Coreflood dries up

The US Department of Justice's announcement yesterday of the takedown of the command and  control (C&C) servers for the Coreflood bots (detected by ESET as Win32/AFCore) and seizure of their domains marks another step in the growing awareness that crime, whether it is committed with bullets or with botnets, is still crime. 

This particular botnet, about a decade old, was primarily used to steal bank credentials for financial fraud[1].  While not a particularly "sexy" or immediately visible crime compared to botnets which engage in spam and DDoS, the Coreflood botnet has certainly been effective:  In the complaint filed with the United States District Court in Connecticut, US Attorney David B. Fein, states that losses from the botnet totaled over half-a-million dollars from just four victims. Given that Coreflood has infected over two million computers, the actual amount of dollars stolen is likely to be orders of magnitude higher.

Legally, the actions the United States has chosen against the thirteen John Doe's behind this organized criminal activity are unsurprising, with restraining orders and injunctions sought to shut down the botnet's C&C servers and identify those behind it.  Where things get more interesting is in the method chosen to defang the botnet:  The US Attorney is asking for authorization to operate a substitute C&C server to take over control of the botnet, preventing its "rightful" (not to mention, criminal) owners from stealing any further information from compromised computers or from sending further instructions or updates to the bot in order to regain control of it.

There's some sense in doing this, as preventing updates to the botnet ensures that the government's industry partners (e.g., antimalware companies like ESET) have effective tools to detect and remove the bot from infected computers without having to worry about countermeasures from the botnet's criminal operators, while preventing new communications allows Internet providers to monitor their networks for traffic known to be from the bot.

The government, on its part, states that it shall not "…store, review, or otherwise use any data that may be transmitted to the substitute server from an infected computer, other than the originating IP address, network port and the date and time of the transmission."  It seems the government will be using its substitute C&C server to send "shutdown" commands to infected computers in the U.S. and will not modify or look at data on infected systems.  However, the shutdown command only tells Coreflood to stop for that particular session.  As soon as the computer is rebooted, Coreflood runs again and beings collecting data until it accesses the C&C server and receives a shutdown command.

One thing the government will do is notify Internet service providers of infected computers on their network.  The ISPs are then responsible for notifying their customers of the infection.  This could, however, have some unanticipated effects:

  1. One wonders if other criminals may take advantage of such notifications to distribute malware.  While we tend to think of the era of mass mailed malware as being behind us, such attacks are largely opportunistic, and this action represents a possible action by other criminals wishing to take advantage of legitimate communications.
  2. The U.S. government is performing remediation on behalf of its citizens and, as a result, is only redirecting traffic from U.S.-based IP addresses.  Will they be responsible for notifying other governments or ISPs?  What about if the government in question is hostile to the U.S., is known to engage in monitor of its citizens' electronic communications?  For that matter, suppose there is some level of involvement with the malware by a foreign government? 

In the case of the first point, these types of social engineering communications have occurred for years, and it is not likely that any such campaigns to spread additional malware have any great success.  As regards the second point, further thinking is needed.

Interestingly enough, the government also stated it would provide a means of opting out of the Coreflood remediation, should someone wish to continue to be infected.  Outside of a security researcher's computer, I cannot think of any scenarios where one might wish to do so, however, it does indicate a good faith effort on the part of the government to cover as many circumstances as possible, such as possible issues with unauthorized access or modification of data.

One thing I would like to point out, though, is that this is not the first time a government has seized control of a botnet, although it is a first for the American government.  In October, 2010, the Dutch High Tech Crime Unit took control of the C&C servers for the Bredolab botnet, not just beheading it, but sending additional commands to infected computers for them to download and run a program that advised computer operators that their computers were infected.  The American actions seem far more benign by comparison.  For more information on that incident, please review my colleague David Harley's article here in ESET's Threat Blog.

All in all, this seems to be a reasoned and well-thought-out approach by the US government, with steps being taken to minimize the risks to computers and whatever private information they may hold.  Larger questions remain, though, such as whether this will be a successful method of combating this type of crime and if the actions can be repeated with other botnets.

I suspect this is a learning experience as much as for the government as it is everyone else, and the resulting lessons will determine what sort of legal actions are taken in the future.


Aryeh Goretsky, MVP, ZCSE
Distinguished Researcher




[1] The actual crimes listed in the complaint filed were bank fraud, unauthorized interception of electronic communications and wire fraud. 




Author Aryeh Goretsky, ESET

Follow us

Copyright © 2017 ESET, All Rights Reserved.