
Feds claim victory over Coreflood botnet

FBI shuts down anti-botnet project, says it reduced Coreflood by 95%

June 23, 2011 01:01 PM ET

Computerworld - Federal authorities have declared victory over the Coreflood botnet and shut down the replacement server that the FBI used to issue commands to infected PCs.

The move was the final step in the two-month "Operation Adeona," an attempt to cripple the botnet that originally controlled an estimated 2.3 million compromised computers.

In mid-April, the U.S. Department of Justice (DOJ) and FBI obtained an unprecedented restraining order that allowed them to seize command-and-control (C&C) servers that managed the Coreflood botnet and replace them with a government-controlled system.

The court order also allowed the DOJ and FBI to issue commands using the replacement server that disabled Coreflood on infected PCs. Later, the FBI used the same server to uninstall the malware from 19,000 machines whose owners had given the agency their consent.

On Tuesday, the government closed the civil lawsuit when a federal judge permanently barred 10 "John Does" from operating Coreflood. Authorities did not reveal the names of the defendants.

The substitute server that had been issuing commands to the botnet has also been pulled from the case, said the FBI.

"The continued operation of the substitute server is no longer necessary, under the circumstances, to prevent the Defendants from using the Coreflood botnet in furtherance of their scheme to commit wire fraud and bank fraud and to engage in unauthorized interception of electronic communications," said FBI Special Agent Kenneth Keller in an affidavit filed June 14 with the court.

Keller said the operation had crippled the botnet.

"The size of the Coreflood botnet has been reduced by more than 95% through a combination of victim notification, coordination with Internet service providers and antivirus vendors, and the operation of the substitute server," Keller said.

The FBI had been measuring Coreflood's activity and size through "beacons," the command requests that hijacked PCs sent to the government-run C&C server. On April 13, the day after the DOJ and FBI seized the Coreflood servers, the government replacement received 800,000 beacons. By June 8, the number of beacons was barely discernible on an FBI-provided chart.
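The beacon-counting approach described above is the standard way a sinkhole operator tracks remediation progress: each infected host checks in for commands, and the operator counts how many distinct hosts are still checking in day by day. The following Python is an added illustration, not code from the article or from the FBI's operation; the log format (ISO timestamp, source IP, opaque bot identifier) and the sample lines are constructed assumptions. It counts distinct beaconing hosts per day rather than raw beacon volume, so a single chatty machine does not inflate the figure, and reports the percentage drop between the first and last day observed.

```python
"""Measure botnet remediation progress from sinkhole beacon logs.

Added example with a constructed log format: each line is the sinkhole's
record of one beacon (an infected host checking in for commands). The
fields are an assumption: ISO-8601 timestamp, source IP, and an opaque
bot identifier. None of this is real Coreflood telemetry.
"""
from collections import defaultdict
from datetime import date

# Constructed sample log lines (documentation-range IPs, made-up bot ids).
SAMPLE_LOG = """\
2011-04-13T00:01:07Z 198.51.100.10 bot=a1
2011-04-13T00:02:11Z 198.51.100.11 bot=a2
2011-04-13T00:02:13Z 198.51.100.10 bot=a1
2011-04-13T06:10:00Z 203.0.113.5 bot=a3
2011-04-13T09:00:00Z 203.0.113.6 bot=a4
2011-04-14T01:00:00Z 198.51.100.10 bot=a1
2011-04-14T02:00:00Z 203.0.113.5 bot=a3
2011-06-08T03:00:00Z 203.0.113.5 bot=a3
this line is malformed and should be skipped
"""


def parse_beacons(text):
    """Yield (day, host_key) pairs from the log text.

    host_key combines IP and bot id so that hosts behind one NAT address
    are still counted separately when their bot ids differ. Malformed
    records are skipped rather than aborting the whole report.
    """
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or not parts[2].startswith("bot="):
            continue
        try:
            day = date.fromisoformat(parts[0][:10])
        except ValueError:
            continue
        yield day, (parts[1], parts[2])


def unique_hosts_per_day(text):
    """Return {day: number of distinct beaconing hosts}.

    Repeated beacons from one host within a day count once, so the figure
    tracks infected machines rather than beacon volume.
    """
    seen = defaultdict(set)
    for day, host in parse_beacons(text):
        seen[day].add(host)
    return {day: len(hosts) for day, hosts in seen.items()}


def percent_reduction(counts):
    """Percentage drop in distinct hosts from the earliest to the latest day."""
    if not counts:
        return 0.0
    first, last = min(counts), max(counts)
    if counts[first] == 0:
        return 0.0
    return 100.0 * (counts[first] - counts[last]) / counts[first]


if __name__ == "__main__":
    per_day = unique_hosts_per_day(SAMPLE_LOG)
    for day in sorted(per_day):
        print(day, per_day[day])
    print(f"reduction since first day: {percent_reduction(per_day):.1f}%")
```

On the constructed sample this reports 4 distinct hosts on the first day and 1 on the last, a 75% reduction; a real sinkhole would feed the same logic from its request logs and plot the per-day series to produce a chart like the one the FBI filed.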

Keller credited antivirus companies, which were able to distribute detection and deletion signatures when Coreflood was unable to update itself, for helping subdue the botnet.

[Chart: Coreflood beacon counts] The FBI said it had reduced the Coreflood botnet by 95% since the mid-April launch of "Operation Adeona." (Graphic: FBI.)

