Court order cripples Coreflood botnet, says FBI
But Microsoft re-releases Coreflood scrubber
Computerworld - Although the Federal Bureau of Investigation (FBI) said a federal temporary restraining order has crippled the Coreflood botnet in the U.S., Microsoft today took the unusual step of pushing a second version of its monthly malware cleaner to Windows users to again quash the botnet.
Coreflood made the news earlier this month when the U.S. Department of Justice (DOJ) and FBI obtained an unprecedented temporary restraining order that allowed them to seize command-and-control servers that managed the botnet's estimated 2.3 million compromised PCs.
Those servers were replaced by government-controlled systems.
The court order also allowed the DOJ and FBI to issue commands using those replacement servers that disabled, but did not uninstall, Coreflood on infected PCs that asked for new commands.
In an affidavit filed in a Connecticut federal court last Saturday, FBI Special Agent Briana Neumiller said that the server seizure and "kill-switch" instructions issued to the malware have crippled the botnet.
On April 13, the day after the DOJ and FBI seized the Coreflood servers, the government replacements received nearly 800,000 command requests, or "beacons," from Coreflood-infected machines in the U.S. A week later, the number of beacons had plummeted to less than 100,000.
"Two possible reasons why the Coreflood Botnet is getting smaller are as follows: (i) because Coreflood has not been able to update itself on infected computers, anti-virus vendors have been able to release virus signatures capable of detecting the latest versions of Coreflood," Neumiller said in her affidavit. "And (ii) as victims of Coreflood are notified of their infected computers, they may be disconnecting the infected computers from the Internet or taking other measures to disable or remove Coreflood."
The restraining order, which was transformed from "temporary" to "preliminary" this week by U.S. District Court Judge Vanessa Bryant, allows the DOJ and FBI to identify infected computers using IP addresses. The agencies then notify the ISPs (Internet service providers) responsible for those addresses; the ISPs are to send the owners of those PCs a form letter telling them that their computer is infected and urging them to run tools to delete the malware.
While the volume of beacons from U.S. PCs has fallen to one-tenth of the number prior to the takedown, Neumiller noted that beacons from foreign machines -- which haven't received instructions to stop running the bot -- have not dropped as rapidly. As of last Friday, beacons from foreign PCs were about a quarter that of April 13.
Neumiller also said that the FBI has identified "seventeen state or local government agencies, including one police department; three airports; two defense contractors; five banks or financial institutions; approximately thirty colleges or universities; approximately twenty hospital or health care companies; and hundreds of businesses" infected with Coreflood.
Microsoft today said it was releasing another edition of its Malicious Software Removal Tool (MSRT) to bolster the cleaning process.
"This edition includes variants of Afcore released by the criminals behind it at approximately the same time as the previous edition of MSRT." said Jeff Williams, a principal group program manager with the Microsoft Malware Protection Center.
Typically, Microsoft ships a new version of its Malicious Software Removal Tool (MSRT) only once each month as part of its Patch Tuesday package. The free MSRT, which targets a limited number of malware families, scrubs PCs of attack code. Microsoft feeds the tool to users through the same Windows Update mechanism that serves up security patches.
Microsoft said earlier this month that it added Coreflood detection to the April 13 version "at the request of the FBI and the Department of Justice." Today the company declined to confirm whether it re-released the tool at the request of the DOJ and FBI.
Neumiller's affidavit included a chart that showed a resurgence in Coreflood beacons on April 18. That spike may have prompted the DOJ and FBI to ask Microsoft to reissue MSRT.
Microsoft's newest version of the MSRT can be manually downloaded from the company's Web site. Windows PCs should receive the revised tool shortly via the Windows Update service.
Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed . His e-mail address is email@example.com.
Read more about Security in Computerworld's Security Topic Center.
- Best iPhone, iPad Business Apps for 2014
- 14 Tech Conventions You Should Attend in 2014
- 10 Desktop Apps to Power Your Windows PC
- How to Add New Job Skills Without Going Back to School
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts