Now that the Federal Bureau of Investigation has successfully disarmed the Coreflood botnet temporarily, the next step is to get the malware off infected machines.
The number of “beacons”, or requests, from Coreflood zombies to the command and control (C&C) servers has declined by over 90 percent in the week since the FBI moved in. The agency has raided and seized five C&C servers and 29 domains used to control the Coreflood botnet, according to court documents filed April 22.
The beacon requests have dropped from about 800,000 on April 13, two days before the raid, to fewer than 100,000 on April 22, according to court papers.
As part of the raid, the United States District Court of Connecticut also issued a temporary restraining order that allowed the Department of Justice to substitute the seized rogue servers with FBI-controlled systems. The new servers acted as C&C servers for the existing zombie army, pushing out a “kill signal” to terminate the malware running on the infected machines.
While the kill signal stopped Coreflood from running, it was only a temporary fix because the malware had to receive fresh instructions to “stop” the malicious process every time the infected machine was rebooted. It was critically important to remove the malware from the machine altogether.
The FBI-controlled servers prevented the malware from updating itself, giving security vendors the time to release fixes and update malicious software removal tools. They “are no longer faced with a moving target and have been able to release virus signatures capable of detecting the latest versions of Coreflood,” the court papers said.
Microsoft released an out-of-band update for its Windows Malicious Software Removal Tool on April 28 to remove Coreflood from infected machines. Cyber-criminals released new Coreflood variants around the same time as Microsoft updated the tool as part of the April Patch Tuesday. The latest update will allow Microsoft to remove Coreflood and several other malware families permanently.
Other vendors are expected to issue their own updates to their security scanners and malware removal tools so users can remove the infection on their own.
The original court order gave the FBI two weeks to temporarily deactivate the zombies and notify affected users as vendors pushed out removal tools. The FBI is working with Internet service providers to track down users based on their IP addresses. The government asked for an additional 30 days, now due to expire May 25, to complete “Operation Adeona” by deactivating the malware and to notify affected users that their systems had been compromised.
The FBI was also collecting explicit permission from the victims to remotely remove the malware permanently.
“Removing Coreflood in this manner could be used to delete Coreflood from infected computers and to ‘undo’ certain changes made by Coreflood to the Windows operating system when Coreflood was first installed,” wrote FBI Special Agent Briana Neumiller in the court filing.
“There is an ongoing need to prevent a continuing and substantial injury to the owners and users of computers still infected by Coreflood,” the filing said.
The Department of Justice will need another court order to get permission to actually remove the malware permanently from user computers.
The government stepping in to remotely execute programs on user computers is unprecedented in the United States, and privacy watchdog Electronic Frontier Foundation raised some objections. “It’s other people’s computers, and you don’t know what’s going to happen for sure. You might blow up some important machine,” said Chris Palmer, technology director for the Electronic Frontier Foundation.
There are multiple Coreflood variants and there is a potential risk with trying to use a bot against itself. “What if the crooks have deliberately rewired the ‘stop’ command to carry out a ‘format hard drive’ operation instead?” Paul Ducklin, head of technology for the Asia-Pacific region at Sophos, wrote on the Naked Security blog.