FBI takes down coreflood botnet (after 8 years in operation?)


V

Virus Guy

Is this the same "coreflood" that's been around since 2002?

Controlled by the same people?

=====================================================

http://www.computerworld.com/s/arti...pples_Coreflood_botnet_says_FBI?taxonomyId=17

Court order cripples Coreflood botnet, says FBI

But Microsoft re-releases Coreflood scrubber

By Gregg Keizer
April 26, 2011 04:32 PM ET

Computerworld - Although the Federal Bureau of Investigation (FBI) said
a federal temporary restraining order has crippled the Coreflood botnet
in the U.S., Microsoft today took the unusual step of pushing a second
version of its monthly malware cleaner to Windows users to again quash
the botnet.

Coreflood made the news earlier this month when the U.S. Department of
Justice (DOJ) and FBI obtained an unprecedented temporary restraining
order that allowed them to seize command-and-control servers that
managed the botnet's estimated 2.3 million compromised PCs.

Those servers were replaced by government-controlled systems.

The court order also allowed the DOJ and FBI to issue commands using
those replacement servers that disabled, but did not uninstall,
Coreflood on infected PCs that asked for new commands.

In an affidavit filed in a Connecticut federal court last Saturday, FBI
Special Agent Briana Neumiller said that the server seizure and
"kill-switch" instructions issued to the malware have crippled the
botnet.

On April 13, the day after the DOJ and FBI seized the Coreflood servers,
the government replacements received nearly 800,000 command requests, or
"beacons," from Coreflood-infected machines in the U.S. A week later,
the number of beacons had plummeted to less than 100,000.

"Two possible reasons why the Coreflood Botnet is getting smaller are as
follows: (i) because Coreflood has not been able to update itself on
infected computers, anti-virus vendors have been able to release virus
signatures capable of detecting the latest versions of Coreflood,"
Neumiller said in her affidavit. "And (ii) as victims of Coreflood are
notified of their infected computers, they may be disconnecting the
infected computers from the Internet or taking other measures to disable
or remove Coreflood."

The restraining order, which was transformed from "temporary" to
"preliminary" this week by U.S. District Court Judge Vanessa Bryant,
allows the DOJ and FBI to identify infected computers using IP
addresses. The agencies then notify the ISPs (Internet service
providers) responsible for those addresses; the ISPs are to send the
owners of those PCs a form letter telling them that their computer is
infected and urging them to run tools to delete the malware.

While the volume of beacons from U.S. PCs has fallen to one-tenth of the
number prior to the takedown, Neumiller noted that beacons from foreign
machines -- which haven't received instructions to stop running the bot
-- have not dropped as rapidly. As of last Friday, beacons from foreign
PCs were about a quarter that of April 13.

Neumiller also said that the FBI has identified "seventeen state or
local government agencies, including one police department; three
airports; two defense contractors; five banks or financial institutions;
approximately thirty colleges or universities; approximately twenty
hospital or health care companies; and hundreds of businesses" infected
with Coreflood.

Microsoft today said it was releasing another edition of its Malicious
Software Removal Tool (MSRT) to bolster the cleaning process.

"This edition includes variants of Afcore released by the criminals
behind it at approximately the same time as the previous edition of
MSRT." said Jeff Williams, a principal group program manager with the
Microsoft Malware Protection Center.

Typically, Microsoft ships a new version of its Malicious Software
Removal Tool (MSRT) only once each month as part of its Patch Tuesday
package. The free MSRT, which targets a limited number of malware
families, scrubs PCs of attack code. Microsoft feeds the tool to users
through the same Windows Update mechanism that serves up security
patches.

Microsoft said earlier this month that it added Coreflood detection to
the April 13 version "at the request of the FBI and the Department of
Justice." Today the company declined to confirm whether it re-released
the tool at the request of the DOJ and FBI.

Neumiller's affidavit included a chart that showed a resurgence in
Coreflood beacons on April 18. That spike may have prompted the DOJ and
FBI to ask Microsoft to reissue MSRT.

Microsoft's newest version of the MSRT can be manually downloaded from
the company's Web site. Windows PCs should receive the revised tool
shortly via the Windows Update service.
 
Ad

Advertisements

D

David H. Lipman

From: "Virus Guy said:
Is this the same "coreflood" that's been around since 2002?

Controlled by the same people?

=====================================================

http://www.computerworld.com/s/arti...pples_Coreflood_botnet_says_FBI?taxonomyId=17

Court order cripples Coreflood botnet, says FBI

But Microsoft re-releases Coreflood scrubber

By Gregg Keizer
April 26, 2011 04:32 PM ET

Computerworld - Although the Federal Bureau of Investigation (FBI) said
a federal temporary restraining order has crippled the Coreflood botnet
in the U.S., Microsoft today took the unusual step of pushing a second
version of its monthly malware cleaner to Windows users to again quash
the botnet.

Coreflood made the news earlier this month when the U.S. Department of
Justice (DOJ) and FBI obtained an unprecedented temporary restraining
order that allowed them to seize command-and-control servers that
managed the botnet's estimated 2.3 million compromised PCs.

Those servers were replaced by government-controlled systems.

