In what was described as “the most complete and comprehensive enforcement action ever taken by US authorities to disable an international botnet,” the FBI shut down the Coreflood infection on an estimated 2.3 million computers. While that certainly is good news, behind it is a sad reality about the state of international computer crime prevention.
Coreflood was a Trojan whose purpose was to build a botnet. Like the wooden horse of Greek legend, a computer Trojan presents a seemingly useful program to entice the user to install it, bringing the hidden attackers inside the walls of their defenses. A large percentage of what non-experts call ‘viruses’ are in fact Trojans. The technical difference is that a virus is able to self-replicate from one computer to another, whereas a Trojan must trick a user into installing it on each new computer.
The soldiers inside Coreflood’s metaphorical wooden horse were a bot program. The word botnet is a contraction of ‘robot network’. The bot software itself is very simple. Every so often it contacts one of several Command & Control (C&C) servers, delivers the results of the previous command, and picks up a new set of instructions. The people operating those servers, also known as bot herders, might use the network for mischief or their own malicious purposes, but in more recent years they have rented it out to others, for example to send spam email.
The Coreflood botnet is almost a decade old. Antivirus products have carried signatures for it for years, so any reasonably maintained antivirus software should have detected and removed it. Yet the botnet had accumulated over 2.3 million infected computers. That is a depressingly large number of completely unprotected machines.
In 2008, Coreflood’s bot herders took a new direction. They used the botnet to run a program that listens for and captures user names and passwords for online banking sites. Rather than just stealing idle computer time, the botnet was now capturing banking credentials and stealing large sums of money. That is what brought serious attention from the FBI.
The FBI in Action
The FBI requested court permission not just to seize the C&C domain names, but also to impersonate the C&C servers. In other words, when all those Coreflood-infected computers phoned home for new instructions, they were directed not to their old C&C server but to a substitute set up under the court order. That substitute server answered each beacon with a command telling the bot to stop running (owners who consented could later have the software removed outright). The botnet was globally switched off using its own ability to execute remotely commanded actions. Problem solved! Or is it?
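The beacon loop described above and the sinkhole takeover that exploited it, as an added toy model (not Coreflood’s real protocol and not the FBI’s code). The domain names, IP addresses (from the documentation ranges), command names and message fields are all assumptions made for illustration. The point it shows: once the C&C names resolve to the substitute server, every bot that checks in is told to stop, and the sinkhole ends up with a list of victims while the criminal server stops receiving results.

```python
# Added example: toy model of a bot beacon/C&C exchange and a sinkhole takeover.
# Domains, addresses, command names and message formats are hypothetical.
from dataclasses import dataclass
from typing import Optional

STOP = "stop"   # hypothetical command: bot should stop running
RUN = "run"     # hypothetical command: bot should do a task
CC_DOMAINS = ["cc-a.example", "cc-b.example"]   # hypothetical C&C names
CC_ADDR = "203.0.113.10"        # documentation-range IP for the criminal server
SINKHOLE_ADDR = "198.51.100.20"  # documentation-range IP for the substitute server


class CriminalCC:
    """The bot herders' server: collects results and hands out fresh work."""
    def __init__(self):
        self.results = []

    def handle(self, beacon: dict) -> dict:
        if beacon.get("result") is not None:
            self.results.append(beacon["result"])
        return {"cmd": RUN, "task": "harvest-credentials"}   # hypothetical task


class Sinkhole:
    """Substitute C&C: records who beaconed and tells every bot to stop."""
    def __init__(self):
        self.victims = {}

    def handle(self, beacon: dict) -> dict:
        self.victims[beacon["bot_id"]] = beacon["src_ip"]   # victim list for notification
        return {"cmd": STOP}


@dataclass
class Bot:
    bot_id: str
    src_ip: str
    running: bool = True
    last_result: Optional[str] = None

    def beacon(self, resolver: dict, servers: dict) -> Optional[dict]:
        """One check-in: resolve each C&C domain in turn, talk to the first live server."""
        for domain in CC_DOMAINS:
            server = servers.get(resolver.get(domain))
            if server is None:
                continue            # seized/dead address: fall through to the next name
            reply = server.handle({"bot_id": self.bot_id, "src_ip": self.src_ip,
                                   "result": self.last_result})
            if reply["cmd"] == STOP:
                self.running = False
            elif reply["cmd"] == RUN:
                self.last_result = "did:" + reply["task"]
            return reply
        return None                 # nothing reachable; bot waits for its next beacon


def simulate(takeover: bool, n_bots: int = 5) -> dict:
    """Two beacon rounds; between them the C&C names are optionally repointed."""
    cc, sink = CriminalCC(), Sinkhole()
    servers = {CC_ADDR: cc, SINKHOLE_ADDR: sink}
    resolver = {d: CC_ADDR for d in CC_DOMAINS}          # DNS before any action
    bots = [Bot(f"bot{i}", f"192.0.2.{i}") for i in range(n_bots)]
    for b in bots:
        b.beacon(resolver, servers)                        # round 1: herders in control
    if takeover:
        for d in CC_DOMAINS:
            resolver[d] = SINKHOLE_ADDR                    # court-ordered redirection
    for b in bots:
        b.beacon(resolver, servers)                        # round 2
    return {"still_running": sum(b.running for b in bots),
            "results_leaked": len(cc.results),
            "victims_logged": len(sink.victims)}


if __name__ == "__main__":
    print("no takeover:", simulate(False))
    print("takeover:   ", simulate(True))
```

In the model a single stop reply flips the bot off for good; in the real case the substitute server had to keep answering, because the bots kept beaconing, which is why the court order covered ongoing operation of the server rather than a one-shot response.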
While the FBI can be congratulated for being serious and proactive about computer crime, the flip side of the approach taken with Coreflood is that the people responsible are still free. In fact the civil complaint filed in the case simply listed thirteen John Does, described as ‘foreign nationals’, as the defendants. This means the FBI may very well have no idea at all of the identity of the criminals. The only thing generally accepted as true is that they are a criminal gang located in Russia.
Up-to-date antivirus software is still needed to keep the crooks out. If they haven’t already, it is virtually certain that those behind Coreflood will be setting up new C&C servers and compiling a new version of their bot software. While it will no doubt take quite a while to trick a new list of 2.3 million users, the crooks already hold a list of computers that were not adequately protected in the past.
By taking action against the servers and domain names, the FBI implicitly recognized that the persons involved are beyond its reach. Thus, the best the FBI can do is disrupt the infrastructure. While that admission is disheartening, it is better than doing nothing.