FBI To Disable Coreflood Malware on Private PCs

Federal officials will act against Coreflood malware by sending commands that cause the botnet to remove itself, using the same network the perpetrators used to spread and update Coreflood.

Federal officials have obtained an approved order by a U.S. District Judge that allows them to contact those in the U.S. with systems infected with Coreflood malware and remotely remove the botnet from their machines after written consent is given by the user.

The joint action between the FBI and the Department of Justice is the latest step to take down the international Coreflood botnet ring, which has operated for over a decade to penetrate systems with its software and commit crimes such as identity theft.

During the initial seizure of the U.S.-based Command and Control servers two weeks ago, the federal government said it redirected traffic intended for these servers to a protected server that sent a signal to terminate the botnet process. This has led to Coreflood operations to drop to close to 10 percent of what it was before the federal raid.

After written consent is given by the user, federal officials will act against the malware by sending commands that causes the botnet to remove itself, using the same network the perpetrators used to spread and update Coreflood.

According to Paul Ducklin, head of technology in Asia Pacific for the security firm Sophos, this puts the feds in a unique situation: "What made this [initial and recent] court order a first in the U.S. is that it gave law enforcement permission to interfere directly with computers belonging to users who weren't being investigated, or charged with any crime," he wrote in a blog posting.

A serious concern about the method of removal is that the written consent doesn't come with assurance that unforeseen consequences may occur during the process.

"While the 'uninstall' command has been tested by the FBI and appears to work, it is nevertheless possible that the execution of the 'uninstall' command may produce unanticipated consequences, including damage to the infected computers," reads the authorization consent form.

Ducklin also expressed his doubt about this very issue. "What if the crooks have deliberately rewired the 'stop' command to carry out a 'format hard drive' operation instead?"

A safer option for those who still have the dormant botnet on their system could be to use the out-of-band Malicious Software Removal Tool (MSRT) update by Microsoft, released Tuesday.

The update improves the detection process of the specific malware and aids in the safe removal from systems. While updates like these are usually reserved for the first Tuesday of the month, Microsoft will release periodical updates if deemed necessary.

"We can, and will, release MSRT as needed to support takedown activities or other times when the impact will be potentially significant," wrote Jeff Williams, principal group program manager for Microsoft Malware Protection Center, in a blog post.

About the Author

Chris Paoli is the site producer for and

comments powered by Disqus

Reader Comments:

Fri, Apr 29, 2011 Thomas

After reading the part where you suggest people with infected zombie-bot computers should run Windows Update and install the MSRT, I seriously laughed and choked on a donut. The "shadow internet" (machines that have been compromised by poor or lacking oversight by their owners), is estimated to be roughly 100 times as big as the entire visible World Wide Web. There are countless millions of machines out there, many likely purchased at the local Best Buy 5 years ago, left running and connected to the wire for no reason (wasting energy), never getting an AV or firewall installed (or the owner simply got cheap and decided not to update the subscription). Could the FBI get all sneaky and malicious accessing these machines? Of course. But they could access those machines and many others with perfectly healthy AV and firewalls, right now, if they wanted to. So rather than worry about something that either we cannot prevent, or which is highly unlikely to happen, we really should look at this from another perspective: We're all networked today. If someone fails to maintain a clean computer, and risks exposing the rest of us to some malicious code or exploitation, I'd love for ANYONE (whether it's the FBI or some private superhero entity) to go so far as to prevent those machines from any outbound traffic until and unless it is patched. It's the same difference to me between two people, who both have vicious dogs. One person keeps the dog inside their house, where it can't get out. The other lets it run away, anywhere it wants. No, I wouldn't expect authorities to enter the first house without a warrant, because the situation is not harmful to anyone. But in the second case, the owner is no longer in control of the dog. Even though the dog physically is owned by that person, living in that house, the dog is running wild. I'd give anyone permission to kill it, before anyone gets hurt. And if you think bots can't hurt (or maybe even kill) people, then you're ignorant.

Add Your Comment:

Your Name:(optional)
Your Email:(optional)
Your Location:(optional)
Please type the letters/numbers you see above