it starts with one of the oldest botnets in existence, Coreflood. The Coreflood botnet started out as a proxy service and DDoS-for-hire operation. In the mid-2000s, it moved on to financial crime, hijacking the usernames and passwords of bank accounts entered on compromised systems.

Like other malware that steals financial information, Coreflood captured everything needed for someone else to log in to your online banking application and siphon money out. Coreflood has been found on systems at college campuses, law firms, defense contractors, and small businesses. No one knows the exact total lost to Coreflood, but the malware infected millions of systems globally, so the financial impact should not be understated.

With all of this in mind, the FBI decided to act. In their ex-parte request for a TRO against the operators of the command and control (C&C) servers used by the botnet, the FBI reported that 2,336,542 infected systems were receiving orders from the C&Cs. Of those systems, 1,853,005 were located in the U.S. In addition, the C&C servers hosted 29 domains, which the bot used for communications.

The FBI asked the court to compel the domain registrars to modify DNS, so that instead of communicating with the criminals’ domains, an infected computer would be talking to a substitute server set up by the federal agency itself. When an infected system contacted the FBI’s server, it received a stop command rather than anything destructive: the substitute C&C told the Coreflood program on the infected system to exit and stop running. Neither the FBI nor the Internet Systems Consortium (ISC), which operated the substitute server, removed the Coreflood malware from the infected systems.
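The practical follow-up for an administrator is to find out whether any of their own hosts were talking to the redirected domains, before and after the substitute server went live. The following is an added example, not code from the article, the FBI or ISC: it scans a resolver log for lookups of domains that have been sinkholed and separates answers that still pointed at the original address from answers that pointed at the substitute server. Every domain, IP address and log line in it is constructed for illustration; the article does not list Coreflood’s real domains or the substitute server’s address.

```python
"""
Added example (not from the article): a sinkhole-contact check.

Given a list of domains that a court order redirected to a substitute
("sinkhole") server, and a DNS resolver log, report which internal hosts
resolved those domains and whether the answer they received was the
sinkhole address.  All domains, IPs and log lines here are constructed
for illustration; the real Coreflood domains are not on the page.
"""
from collections import defaultdict
import ipaddress

# Hypothetical court-ordered redirection: domain -> substitute server IP.
SINKHOLED = {
    "c2-example-one.test": "192.0.2.10",
    "c2-example-two.test": "192.0.2.10",
}

# Constructed resolver log lines: "<timestamp> <client> <qname> <answer>"
SAMPLE_LOG = """\
2011-04-13T10:00:01 10.1.2.3 c2-example-one.test 198.51.100.5
2011-04-13T10:00:02 10.1.2.4 www.example.test 203.0.113.7
2011-04-13T12:30:00 10.1.2.3 c2-example-one.test 192.0.2.10
2011-04-13T12:31:07 10.1.9.9 c2-example-two.test 192.0.2.10
2011-04-13T12:32:00 10.1.2.4 c2-example-two.test 198.51.100.5
malformed line here
"""


def parse_log(text):
    """Yield (ts, client, qname, answer) tuples; skip malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, qname, answer = parts
        try:
            ipaddress.ip_address(client)
            ipaddress.ip_address(answer)
        except ValueError:
            continue
        yield ts, client, qname.lower().rstrip("."), answer


def sinkhole_report(log_text, sinkholed=SINKHOLED):
    """Return {client: {"pre_redirect": [...], "post_redirect": [...]}}.

    pre_redirect : lookups of a sinkholed domain that still resolved to
                   the original (criminal) address
    post_redirect: lookups answered with the substitute server address,
                   i.e. the host would have received the stop command
    """
    report = defaultdict(lambda: {"pre_redirect": [], "post_redirect": []})
    for ts, client, qname, answer in parse_log(log_text):
        if qname not in sinkholed:
            continue
        bucket = "post_redirect" if answer == sinkholed[qname] else "pre_redirect"
        report[client][bucket].append((ts, qname, answer))
    return dict(report)


def infected_hosts(log_text, sinkholed=SINKHOLED):
    """Hosts that ever looked up a sinkholed domain, sorted."""
    return sorted(sinkhole_report(log_text, sinkholed))


if __name__ == "__main__":
    for host, buckets in sinkhole_report(SAMPLE_LOG).items():
        print(host, buckets)
```

A host that appears only under pre_redirect contacted the original C&C but never reached the substitute server, so it never received the stop command; those are the machines to clean first, since the order only stopped bots that actually connected to the sinkhole.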

“The recent action by the US Department of Justice set a precedent for what computer systems fall within the scope of a malware investigation. The DOJ authorized the FBI to not only take over the Command and Control servers of the botnet, something they do frequently today, but to also send the ‘shutdown’ command to any infected client connecting to these servers,” commented HD Moore, Chief Security Officer of Rapid7 and creator of Metasploit.

“This action was benign and itself is not controversial. What is controversial is how jurisdiction rules apply to systems that are connected to a FBI operated Command and Control server. The infected systems included computers owned by US citizens who had no knowledge of the operation, in addition to systems outside the United States.”

This hints at a future where the FBI will take a more active role in operations, Moore added. Extended to the extreme, the DOJ could apply the actions taken with Coreflood to copyright infringement sites and whistleblowing sites such as Wikileaks. If the FBI can hijack a server deemed to be used as part of criminal activity, Moore continued, this new “power” gives them a way to extend the investigation further, directing it towards the systems accessing the server.

“This leads to worrying situations where leaked documents could be replaced by fakes that contain tracking code and pirated material may be replaced by Trojan horse applications, all within the legal context of shutting down criminal activity. The ability to access not just a specific server, but the ‘next hop’, may be viewed as hostile activity by foreign governments as well,” Moore said.

“If the Chinese government hijacked a botnet and authorized itself to send commands to infected systems in the US, you can bet that this would be seen as an imminent threat to national security. In reality, this case just underlines what we already know; a government agency doesn’t need to break into your systems to gather data, the malware writers are already providing the means to do so for them.”

In a statement, the DOJ said they were working with Internet service providers to identify as many innocent victims as possible.

“Identified owners of infected computers will also be told how to ‘opt out’ from the TRO, if for some reason they want to keep Coreflood running on their computers. At no time will law enforcement authorities access any information that may be stored on an infected computer,” the statement explained.

Granted, Microsoft has taken the “opt out” option away from most of the public with its recent MSRT update. Coreflood was added to Microsoft’s Malicious Software Removal Tool last week on Patch Tuesday, so the tool will remove the malware if it is detected.

When it came to the data sent by the systems infected with Coreflood, the FBI and US Marshals Service were prohibited from storing, reviewing, or “otherwise [using] any data that may be transmitted to the substitute server…” Yet, will this be the case for future operations?

Likewise, the phrase “reasonably determined” was used to detail how the FBI was to locate computers in the U.S. when issuing a sleep command. What’s considered reasonable? For the record, nothing released by the DOJ has data on the aftermath of the operation, including any incidents where a non-U.S. system was given instructions.

Moore’s comments open up a new line of debate.

So what do you think? Is this a non-issue, or do the DOJ’s actions raise the need for questions and a deeper look? The TRO was an ex parte motion, so only one party needed to know about it. If systems in the U.S. are subject to DNS redirection and silent commands by law enforcement, should you be told ahead of time or after the fact?

All of the court documents are here.
