FBI takes on Coreflood botnet - but is this a step too far?

Filed Under: Law & order, Malware, Privacy

Two weeks ago, the Federal Bureau of Investigation (FBI) obtained a court order in Connecticut, USA. This court order allowed the FBI to undertake an anti-cybercrime operation of a sort which had never been authorised before in America.

Not only did the cops seize various US-based Command and Control (C&C) servers belonging the Coreflood botnet, but they also redirected all traffic intended for those servers to a surrogate server under their own control.

When infected PCs connected to the surrogate, the cops instructed the bot process to terminate, providing that the PC appeared to be in the US, and thus under their jurisdiction.

What made this court order a first in the US is that it gave law enforcement permission to interfere directly with computers belonging to users who weren't being investigated, or charged with any crime.

The motivation for this novelty was that the Coreflood bot family is notorious for exfiltrating data from infected PCs. As the FBI's Temporary Restraining Order puts it, Coreflood sets out:

to commit wire fraud and bank fraud in violation of Title 18, United States Code, Sections 1343 and 1344, and to engage in unauthorised interception of electronic communications in violation of Title 18, United States Code, Section 2511.

But the Electronic Frontier Foundation (EFF), a worldwide privacy advocacy group, expressed concerns about this sort of legally-endorsed interference. In particular, the EFF pointed out that there is something unappealing about sending commands of any sort to unknown malicious code on someone else's computer without their explicit permission.

This may sound like a petty objection - and perhaps, in the real world, it is - but unless you know exactly which variant of the bot is on each PC, there is always a potential risk with trying to use a bot against itself. What if the crooks have deliberately rewired the "stop" command to carry out a "format hard drive" operation instead?

Nevertheless, the FBI went ahead, and the exercise seems to have been a success. So much so, in fact, that the cops went back to court over the weekend to ask for the two-week court order to be extended for a further month.

The new court application shows that the original two-week intervention had a measurable effect, documenting graphically the decrease in US-based PCs which tried to connect to the FBI's surrogate C&C server:

The cops also compared the relative drop in Coreflood activity in the US and overseas. Sending "stop" commands to the infected PCs was noticeably more effective than simply cutting those PCs off from the C&C servers:

The big difference in the new court application is that the FBI is now asking to be allowed to uninstall Coreflood from infected PCs, not just to stop the bot process temporarily.

The FBI says it will only attempt this sort of automatic remote disinfection on "infected computers of identifiable victims who have provided written consent to do so." This should keep the EFF happy, but it won't be half as effective as blindly going ahead with automatic disinfection, without waiting for an exchange of written agreements.

Of course, even court-sanctioned auto-cleanup wouldn't solve the real problem. Hundreds of thousands of users in the US (and many more than that overseas) have allowed themselves to get and to remain infected by malware which is comparatively easy to detect, remove and prevent.

As the FBI's court application wryly notes in conclusion:

While the use of an "uninstall" command to remove Coreflood cannot be considered a replacement for the use of properly configured and updated anti-virus software, removing Coreflood from infected computers will at least serve to eliminate a known threat to that victim’s privacy and financial security.

These infected PCs actually pose a known threat not only to the victims, but also to the internet as a whole, and they advertise their infection by openly calling home to the C&C servers.

So, perhaps the FBI should have applied for permission to go at the problem in a much more gung-ho fashion, without the written permission clause?

What you you think?

, , , , , , ,

You might like

20 Responses to FBI takes on Coreflood botnet - but is this a step too far?

  1. Guest · 1626 days ago

    How about: Authorize the FBI to have a block placed on the user's internet connection until they clean their computer up.

    • Malware Fighter · 1602 days ago

      That then creates another problem. Users won't be able to download and install antivirus/antimalware programs or even update them. They'll have to go to another computer and download the programs on a USB stick or burn it to a CD.

      I suppose you could also buy the AV software @ Walmart, Best Buy, etc but if that AV fails to remove the botnet then you have lost the money you paid for it b/c opened software can not be returned for a refund.

      And we ALL know how many people in the US are not good enough with computers to achieve this. Obtaining good security software is a challenge for them because they don't know which is the right one to choose, all AVs don't detect every infection (in this case I bet some of the major AVs don't even detect this damn botnet) or it could lead to the worst side effect. Which is the user mistakenly installing a fake AV program while searching for a good AV program or purchasing a subscription to one of the real AV companies but that AV ends up not removing the botnet because it can't detect it (aka a waste of $80 since I don't think the AV industry is in the habit of giving back refunds and now you have to find another AV that CAN remove the botnet).

      • Robert W. · 1177 days ago

        Most antivirus companies offer a free 60 day trial of their software, which
        can be used to remove an infection. If one company's software doesn't
        work, then another one can be tried. The end-user would only be out the
        time involved installing and uninstalling programs and temporary charge
        to their credit card account, which can be refunded at every stage in the
        case of downloaded software.

