Feds claim victory over Coreflood botnet

FBI shuts down anti-botnet project, says it reduced Coreflood by 95%

Page 2 of 2

Although he didn't call out Microsoft in his affidavit, the company also played a part in the anti-Coreflood effort.

In April, Microsoft used its Malicious Software Removal Tool (MSRT) to bolster the Coreflood cleaning process, and took the unusual step of re-releasing an updated edition of the tool to finger variants that had appeared shortly after the government seized the botnet's C&C servers.

During May, authorities used the substitute C&C server to remotely uninstall the Coreflood malware from some infected Windows PCs. According to Keller, the FBI used the server to issue 19,000 uninstall commands to computers owned by 24 victims.

"None of [the victims] have reported any adverse or unintended consequences from the uninstall commands," Keller reported.

The FBI had previously identified state or local government agencies, airports, defense contractors, banks, universities and hospitals among the victims.

It's likely that the uninstall commands were aimed at organizations with large numbers of infected computers; on average, each victim received 791 uninstall commands.

The FBI acknowledged that it had not been able to eradicate Coreflood. It had not been able to identify all the victims, and was not allowed to issue uninstall commands to infected computers outside the U.S.

"Under the circumstances, it does not appear that further reductions in the size of the Coreflood Botnet can be accomplished without resort to other remediation techniques, such as a 'blanket' uninstall of Coreflood," Keller said. Presumably, he meant issuing uninstall commands to all infected computers without obtaining permission from their owners.

The FBI did not ask for the authority to do that, Keller added, "given that the size of the Coreflood botnet has already been significantly reduced."

Gregg Keizer covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for Computerworld. Follow Gregg on Twitter at @gkeizer or subscribe to Gregg's RSS feed. His e-mail address is gkeizer@computerworld.com.

Copyright © 2011 IDG Communications, Inc.