The court order also allowed the DOJ and FBI to issue commands using
those replacement servers that disabled, but did not uninstall,
Coreflood on infected PCs that asked for new commands.

In an affidavit filed in a Connecticut federal court last Saturday, FBI
Special Agent Briana Neumiller said that the server seizure and
"kill-switch" instructions issued to the malware have crippled the
botnet.

On April 13, the day after the DOJ and FBI seized the Coreflood servers,
the government replacements received nearly 800,000 command requests, or
"beacons," from Coreflood-infected machines in the U.S. A week later,
the number of beacons had plummeted to less than 100,000.

"Two possible reasons why the Coreflood Botnet is getting smaller are as
follows: (i) because Coreflood has not been able to update itself on
infected computers, anti-virus vendors have been able to release virus
signatures capable of detecting the latest versions of Coreflood,"
Neumiller said in her affidavit. "And (ii) as victims of Coreflood are
notified of their infected computers, they may be disconnecting the
infected computers from the Internet or taking other measures to disable
or remove Coreflood."

The restraining order, which was transformed from "temporary" to
"preliminary" this week by U.S. District Court Judge Vanessa Bryant,
allows the DOJ and FBI to identify infected computers using IP
addresses. The agencies then notify the ISPs (Internet service
providers) responsible for those addresses; the ISPs are to send the
owners of those PCs a form letter telling them that their computer is
infected and urging them to run tools to delete the malware.

While the volume of beacons from U.S. PCs has fallen to one-tenth of the
number prior to the takedown, Neumiller noted that beacons from foreign
machines -- which haven't received instructions to stop running the bot
-- have not dropped as rapidly. As of last Friday, beacons from foreign
PCs were about a quarter that of April 13.

Neumiller also said that the FBI has identified "seventeen state or
local government agencies, including one police department; three
airports; two defense contractors; five banks or financial institutions;
approximately thirty colleges or universities; approximately twenty
hospital or health care companies; and hundreds of businesses" infected
with Coreflood.

Microsoft today said it was releasing another edition of its Malicious
Software Removal Tool (MSRT) to bolster the cleaning process.

"This edition includes variants of Afcore released by the criminals
behind it at approximately the same time as the previous edition of
MSRT." said Jeff Williams, a principal group program manager with the
Microsoft Malware Protection Center.

Typically, Microsoft ships a new version of its Malicious Software
Removal Tool (MSRT) only once each month as part of its Patch Tuesday
package. The free MSRT, which targets a limited number of malware
families, scrubs PCs of attack code. Microsoft feeds the tool to users
through the same Windows Update mechanism that serves up security
patches.

Microsoft said earlier this month that it added Coreflood detection to
the April 13 version "at the request of the FBI and the Department of
Justice." Today the company declined to confirm whether it re-released
the tool at the request of the DOJ and FBI.

Neumiller's affidavit included a chart that showed a resurgence in
Coreflood beacons on April 18. That spike may have prompted the DOJ and
FBI to ask Microsoft to reissue MSRT.

Microsoft's newest version of the MSRT can be manually downloaded from
the company's Web site. Windows PCs should receive the revised tool
shortly via the Windows Update service.


The coreflood botnet takedown was announced in a.p.s on 4/15

http://www.fbi.gov/news/stories/2011/april/botnet_041411/botnet_041411

RLK-F added the following...

http://newhaven.fbi.gov/dojpressrel/pressrel11/pdf/nh041311_4.pdf
 
V

Virus Guy

"David H. Lipman" unnecessarily full-quoted:
The coreflood botnet takedown was announced in a.p.s on 4/15

What group is a.p.s?

Still doesn't explain if this is essentially the same malware that's
been in circulation (and in use?) for the past 8 years (coinciding with
the introduction of win-XP I suppose...)
 
D

David H. Lipman

From: "Virus Guy said:
"David H. Lipman" unnecessarily full-quoted:


What group is a.p.s?

Still doesn't explain if this is essentially the same malware that's
been in circulation (and in use?) for the past 8 years (coinciding with
the introduction of win-XP I suppose...)

Sorry, I used News Group shorthand.

alt.privacy.spyware
 
V

Virus Guy

David H. Lipman said:
Sorry, I used News Group shorthand.

Shorthand is fine (normally).
alt.privacy.spyware

Is that a more appropriate, relevant, topical, or useful place to find
discussions about trojans and botnets?

Does coreflood fall into the catagory of spyware?
 
Ad

Advertisements

D

David H. Lipman

From: "Virus Guy said:
Shorthand is fine (normally).


Is that a more appropriate, relevant, topical, or useful place to find
discussions about trojans and botnets?

Does coreflood fall into the catagory of spyware?

Not really but due to overlap it wasn't OT.
 
Ad

Advertisements

F

FromTheRafters

Rhonda said:
I just opened it again using Firefox. See if you can get it here:

http://usenet.posterous.com/52088287

You should be able to read it on the site or download it.

It didn't work even after I downloaded it to my desktop.

I booted up an old BT3 Linux Live CD and it opened up just fine there.
Maybe I need to replace my pdf reader on Windows. Thanks for the link.

Once the government gets a taste of the botherding business, I wonder if
they'll be able to quit. :blush:)
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Top