US Busts Up Botnet Called "Coreflood"

Matt Londale is a JD candidate at Dalhousie University.

On April 13, 2011, US authorities seized 29 domain names and 5 computers located in several US states in an attempt to break up a cybercriminal ring believed to have stolen millions of dollars from US residents using malicious software called Coreflood. According to FBI officials, the group carried out the thefts through a network of computers infected with the software, known as a "botnet".

The group used the software to harvest the financial information of people using the infected computers and then drained money from their bank accounts via wire transfers. One victim in Tennessee lost as much as $242,000. While no arrests have yet been made, the US government filed a civil suit against 13 unknown individuals on April 11, 2011. The next day it requested a court order granting permission to take control of the servers directing the network and to use them to remotely disable the malicious software on the infected computers. The order was granted on April 13, with Judge Bryant writing that "[a]llowing Coreflood to continue running on the infected computers will cause a continuing and substantial injury to the owners and users of the infected computers, exposing them to a loss of privacy and an increased risk of further computer intrusions".

Following the seizures and the issuing of the shutdown commands, the FBI stated that it believes the software has been disabled on a significant portion of the infected computers. The owners of the infected computers were not notified, and US officials say they retrieved no personal information during the course of the shutdown. An estimated 80% of the infected computers were believed to be within the US. Chris Palmer, Technology Director for the Electronic Frontier Foundation, was uneasy about the idea of government agents issuing commands to millions of civilian computers: "[i]t's other people's computers and you don't know what's going to happen for sure. You might blow up some important machine."

While this case marks the first time US authorities have replaced a malicious server with one under their own control, they have previously exercised their power to seize domain names in crackdowns on illegal gambling, counterfeit goods and digital piracy.