        This seems like a reasonable resolution to the problem, and privacy is
        maintained by computer owners to the extent practical, and not in gov-
        ernment hands either.

        • jamie · 1135 days ago

          problem i found is those trials will detect viruses but if you want to actually remove a detected virus you get directed to a buy it page where you have to pay first --- really helps if one of those viruses is set to steal your credit card info as you enter it just to try to remove the virus

      • Marty G · 770 days ago

        Perhaps it could be a selective block that only allows connections to sites that can actually solve the problem?

  2. dave · 1626 days ago

    My favorite category is not there. The FBI Programmers cannot be trusted to be "as good as" the "crackers" in every case. However, an Open Source group established to do this will be. I would be intrigued by the very nature of the "Open Source Cracker Bashers" and the data-base established of the people who look at the "Open Source" code.

    Most "Crackers" appear to be children and non-Computer Whizkids who work with one of the prepackaged codesets out on the net. Those should be attacked as fast as you can AND the young perpetrators should have their pee-pees whacked, publicly so the practice loses its glamor. (You don't want them to reproduce if they are untrainable.) I don't advocate putting them in the legal system, but I would make sure they had a mentor when they coded (for awhile.)

    If the government has the money to hire these programmers, the programmers should be working to take the Power, Water, Trucking, Railroad, & Sewage systems OFF THE NET.

  3. I think there should be another option:

    The FBI informs the computer owner that their computer is unwittingly hosting illegal software and that they have a time period (two weeks?) after which time the FBI will take further action such as disinfection of the computer.

    This would convert the computer owner to a knowledgeable state where if they continued knowingly running software that was actively harming other computers they would be knowingly committing some kind of crime. This would give the FBI et al access to a much greater range of remedies. This may work internationally too albeit in a limited way.

    Hopefully a letter like this would cause most users/owners to take action.

    The letter would also have a nice bit with lots of information on how to effect a clean up along with free anti virus installation. Also it should mention a list of companies that would do the work for a discount fee.

    • Guest · 1625 days ago

      I like this option best.

      The city will come and clear weeds on your property if it is considered a fire hazard and you don't respond to their notifications. They will then bill you for the service.

      Why can't something similar be done with known financial hazards? At least for users they are able to coerce your ISP into identifying...

    • Mary · 1625 days ago

      I agree with the idea of notification warning PC owners of the infection on their PC but would add temporarily blocking the malware as well as offering free or discounted virus protection. If the FBI is going to get involved with cleaning up the internet then the only true way to reduce threats to financial and personal information is to offer on going protection as well. I pay about $80 a year for my current anti virus program. I would not mind paying the same or less to a government sponsored service that not only provides my PC with on going protection but also searches for infected machines as well.

      • I Mnster · 1622 days ago

        Free Antivirus programs and malware tools have been available for some time.
        AVG, AVAST (both are effective antivirus)

        Malware Bytes - a great tool for detecting and removing malware.
        CC Cleaner - also good for cleaning out files that are slowing down your computer.

        All of these are free and downloadable.

    • Marty G · 770 days ago

      Unfortunately, many scams pose as law enforcement notifying the user of an infection etc. And if the FBI actually started doing this, it would lend credence to the scams and cause even more confusion. Botnet control nodes are easily detected, ISPs could deny traffic to control nodes based on publicly maintained blacklists and at the same time maintain a database of infected client machines. The ISPs could contact the customers via their normal snailmail channels along with their statements perhaps.

  4. James BikeMan Gould · 1626 days ago

    Isn't this just a legal approach to something like the Welchia Worm? ( http://en.wikipedia.org/wiki/Welchia ) Which helped protect users against the infamous Blaster Worm. One of the problems with the internet is that anybody can use it - whether they're intelligent enough to user protective software or not!

    • Paul Ducklin · 1626 days ago

      Ah! How time files when you're having fun! Welchia, aka Nachi, is written up here for those with a sense of history: http://www.sophos.com/en-us/threat-center/threat-...

      The problem with Nachi and other "set a virus to catch a virus" viruses is that they're viruses.They spread automatically, breaking into and infecting other PCs without permission (and regardless of jurisdication) and then spread onwards from those PCs to the next lot, and so on. So there is a huge problem of control - previously uninfected (albeit unpatched and vulnerable systems) become infected. If there's a bug in the virus, how do you fix it? How do you call it back?

      The FBI proposal is very different. PCs which are already reaching out to a specific server for instructions - PCs which are already infected - are being given alternative instructions by order of a court. The FBI isn't trying to break into those PCs, but merely taking advantage of the fact that the PC has already "asked for" some instructions to follow.

      The FBI isn't trying to break into PCs which might be at risk of Coreflood but aren't yet infected. Nor are they instructing already infected PCs to go looking for other parts of the bot network to break into in turn.

      (I'm deliberately not taking sides here. We want to hear what our readers think :-)

      • dave · 1625 days ago

        I have absolutely no problem with this other than the caveat that the FBI Programmers are probably not good enough to write the code to clean the captured machines. And I do believe that they should "clean" the infection off the machines that are "phoning in." Since they are in a position to replace the server I would also expect huge Press Releases and very Public Trials and a Guantanamo-like prison with Joe Arapaio in charge and pink shorts in the middle of the desert. But it does no good to have a long sentence, the big thing is to utterly emasculate their User Name and Nicknames and Reputation.

      • dave · 1625 days ago

        Add this to the other one.

        If they do a crime with their Bot-Net, then they should Do The Time.

  5. dave · 1626 days ago

    1) I do not want the FBI to have a "per-user granularity" with their tools. If they can block me, they can block everybody they think is like me,

    3) The FBI should NEVER be big enough to audit 300 million users. They should never be allowed to inform a User that his machine is "Infected." The biggest problem right now is the million and a half Websites that tell you that your machine is infected and that they have the cure...

    4) As I said above, I don't believe we have enough people capable of writing that anti-cracker stuff. I haven't heard from Gene in years, I suspect he has gone "behind the fence."

    • Paul Ducklin · 1625 days ago

      The second (third?) point is a tricky one. The Dutch police recently did remote mitigation of the Bredo bot - they uploaded a program to infected PCs which called home, and the program gave them a warning and a link to helpful instructions. Of course - as you suggest - this is just the sort of thing that 1,500,000 websites will popup to warn you, only to whisk you off to a Fake Anti-Virus page. How are users to tell the difference?

      On the other hand, are we to shy away from warning users that they have malware just because there are lots of fake warnings popping up?

      (The simple answer to the "warning problem" is for the courts to authorise silent and automatic cleanup so no warning even appears. But whether or not unannounced cleanup is OK is the issue we're voting on in the poll :-)

  6. T.Anne · 1625 days ago

    Personally, I think there are two options:

    A) block the computer from accessing the net. You can have it go to a particular web page or pop up a note explaining why. Odds are people will disregard that as some sort of scam though. A physical mailer could be sent second - but then there's the issue of privacy... and again, they could think it's junk mail. As a result, I think it'd be best for their service provider to be notified and the provider to reach out to the customer explaining why they won't be able to access the internet until their computer is cleaned and walking them through the steps on how to do that...

    B) I'd rather them clear it without consent then sit there waiting for infected users to approve the action while they can still be on the net. If people were going to their houses and taking their computers - that'd be crossing the line. Pushing something to thier computer to make it safe is smart - and protects others from the infected user's neglect... in a way - it's protecting them from themselves... and others from them.

  7. Mary Fox · 1625 days ago

    If I had a dime for every Nigerian scam email I have received that purports to be from the FBI or such like, I would never need to work another day in my life. How often have you routinely deleted these, usually without opening them? In the absence of an easy way for users to realize right off that any notification on the Coreflood is legitimate and won't land you in some pop-up hell, the attempt is unlikely to be successful.

    My feelings about letting the FBI automatically clean users' computers with or without permission are definitely mixed. From the standpoint of preventing identity theft and the fact that many users don't have the brains to scan their own computers on a regular basis, it seems to make a lot of sense. On the other hand, I am deeply disturbed by the extent to which our electronic communications are able to be, and are, monitored without probable cause, initially to seek out supposed "terrorists" and increasingly people engaged in all manner of political activism. There is a "big brother" quality to all of this that the EFF has good reason to be queasy about.

    Paul Ducklin's point in the comments -- that 'PCs which are already reaching out to a specific server for instructions - PCs which are already infected - are being given alternative instructions by order of a court. The FBI isn't trying to break into those PCs, but merely taking advantage of the fact that the PC has already "asked for" some instructions to follow' -- is a valid one. I would not be inclined to object to having the FBI uninstall the malware AS LONG AS no other information is obtained from the users' computers or their ISPs. This would obviate any attempt to send personalized notifications.

    It is a must that whatever is decided upon be done in as open and transparent a manner as possible without giving hackers enough information to circumvent it.

  8. Patrick · 1429 days ago

    I have no problem with them remotely executing and removing coreflood without a user's permission. Face it, if threats such as this are to be eliminated, this is the only way, and if you told someone they had a high level infection that was stealing all of their data and putting them at risk financially, how many would refuse if you offered to fix it for free?

    If we are going to clean up the internet, it isn't going to happen by the users. We've learned that much already.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog