U.S. authorities hijack botnet by substituting C&C servers

The U.S. Department of Justice and the FBI have been granted by the federal court the permission to substitute the C&C servers of the massive Coreflood botnet with servers of their own that will be sending out “kill” commands to the infected computers every time they reboot.

The Coreflood Trojan has been infecting machines for years now. At the beginning, it had only DDoS capabilities, but has evolved over time and can now also collect IDs and online baking passwords. In February 2010, the botnet counted some 2.3 millions of bots – of those 1.85 located in the US.

According to AFP, five C&C servers and 29 Internet domain names were seized by the authorities, and the servers were substituted by nonprofit Internet Systems Consortium (ISC) on the agencies’ request.

And not only do these new government-controlled servers send out the “kill” command, but they also collect the IP addresses of the infected machines in order to pass them to ISPs around the country so that they could warn their customers of the infection present on their computer.

Wired reports that only computers located in the US have been made to receive the command that terminates the Trojan’s process, but Microsoft has pushed out an update of their Malicious Software Removal Tool which should remove the Coreflood Trojan from infected computers all around the world.

The US authorities have also filed charges against 13 unnamed foreign nationals suspected of operating the botnet. They have been charged with wire fraud, bank fraud and illegal interception of electronic communications.

This is the first time that the US authorities have effected a swapping of botnet C&C servers with their own. Maybe they were inspired by the action by the Dutch police that resulted in the beheading of the Bredolab botnet?




Share this