Feds To Remove Coreflood Botnet from Some Infected Systems

In the next step of the joint FBI and Department of Justice action against the international Coreflood botnet, federal authorities will begin contacting some owners of infected systems in order to remove the bot software from their machines, with the owners' consent.

During the initial seizure of the U.S.-based command-and-control servers two weeks ago, the federal government said it redirected traffic intended for those servers to a government-controlled server that answered each infected machine's check-in with a command to stop the bot process. Coreflood activity has since dropped to roughly 10 percent of its level before the raid. Stopping the process does not remove the malware from the machine, however, which is why a removal step is now needed.

Officials are following up on that action and have obtained an order from a U.S. District Judge allowing them to contact U.S. owners of infected systems and, once an owner has given written consent, remotely remove Coreflood from that machine. Federal officials will then send the malware a command that causes it to uninstall itself, delivered over the same command-and-control channel the perpetrators used to spread and update Coreflood.

According to Paul Ducklin, head of technology in Asia Pacific for the security firm Sophos, this puts the feds in a novel position: "What made this [initial and recent] court order a first in the U.S. is that it gave law enforcement permission to interfere directly with computers belonging to users who weren't being investigated, or charged with any crime," he wrote in a blog posting.

A serious concern about this method of removal is that the consent form offers no assurance against unforeseen consequences; it warns explicitly that the process could damage the machine.

"While the 'uninstall' command has been tested by the FBI and appears to work, it is nevertheless possible that the execution of the 'uninstall' command may produce unanticipated consequences, including damage to the infected computers," reads the authorization consent form.

Ducklin raised the same concern. "What if the crooks have deliberately rewired the 'stop' command to carry out a 'format hard drive' operation instead?"

A safer option for anyone who still has the dormant bot on a system is to run Microsoft's out-of-band update to the Malicious Software Removal Tool (MSRT), released Tuesday.

The update adds detection for this specific malware and removes it from infected systems. MSRT updates are normally released on the second Tuesday of the month, alongside Microsoft's monthly security updates, but Microsoft will ship an out-of-band update when it deems one necessary.

"We can, and will, release MSRT as needed to support takedown activities or other times when the impact will be potentially significant," wrote Jeff Williams, principal group program manager for Microsoft Malware Protection Center, in a blog post.

About the Author

Chris Paoli is the site producer for Redmondmag.com and MCPmag.com.
