Coreflood Botnet An Attractive Target For Takedown For Many Reasons

Old-school botnet provided an opportunity for a successful takeover in unprecedented operation by the DOJ, FBI

The Justice Department and FBI's operation to derail the 7-year-old Coreflood botnet set a precedent for how these criminal networks will be targeted by law enforcement, and the relatively old-school botnet's architecture made the feds' method of takedown especially attainable.

Officials from the DOJ yesterday announced that they were able to step between the botnet's servers and 2 million infected machines, or bots, by issuing "stop" commands to the bots calling home to the five command-and-control servers they seized that send instructions to the infected machines. In the most aggressive move by U.S. law enforcement ever to kill a botnet, the takedown effort came via some serious legal firepower, including a civil complaint, criminal seizure warrants, and a temporary restraining order.

The civil suit was filed by the U.S. Attorney's Office for the District of Connecticut against 13 "John Doe" defendants who allegedly engaged in wire fraud, bank fraud, and illegal interception of electronic communications with Coreflood. Coreflood experts say the botnet's two to three masterminds are included among the John Does. The feds also seized and took over 29 domain names used by the botnet, and used the temporary restraining order to cut the bots off from the botnet.

The DOJ worked with the Internet Systems Consortium (ISC), which set up its own decoy servers running a copy of the botnet source code obtained by researchers. "They wrote a version of the command-and-control software that sends nothing but the 'stop' command," says Don Jackson, a senior researcher with Dell SecureWorks' Counter Threat Unit and whose organization has studied the Russia-based Coreflood botnet for years and lent a hand in the DOJ case. So when the bots tried to reach out to the Coreflood C&S server for instructions, the commandeered servers intercepted the communications.

What made Coreflood such an attractive target for the feds was its relative size and simple architecture, as well as the fact that its servers were based in the U.S. Coreflood was a relatively small operation run by a single group. "It was fortunate in the way it uses domain names and is not state-of-the-art and as robust as other botnets. [That] certainly helped a lot ... They could use this as an opportunity for the first time to issue commands to a botnet," Jackson says.

Gunter Ollmann, vice president of research for Damballa, also feels this old-school botnet made it easier to intercept. "[Coreflood] doesn't possess many of the 'security features' present in more modern crimeware packages-- therefore there are no hurdles in this case in issuing unsigned commands to the botnet victims," Ollmann said in a blog post today. "A lot of the more popular Botnet construction kits today come with robust command signing and authentication systems to prevent rogue CnC servers (and competitor cybercriminals) issuing unauthorized commands to the botnet owner’s hoard of money-making zombies."

Just because Coreflood wasn't state-of-the art doesn't mean the feds can't expand on its newfound strategy with more technically sophisticated botnets, he says. "While the specific technique used against the Coreflood botnet may only apply to the older botnets, there are other techniques available to tackle more modern or sophisticated botnets," Ollmann says.

The feds stopped short of having the servers instruct the Coreflood bots to delete the bot code. "There was a conscious decision not to send a 'delete yourself' command," Dell SecureWorks' Jackson says. The risk was a self-deleting bot inadvertently causing a blue screen of death or other problems, he says.

And federal officials took great pains to clarify that people whose computers are Coreflood-infected can opt out from the temporary restraining order set up to stop the botnet, and that law enforcement would not access any information stored on their machines.

Cleanup is being spearheaded by Microsoft, which has added Coreflood -- a.k.a. Win21/Afcore -- detection to its Malicious Software Removal Tool (MSRT). The Microsoft Security Essentials anti-malware tool also detects the malware. ISPs also have lists of infected IP addresses so they can alert infected end users.

Coreflood has been well-known among the security researcher community for years. Joe Stewart, a botnet expert at Dell SecureWorks, in 2008 identified enhancements to the botnet that allowed it to spread like a worm and quietly steal hundreds of thousands of credentials from corporate users and other large organizations. The botnet was known for stealing money from compromised bank accounts.

Dell SecureWorks' Jackson says he and colleague Ben Feinstein in January of this year approached DoD officials at a conference in Atlanta about going after the relatively small botnet operation. "It was hitting inside companies," Jackson says, and had been around for nearly 10 years, so its derailment was long overdue.

But experts say there's no guarantee that Coreflood's operators ultimately will pay for their crimes -- they could potentially walk and then reinvent their operation with another botnet. "I am holding out hope. It would be unprecedented if they did" pay for their crimes, Dell SecureWorks' Jackson says. "This is unprecedented politically and with the cooperation between private and public" entities, he says. The challenge, however, will be how the Russian authorities handle the case.

"Coreflood has been around for so long, there have doubtless been organizational changes along the way, and the business model for this kind of crime is evolving constantly. That is why it is so crucial that law enforcement move quickly -- much more quickly than we have. That requires training and resources, and we need these things now," says Nick Selby, a cybercrime consultant and police officer who co-founded the Police Led Intelligence blog and podcast.

Meanwhile, the DOJ said the takedown doesn't eradicate Coreflood's malware or iterations of it, noting that another botnet could be erected using different versions of the malware or other malware.

Overall, security experts applauded the cooperative effort in the Coreflood case.

"There is clearly strong public and private momentum in the fight against botnets, and the Microsoft Digital Crimes Unit was happy to provide technical information from the lessons we learned from the recent Rustock and Waledac botnet takedowns to assist these agencies in their operation," said Richard Boscovich, senior attorney for Microsoft's Digital Crimes Unit.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.

About the Author(s)

Kelly Jackson Higgins, Editor-in-Chief, Dark Reading

Kelly Jackson Higgins is the Editor-in-Chief of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, Virginia Business magazine, and other major media properties. Jackson Higgins was recently selected as one of the Top 10 Cybersecurity Journalists in the US, and named as one of Folio's 2019 Top Women in Media. She began her career as a sports writer in the Washington, DC metropolitan area, and earned her BA at William & Mary. Follow her on Twitter @kjhiggins.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights