Feds take down Coreflood botnet

As part of the enforcement action, the DoJ said it filed a civil complaint, executed criminal seizure warrants, and issued a temporary restraining order against the operators of the Coreflood botnet.

The cybercriminals behind Coreflood were able to steal as much as $100 million, the New York Times said, citing various estimates.

The US Attorney’s Office for the District of Connecticut filed a civil complaint against 13 “John Doe” defendants, alleging that the defendants engaged in wire fraud, bank fraud and illegal interception of electronic communications as part of the botnet scheme.

In addition, search warrants were obtained for five command and control (C & C) servers throughout the US, and a seizure warrant was obtained in U.S. District Court for the District of Connecticut for 29 domain names.

Finally, the government obtained a temporary restraining order (TRO), authorizing the government to respond to signals sent from infected computers in the US in order to stop the Coreflood software from running. As authorized by the TRO, the government replaced the illegal C & C servers with substitute servers to prevent Coreflood from causing further injury to the owners and users of infected computers and other third parties.

“The seizure of the Coreflood servers and Internet domain names is expected to prevent criminals from using Coreflood or computers infected by Coreflood for their nefarious purposes,” said US Attorney David B. Fein for the District of Connecticut.

“The actions announced today are part of a comprehensive effort by the department to disable an international botnet, while at the same time giving consumers the ability to take necessary steps to protect themselves from this harmful malware,” said Assistant Attorney General Lanny A. Breuer of the DoJ's Criminal Division.

Dave Marcus, director of research and communications at McAfee Labs, noted that this is the third takedown of a major botnet in the last six months. In October 2010, the Bredolab botnet was shutdown, and in March 2011, Rustock suffered the same fate. Comparatively, the Rustock botnet was slightly bigger than the Coreflood botnet, Marcus noted, with up to 2.4 million infected machines at its peak.

“We commend and support the actions resulting in the takedown of the Coreflood botnet and the cybercriminals that run it,”  he said, adding, “this is the type of action that needs to happen to make the Internet a safer place.”

What’s Hot on Infosecurity Magazine?