The US Department of Justice and the FBI have wounded the huge Coreflood botnet as part of the most "complete and comprehensive enforcement action ever taken by United States authorities".
The botnet, said to have operated for more than a decade, controlled a fleet of two million infected computers. It operates by recording keystrokes and stealing usernames, passwords and financial information.
The US Attorney's Office for the District of Connecticut alleged that the defendants engaged in wire fraud, bank fraud and illegal interception of electronic communications.
In one example cited as part of a civil complaint, Coreflood was claimed to have hijacked an online banking session and redirected funds to a foreign account.
US authorities filed a civil complaint against 13 defendants, executed criminal seizure warrants and issued a temporary restraining order. Five command and control servers and 29 domain names used to communicate were seized by authorities. Servers were replaced with dummy machines.
Under the temporary restraining order, infected computers were issued a "command that temporarily stops" Coreflood's malware. The aim is to prevent the malware from being updated to evade antivirus detection. The government said it will not have access to "any information that may be stored on an infected computer".
In a 2008 blog, Dell malware research director Joe Stewart said that Coreflood exploits Microsoft telnet substitute PsExec. The bot activates when a Domain Administrator logs on, exploiting privileges to perform remote installation on hosts linked through PsExec. It uses an SQL database to sort through data stolen from keyloggers by making simple queries.
Stewart offered analysis on how Coreflood infects machines:
- First-stage trojan bot (not Coreflood) is installed via drive-by browser exploit (NCT Audiofile2 ActiveX control);
- Bot is instructed to download a copy of the Coreflood installer (here named ie1823en.exe, also we have seen wmedia106.exe) and another file, psexec.exe (or ps2exec.exe or ps3exec.exe) to the temporary directory; and
- Bot is instructed to execute the following command in Windows: cmd /c $TMPDIR\ps2exec.exe \\* $TMPDIR\ie1823en.exe.
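As an added example (not from the article or from Stewart's analysis), the following detector flags the spread pattern described above in constructed process-creation records: a psexec-style binary launched from a temporary directory against the "\\*" wildcard with a payload staged in a temporary directory, while leaving ordinary single-host PsExec use by an administrator unflagged. The log format and field names are assumptions made for this example.

```python
import re

# Constructed sample process-creation events (not real telemetry); one event per line,
# "key=value" fields separated by " | ". Field names are an assumption for this example.
SAMPLE_EVENTS = [
    "host=WS01 | user=CORP\\Administrator | parent=explorer.exe | cmd=notepad.exe C:\\notes.txt",
    "host=WS01 | user=CORP\\Administrator | parent=cmd.exe | "
    "cmd=C:\\Users\\admin\\AppData\\Local\\Temp\\ps2exec.exe \\\\* C:\\Users\\admin\\AppData\\Local\\Temp\\ie1823en.exe",
    "host=SRV02 | user=CORP\\svc_backup | parent=services.exe | cmd=C:\\Tools\\PsExec.exe \\\\SRV03 -s cmd.exe",
    "host=WS07 | user=CORP\\jdoe | parent=cmd.exe | cmd=C:\\Windows\\Temp\\psexec.exe \\\\* C:\\Windows\\Temp\\wmedia106.exe",
]

# Names the article lists: psexec.exe and its renamed copies ps2exec.exe / ps3exec.exe.
PSEXEC_NAMES = re.compile(r"(?:^|\\)ps[23]?exec\.exe\b", re.IGNORECASE)
TEMP_DIR = re.compile(r"\\temp\\", re.IGNORECASE)
# "\\*" as a standalone argument tells PsExec to target every host in the domain.
WILDCARD_TARGET = re.compile(r"(?:^|\s)\\\\\*(?:\s|$)")

def parse_event(line):
    """Split one 'key=value | key=value' record into a dict."""
    return dict(field.split("=", 1) for field in line.split(" | "))

def score_event(event):
    """Return the list of Coreflood-style traits found in one event's command line."""
    cmd = event.get("cmd", "")
    reasons = []
    if PSEXEC_NAMES.search(cmd):
        tokens = cmd.split()
        if WILDCARD_TARGET.search(cmd):
            reasons.append("psexec wildcard target \\\\* (every host in the domain)")
        if TEMP_DIR.search(tokens[0]):
            reasons.append("psexec binary run from a temp directory")
        if any(TEMP_DIR.search(arg) for arg in tokens[1:]):
            reasons.append("payload executable staged in a temp directory")
    return reasons

def detect(lines):
    """Return (host, user, reasons) for events showing at least two traits."""
    findings = []
    for line in lines:
        event = parse_event(line)
        reasons = score_event(event)
        # Requiring two traits keeps legitimate single-host admin PsExec use quiet.
        if len(reasons) >= 2:
            findings.append((event["host"], event["user"], reasons))
    return findings
```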
"The seizure of the Coreflood servers and internet domain names is expected to prevent criminals from using Coreflood or computers infected by Coreflood for their nefarious purposes," Connecticut Attorney David B Fein said in a statement. "I want to commend our industry partners for their collaboration with law enforcement to achieve this great result."
FBI cyber response branch assistant director Shawn Henry said the move against Coreflood was the first of its kind in the country.
Microsoft, the Internet Systems Consortium and other industry organisations assisted with the crackdown.