Some two weeks have passed since the U.S. Department of Justice and the FBI have been granted by the federal court the permission to substitute the C&C servers of the Coreflood botnet with servers of their own to send out “kill” commands to the infected computers, and the results are showing.
According to ars technica, the FBI has revealed that the pings that the bureau servers have been receiving from infected computers located in the U.S. have fallen from 800,000 to less than 100,000 only a week after they had begun sending out the “kill” command, and that the number of pings from computers outside the country has also experienced a 75 percent drop.
Cut off from the original botnet C&C servers, the Coreflood malware on the infected computers is thus unable to get updated, which allows the security vendors to update their solutions with the signatures corresponding to this latest version and the users to detect and remove the malware.
The decline of pings from infected computers in the U.S. can be attributed to different reasons – it doesn’t necessarily mean that the computers got cleared of the malware. Some users have surely done that, but it is possible that some have shut down their computers until they know how to disinfect them or that some have simply not rebooted their computers since the beginning of this operation.
A new filing from the Justice Department to the federal court includes a request to allow the FBI to keep doing what they have been doing for another month, and also intimates that the government might soon be asking of the court to allow them to instruct the computers to deinstall the Coreflood malware – a potentially historical first request of this kind in the U.S.
They maintain that they have tested the process on purposely infected computers and that there were no adverse effects to the machines. And even thought they say that they will not be doing anything else on the affected computers – for example examining their contents – there will surely be some users averse to the idea. If this request is granted, the government will likely allow them to opt out of the “procedure”.
The fact that this action allowed the FBI to gather the IP addresses of the affected computers and track them down to the actual (U.S.) owners has revealed that some infected computers belong to defense contractors, state and local government agencies, airports, hospitals, educational organizations, financial institutions and a great number of businesses in general.
The FBI has used these lists of IP addresses to get help from the U.S. ISPs with contacting the affected users and explaining them the situation. When it comes to infected computers in the rest of the world, the bureau notified the appropriate foreign law enforcement agencies so that they could notify their countries’ ISPs and users.