Feds Fight To Disable International Botnet Conspiracy

Register now

WASHINGTON – In the first known coordinated action of its kind, the Department of Justice and FBI filed a civil suit, criminal seizure warrants and a temporary restraining order this afternoon to disable an international botnet that has been used to access thousands of bank accounts and businesses.


The botnet is a network of hundreds of thousands of computers infected with a malicious software program known as Coreflood, which installs itself by exploiting a vulnerability in computers running Windows operating systems. Coreflood allows infected computers to be controlled remotely for the purpose of stealing private personal and financial information from unsuspecting computer users, including users on corporate computer networks, and using that information to steal funds.


“The actions announced today are part of a comprehensive effort by the department to disable an international botnet, while at the same time giving consumers the ability to take necessary steps to protect themselves from this harmful malware,” said Assistant Attorney General Lanny Breuer.


Authorities filed a civil suit against 13 unknown “John Doe” defendants, alleging the defendants engaged in wire fraud, bank fraud and illegal interception of electronic communications. In addition, search warrants were obtained for computer servers throughout the country, and a seizure warrant was obtained for 29 domain names. The government also obtained a temporary restraining order, authorizing the government to respond to signals sent from infected computers in the U.S. in order to stop the Coreflood software from running, thereby preventing further harm to hundreds of thousands of unsuspecting users of infected computers in the U.S.


Coreflood is a particularly harmful type of malicious software that records keystrokes and private communications on a computer. Once a computer is infected with Coreflood, it can be controlled remotely from another computer, known as a command and control server. A computer infected by Coreflood and subject to remote control is referred to as a “bot,” short for “robot.” According to information contained in court filings, the group of all computers infected with Coreflood is known as the Coreflood botnet, which is believed to have been operating for nearly a decade and to have infected more than two million computers worldwide.


Coreflood steals usernames, passwords and other private personal and financial information allegedly used by the defendants for a variety of criminal purposes, including stealing funds from the compromised accounts. In one example described in court filings, through the illegal monitoring of Internet communications between the user and the user’s bank, Coreflood was used to take over an online banking session and caused the fraudulent transfer of funds to a foreign account.








For reprint and licensing requests for this article, click here.