US Government strikes back with their own Botnet…kinda
Posted by Bradley Wint on 16/04/2011
The US Justice Department is taking a hands-on approach to dealing with the plethora of infected computers across the world that become slaves to the never-ending networks of botnets.
In the past, the authorities have tried time and time again to crack down on botnets by taking out the core servers that issue the commands to the drone network. Obviously this solution has its merits, because taking out the source does kill the rest of the army, but with the trojan software still present on the infected computers, spammers could always set up a new command network to try to regain control of those infected systems.
To address this, they are implementing a number of new steps on many levels, including getting the ISPs to notify users if their systems may be infected with botnet control software. On the user level, the feds encourage users to regularly scan their systems for viruses and trojans, and keep their scanners up-to-date. Since Windows systems are the main targets, Microsoft has also joined the fight against botnets by adding heuristics to their Malicious Software Removal Tool, with specific focus on a flooding tool called Coreflood.
Coreflood is a particularly harmful type of malicious software that records keystrokes and private communications on a computer. Once a computer is infected with Coreflood, it can be controlled remotely from another computer, known as a command and control (C&C) server. A computer infected by Coreflood and subject to remote control is referred to as a “bot,” short for “robot.” According to information contained in court filings, the group of all computers infected with Coreflood is known as the Coreflood botnet, which is believed to have been operating for nearly a decade and to have infected more than two million computers worldwide.
Coreflood steals usernames, passwords and other private personal and financial information allegedly used by the defendants for a variety of criminal purposes, including stealing funds from the compromised accounts. In one example described in court filings, through the illegal monitoring of Internet communications between the user and the user’s bank, Coreflood was used to take over an online banking session and caused the fraudulent transfer of funds to a foreign account.
On the government level, they have replaced 5 recently seized Command and Control centers with their own hardware, which tells the Coreflood application on users’ systems to stop running rather than letting it run as it would under the criminals’ control. The courts have granted a Temporary Restraining Order, allowing the feds to shut down the trojan application on infected computers and giving anti-virus/trojan service providers the time to create updates that remove the software completely from the system. Since using the botnet to push new software or updates onto user systems is still deemed illegal and unethical, this seems to be the only legitimate approach so far by the government (according to American standards at least).
They will also be using their substitute Command and Control centers to detect and log the IP addresses of computers running the software, and pass them on to the ISPs, so the ISPs can spread the word to end-users about cleaning up their systems.
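The tracking step described above, where the substitute C&C servers record which addresses check in and the list is handed to ISPs for customer notification, comes down to aggregating sinkhole connection logs per network owner. The following is an added illustration, not code from the article or from the government's operation: the log line format, the sample addresses (documentation ranges only) and the ISP prefix table are all constructed for the example, and a real deployment would take the prefix-to-ISP mapping from WHOIS or BGP data instead.

```python
import ipaddress
import re
from collections import defaultdict

# Hypothetical sinkhole log format for this example; real sinkhole software
# writes its own format.
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+conn\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)")

# Constructed sample log: documentation-range addresses, not real victims.
SINKHOLE_LOG = """\
2011-04-13T10:01:02Z conn src=203.0.113.45 dst=198.51.100.10 proto=tcp dport=80
2011-04-13T10:01:05Z conn src=203.0.113.45 dst=198.51.100.10 proto=tcp dport=80
2011-04-13T10:02:11Z conn src=192.0.2.77 dst=198.51.100.10 proto=tcp dport=80
2011-04-13T10:02:40Z conn src=10.0.0.5 dst=198.51.100.10 proto=tcp dport=80
2011-04-13T10:03:00Z conn src=203.0.113.200 dst=198.51.100.10 proto=tcp dport=80
2011-04-13T10:03:30Z garbage that does not parse
2011-04-13T10:04:00Z conn src=203.0.113.45 dst=198.51.100.10 proto=tcp dport=80
2011-04-13T10:05:00Z conn src=198.51.100.99 dst=198.51.100.10 proto=tcp dport=80
"""

# Constructed (hypothetical) ISP allocation table; longest prefix wins.
ISP_PREFIXES = {
    "203.0.113.0/24": "ExampleNet",
    "203.0.113.128/25": "ExampleNet Cable",  # more specific sub-allocation
    "192.0.2.0/24": "DocTelecom",
}

# Sources that can never identify an ISP customer: RFC 1918, loopback,
# link-local, benchmarking. ipaddress.is_private is deliberately not used
# because it also flags the documentation ranges used as sample data here.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "198.18.0.0/15",
)]

PREFIX_TABLE = sorted(
    ((ipaddress.ip_network(p), isp) for p, isp in ISP_PREFIXES.items()),
    key=lambda item: item[0].prefixlen, reverse=True,
)


def isp_for(addr):
    """Return the ISP owning addr (longest prefix match) or None."""
    addr = ipaddress.ip_address(addr)
    for net, isp in PREFIX_TABLE:
        if addr in net:
            return isp
    return None


def aggregate_sinkhole_log(text):
    """Group unique bot source addresses per ISP.

    Returns (report, skipped) where report is
    {isp_or_'unknown': {ip: {'hits', 'first_seen', 'last_seen'}}} and
    skipped counts lines that were malformed or came from non-routable space.
    """
    report = defaultdict(dict)
    skipped = {"malformed": 0, "non_routable": 0}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            skipped["malformed"] += 1
            continue
        try:
            addr = ipaddress.ip_address(m["src"])
        except ValueError:
            skipped["malformed"] += 1
            continue
        if any(addr in net for net in NON_ROUTABLE):
            skipped["non_routable"] += 1
            continue
        bucket = report[isp_for(addr) or "unknown"]
        entry = bucket.setdefault(
            str(addr), {"hits": 0, "first_seen": m["ts"], "last_seen": m["ts"]}
        )
        entry["hits"] += 1
        entry["last_seen"] = m["ts"]
    return dict(report), skipped


def notification_for(isp, bucket):
    """Render the per-ISP notice: one line per infected customer address."""
    lines = [f"To {isp}: {len(bucket)} address(es) contacted the sinkhole"]
    for ip in sorted(bucket, key=ipaddress.ip_address):
        e = bucket[ip]
        lines.append(
            f"  {ip}  hits={e['hits']}  first={e['first_seen']}  last={e['last_seen']}"
        )
    return "\n".join(lines)


if __name__ == "__main__":
    report, skipped = aggregate_sinkhole_log(SINKHOLE_LOG)
    for isp, bucket in sorted(report.items()):
        print(notification_for(isp, bucket))
    print("skipped:", skipped)
```

Addresses with no matching allocation land in an "unknown" bucket rather than being dropped, so a gap in the prefix table is visible in the report instead of silently hiding infected machines; first/last seen timestamps let the ISP tell a still-active bot from a one-off check-in.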
Clearly the fight does not stop at the Coreflood level, because hackers and spammers are always creating the next big bad thing, so the US government is focusing on getting end-users to be more aware of the threats they face daily and urging them to keep their security tools up-to-date. The operation is still relatively passive when compared to other campaigns carried out in Europe, where government officials pushed their own software onto infected machines to remove the botnet software altogether.