Feds Take 'Coreflood Botnet': 'Zombie' Army May Have Infected 2 Million Computers, Stolen Hundreds of Millions of Dollars

Coreflood crime ring believed to infect 2 million computers, steal millions.

WASHINGTON, April 13, 2011 -- The FBI and the Justice Department say they have disabled a "botnet" of more than two million computers infected with malicious code that Eastern European cyber criminals may have used to drain millions of dollars from bank accounts around the world.

The victims include a Tennessee defense contractor that had $241,000 stolen from a bank account, a Michigan real estate company that lost more than $115,000, a South Carolina law firm that had $78,000 taken from its accounts and a North Carolina investment firm that lost $151,000 to fraudulent wire transfers, according to court documents.

Army of Computer Zombies

U.S. authorities continue to combat the network of remotely controlled computers called the "Coreflood" botnet, which has secretly recorded computer users' keystrokes to compromise vast amounts of banking and financial data.

Botnets are armies of so-called "zombie" computers, often ordinary people's machines, that have been hijacked by hackers and ordered to vacuum up private information from bank accounts, credit card data, email services and social media sites.

Coreflood is believed to have been operating since 2002 and has resulted in an unknown number of U.S. bank accounts being broken into with losses that could be in the hundreds of millions of dollars, according to FBI officials.

The Justice Department and FBI filed a civil complaint against 13 "John Doe" defendants, charging them with wire fraud, bank fraud and illegal interception of electronic communications. Investigators will seek to identify the "John Does" as the investigation continues.

The FBI and Justice Department also have executed search warrants to seize Internet domain names believed to be tied to the control servers for the Coreflood program.

'Full Extent of the Financial Loss ... Is Not Known'

The botnet has stolen vast amounts of funds from bank accounts in the United States, FBI officials said, and could have stolen hundreds of millions of dollars worldwide.

"The full extent of the financial loss caused by the Coreflood botnet is not known, due in part to the large number of infected computers and the quantity of stolen data," read a civil complaint filed in U.S. Federal District Court in Connecticut.

"As of in or about February 2010, there were approximately 2,336,542 infected computers that were, or had been, part of the Coreflood botnet," the complaint said. "Approximately 1,853,005 of the infected computers appear to have been located in the United States, with the remainder located in countries around the world."

First Time U.S. Authorities Asked Permission 'to Control a Seized Botnet'

Investigators received a temporary restraining order from the district court allowing them to seize control of the infected computer servers to try to further dismantle and disable the Coreflood botnet.

In its request to the court, the Justice Department wrote, "This is the first case in which United States law enforcement authorities have requested authorization to control a seized botnet using a substitute command and control server. A similar approach was taken by Dutch law enforcement authorities against the 'Bredolab' botnet, in which 'good' software developed by Dutch authorities was downloaded and executed on infected computers around the world as a means of victim notification."

According to Justice Department officials, the server that will seek to counter Coreflood will be run by the Internet Systems Consortium, a non-profit group that works on Internet infrastructure and security issues.

"These actions to mitigate the threat posed by the Coreflood botnet are the first of their kind in the United States and reflect our commitment to being creative and proactive in making the Internet more secure," Shawn Henry, the FBI's executive assistant director of the bureau's Criminal, Cyber, Response and Services Branch, said in a prepared statement.

How to Clean Your Computer

FBI officials say that the Coreflood program will still be present on victims' computers, but those victims can take action to remove the malicious software through proper security measures.

In a press release today, the DOJ noted, "The public may go to the following sites operated by U.S. Computer Emergency Readiness Team (CERT) and the Federal Trade Commission, respectively: us-cert.gov/nav/nt01 and onguardonline.gov/topics/malware.aspx."

Microsoft also has developed malicious software removal tools to remove botnets including Coreflood.

"In coordination with the FBI, the Microsoft Malware Protection Center has added Win32/Afcore (Coreflood) malware detection in our Malicious Software Removal Tool to help minimize the malware's future impact," said Richard Boscovich, senior attorney for the Microsoft Digital Crimes Unit. "Please see the MMPC blog for more technical information about the Win32/Afcore malware."

Coreflood Botnet Believed Based in Russia

Although FBI officials declined to say where the Coreflood botnet originated, previous media reports and cyber-security experts have traced it to cyber criminal gangs in Russia.

Researchers at Dell SecureWorks claim they were the first to trace Coreflood to a computer crime ring from Russia.

Testifying before the Senate Judiciary Committee on Tuesday, Gordon Snow, the assistant director of the FBI's Cyber Division, spelled out how Russia and Eastern Europe have become a hotbed of computer crime.

"On the criminal side, a majority of the attacks [are] coming from the individuals that are located in Russia, obviously different from the Russian state, and Eastern European countries," Snow said. "We see a very strong network of a cyber underground very closely associated, with almost an eBay or an Amazon-type system. ... Once you receive a service from one of these cyber criminals ... [they are] able to just combine together in chat rooms in this cyber underground ... [and] allowed to buy different pieces that they need to carry out the attack."

In 2009, the FBI established a working group called the Botnet Threat Focus Cell that works with other law enforcement agencies and private computer security experts. The cell was designed to deal with new avenues of cybercrime in which hackers have used botnets to take over anywhere from hundreds to millions of computers.

The Botnet Threat Focus Cell worked on the Coreflood case and recently worked on the "King of Spam" case, in which a Russian man sent more than 1 billion spam messages, and the "Mariposa" botnet, which infected more than 12.7 million computers, including half of the companies in the Fortune 1,000 list.

Last month, Microsoft took matters into its own hands and sought a federal court order to seize computer servers that were hosting a botnet dubbed "Rustock." The company has set up its own digital crime unit to combat computer crimes and claims to have given technical help to federal investigators.

"There is clearly a strong public/private momentum happening in the fight against botnets and the Microsoft Digital Crimes Unit was happy to provide technical information from the lessons we learned from the recent Rustock and Waledac botnet takedowns to assist these agencies in their operation," Boscovich said.

Microsoft estimated that Rustock infected about 1 million computers and, at times, was capable of sending 30 billion spam email messages a day.

According to a posting on Microsoft's blog in March, "DCU [Microsoft's Digital Crimes Unit] researchers watched a single Rustock-infected computer send 7,500 spam emails in just 45 minutes -- a rate of 240,000 spam mails per day."