Submitted by take33
Coreflood Takedown by the FBI

Abstract
Coreflood was a computer worm (botnet) that thrived for more than a decade and had over 2,000,000 clients, most of them in the United States. This paper discusses the Coreflood botnet, its takedown by the Federal Bureau of Investigation and the Department of Justice, the privacy and security issues surrounding the takedown, and whether their actions were warranted.

Coreflood Takedown by the FBI

Coreflood was a small piece of malware that had been active for more than 10 years. Computers infected with Coreflood could perform actions the user would not have been aware of, such as sending out spam and malware, recording user keystrokes to capture account information and passwords, and taking part in coordinated website attacks (Piklorski, 2011). Coreflood was a systematic capture-and-drain scheme used to wire money from victims' accounts to the criminals' accounts. Attorneys, contractors, small business owners and individuals were all victims of these thieves (shogan, 2011).
As of February 2010, approximately 2,336,542 computers were currently or had been infected by the Coreflood botnet and turned into network sleeper agents to gather information (Piklorski, 2011). Although about 80% of these were in the United States, some were also located in other countries. Because of Coreflood's criminal success and the devastating effect it had on American citizens, the Federal Bureau of Investigation (FBI) started an effort to take it down, known internally as Operation Adeona (Dvorak, 2011).
There were sporadic reports that the Secret Service had found evidence of Coreflood prior to 2004, when a suit was filed by a Miami man. He stated that they knew Coreflood was on his computer and that he was not notified. Subsequently, he lost $90,000 to fraudulent wire transfers to Parex Bank in Latvia (Vamosi, 2008).
Criminals, using Coreflood, managed to successfully steal an estimated $100M USD worldwide from businesses and individuals via fraudulent wire transfers. A real estate company in Michigan lost $115,771 USD, a South Carolina law firm lost $78,421 USD, and a Tennessee defense contractor lost $241,866 USD (Mick, 2011). In another case, an investment company in North Carolina lost more than $150,000 USD in fraudulent wire transfers (Zetter, 2011).
Using lessons learned when federal agents raided a hosting service and seized computers that were spreading the Rustock spam botnet, information was gathered about the Coreflood payload and a reverse-engineering effort got under way. The FBI developed a plan to deploy a way to view the network traffic of the command and control servers (Mick, 2011). During the investigation, a federal judge gave the DOJ permission to seize five Command and Control (C&C) servers that remotely controlled hundreds of thousands of infected computers, along with twenty-nine domain names associated with Coreflood, and to replace those servers with its own. At midnight on April 12, 2011, authorities took control of the five command and control servers and the 29 domain names the Coreflood botnet used to communicate with them, and federal DNS servers were brought online. These actions effectively disabled the enormous network of compromised machines (DoJ, FBI disable massive Coreflood botnet, 2011). Network traffic was redirected from the Coreflood servers to replacement servers run by the nonprofit Internet Systems Consortium (ISC). When an infected computer connected to the replacements, the servers, built from the reverse engineering of the virus, instructed the infected machine to stop sending stolen data and shut down (Ducklin, 2011).
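The defender's side of redirecting the bots to replacement servers is working out which machines are infected so that their owners can be notified. The script below is an added example, not code from the essay, the FBI or the ISC: it scans constructed DNS resolver log lines for queries to placeholder seized domains (the real Coreflood domain names are not given on the page) and aggregates the hits per client address into records an ISP abuse desk could act on. Matching is done on DNS label boundaries so that a look-alike name containing a seized domain as a suffix is not counted.

```python
"""Identify infected hosts from DNS query logs against a list of seized
(sinkholed) botnet domains.

Added example, not code from the essay or from the FBI/ISC operation.
The domain names and log lines below are constructed placeholders; the
real Coreflood domains are not given on the page.
"""
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional, Set

# Placeholder stand-ins for the seized domains (constructed, not the real ones).
SEIZED_DOMAINS = {
    "cc-placeholder-1.example",
    "cc-placeholder-2.example",
}

# Constructed resolver log lines: "<ISO timestamp> <client IP> <queried name>"
SAMPLE_LOG = """\
2011-04-12T00:01:05 10.1.1.20 cc-placeholder-1.example
2011-04-12T00:01:09 10.1.1.21 www.example.org
2011-04-12T00:03:44 10.1.1.20 update.cc-placeholder-2.example
2011-04-12T00:05:00 10.1.1.22 notcc-placeholder-1.example
2011-04-12T00:07:30 10.1.1.23 CC-PLACEHOLDER-1.EXAMPLE.
2011-04-12T00:09:12 10.1.1.20 cc-placeholder-1.example
malformed line that should be skipped
"""


def normalize(name: str) -> str:
    """Lower-case a DNS name and strip the trailing root dot."""
    return name.strip().lower().rstrip(".")


def matches_seized(qname: str, seized: Set[str] = SEIZED_DOMAINS) -> Optional[str]:
    """Return the seized domain that qname equals or is a subdomain of, else None.

    The check is on label boundaries: 'notcc-placeholder-1.example' does not
    match 'cc-placeholder-1.example', but 'update.cc-placeholder-2.example' does
    match 'cc-placeholder-2.example'.
    """
    q = normalize(qname)
    for d in seized:
        if q == d or q.endswith("." + d):
            return d
    return None


@dataclass
class Victim:
    client_ip: str
    first_seen: datetime
    last_seen: datetime
    hits: int = 0
    domains: Set[str] = field(default_factory=set)


def find_victims(log_text: str, seized: Set[str] = SEIZED_DOMAINS) -> Dict[str, Victim]:
    """Aggregate queries for seized domains per client IP."""
    victims: Dict[str, Victim] = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines instead of aborting the whole run
        ts_raw, client_ip, qname = parts
        try:
            ts = datetime.fromisoformat(ts_raw)
        except ValueError:
            continue
        hit = matches_seized(qname, seized)
        if hit is None:
            continue
        v = victims.get(client_ip)
        if v is None:
            v = Victim(client_ip, ts, ts)
            victims[client_ip] = v
        v.first_seen = min(v.first_seen, ts)
        v.last_seen = max(v.last_seen, ts)
        v.hits += 1
        v.domains.add(hit)
    return victims


def notification_records(victims: Dict[str, Victim]) -> List[dict]:
    """Flatten the aggregated victims into sorted, serialisable records."""
    return [
        {
            "client_ip": v.client_ip,
            "hits": v.hits,
            "first_seen": v.first_seen.isoformat(),
            "last_seen": v.last_seen.isoformat(),
            "domains": sorted(v.domains),
        }
        for v in sorted(victims.values(), key=lambda v: v.client_ip)
    ]


if __name__ == "__main__":
    for rec in notification_records(find_victims(SAMPLE_LOG)):
        print(rec)
```

Run on the constructed log, only 10.1.1.20 (three hits across both placeholder domains) and 10.1.1.23 (an upper-case query with a trailing root dot) are reported; the look-alike name and the malformed line are ignored. In a real sinkhole the same aggregation would be fed by the replacement servers' connection logs rather than resolver logs, but the per-client summary is what the notification step needs.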
On April 13, 2011, the Department of Justice (DOJ) and FBI announced the filing of a civil complaint, the execution of criminal seizure warrants, and the issuance of a temporary restraining order (TRO) against 13 John Does believed to be running the botnet from Russia. This was all part of the most complete and comprehensive enforcement action ever taken by U.S. authorities to disable an international botnet (Affairs, 2011).
The Coreflood botnet was one of the largest and most longstanding networks of its type. It is believed to be diminishing in size because Coreflood can no longer update itself on infected computers, so anti-virus vendors are no longer faced with a moving target. The anti-virus vendors have had time to develop and release virus signatures capable of detecting the latest versions of Coreflood. Victims of Coreflood are also now notified that their computer is infected and can disconnect the computer or take other measures to remediate Coreflood (Connecticut, 2011). Despite the network shutdown, the malicious software used to infect PCs, although much weaker, still remains on the internet.
Although the FBI did a great job of gathering information, understanding the targets, and getting others in government to understand what needed to be done, not everyone agreed that it should have the authority to do so. Operation Adeona was considered precedent-setting and a success for loosening the grip of a very lethal botnet on American computers and information, yet it immediately faced controversy. The idea of a government agency having the authority to remotely run a piece of 'unauthorized' code on personal computers did not sit well with some individuals, security personnel and organizations such as the Electronic Frontier Foundation (EFF) (Piklorski, 2011).
The technology director for EFF and a former employee of Google, Chris Palmer, said: "Even if we could absolutely be sure that all of the infected Coreflood botnet machines were running the exact code that we reverse-engineered and convinced ourselves that we understood, this would still be an extremely sketchy action to take. It's other people's computers and you don't know what's going to happen for sure. You might blow up some important machine" (Piklorski, 2011).
The Chief Security Officer and creator of Metasploit, HD Moore, said: "The DOJ authorized the FBI to not only take over the Command and Control servers of the botnet, something they do frequently today, but to also send the 'shutdown' command to any infected client connecting to these servers. This action was benign and itself is not controversial. What is controversial is how jurisdiction rules apply to systems that are connected to an FBI operated Command and Control server. The infected systems included computers owned by US citizens who had no knowledge of the operation, in addition to systems outside the United States" (Ragan, 2011).
There are those that just see this as ‘hacking’ and the government gathering intelligence on its citizens. There are also those that believe that the government should never be able to access anyone’s personal computer without their knowledge. On the other side, there are those that applaud what the FBI did with the Coreflood botnet.
Fear of the power of government and the preservation of our 'Liberties' require constant vigilance on our part, and everyone has the right to exercise it. The question is whether the Coreflood botnet needed to be taken down for the economic health of United States businesses and citizens, and whether the FBI did enough to get the proper authority to do what it did. William Murray says to those on both sides: public safety, like information security, often involves difficult ethical choices, the lesser of the evils. Sometimes this will even involve the use of coercion or force. Our government is the only institution within our society that is empowered to use force (Murray, 2011).
In this instance the government did not act unilaterally; the FBI did get a court order. The FBI agents handling this takedown were not vigilantes. Furthermore, if they can be entrusted to use force in other situations, they can and should be entrusted to act on the Internet in ways that are forbidden to the ordinary citizen. This law enforcement action does not give the citizen license to do the same thing (Murray, 2011).
There are members of the security community who believe that the DOJ could not take down Coreflood in the manner in which it did without violating the Computer Fraud and Abuse Act, which states that remotely accessing a computer is a criminal offense (LaMacchia & Tomasello, 2011).
Coreflood reactivates every time a computer reboots, so this is an ongoing effort. There are also those who applaud the FBI's efforts. Andrew Fried, a security consultant in Alexandria, VA who runs Deteque, said the action was a long time coming, but he applauded the feds for making it happen. "We finally saw exactly how effective law enforcement and our judicial system can be when they attack problems using strategic rather than political methods" (Krebs, 2011).
Security and anti-virus vendors such as Norton and McAfee also applaud the DOJ and FBI for taking aggressive action against the Coreflood bot, which had a history of malicious cyber activity. Dave Marcus of McAfee Labs said: "We commend and support the actions resulting in the takedown of the Coreflood botnet and the cybercriminals that run it. This is the type of action that needs to happen to make the Internet a safer place" (Palmer, 2011) (Piklorski, 2011).
There are pros and cons for both sides of this issue. Jose Nazario, Senior Manager of Security Research at Arbor Networks stated: "It's certainly a topic that's been kicked around in the community for a long time and more people have looked at the ethics of it lately, which is good. I imagine this is being looked at very closely by people at Justice and elsewhere. They did their homework and they got lucky this time. I'm not aware of any great consensus around this topic. This kind of thing isn't well understood yet, I don't think. There's going to be a range of what's responsible and ethical to do. And I think it will be fueled by outcomes. If there are some great tragedies and someone went to uninstall a bot and blew away thousands of PCs somehow, it's a different story. That possibility is always there” (Fisher, 2011).
The judge who granted the restraining order to take down or hijack the Coreflood systems, U.S. District Judge Vanessa Bryant, wrote: "Allowing Coreflood to continue running on the infected computers will cause a continuing and substantial injury to the owners and users of the infected computers, exposing them to a loss of privacy and an increased risk of further computer intrusions" (Eddy, 2011).
The takedown of Coreflood in April 2011 will be analyzed from every angle and will be looked at carefully if and when this situation comes up again, and it will. There will always be people on both sides of the issue when it comes to citizens' private information and the power of our government. On today's internet, there will always be criminals trying to take advantage and always those trying to stop them.

References
DoJ, FBI disable massive Coreflood botnet. (2011, April 14). Retrieved from zimbio: http://www.zimbio.com/Spyware/articles/ZIoPW-PjiV1/DoJ+FBI+disable+massive+Coreflood+botnet
SANS NewsBites - Volume: XIII, Issue: 30. (2011, April 15). Retrieved from SANS: http://www.sans.org/newsletters/newsbites/newsbites.php?vol=13&issue=30#sID200
Affairs. (2011, April 13). Department of Justice Takes Action to Disable International Botnet. Retrieved from The United States Department of Justice: http://www.justice.gov/opa/pr/2011/April/11-crm-466.html
Connecticut, U. D.-D. (2011, April 23). Coreflood Botnet: Preliminary Injunction. Retrieved from The United States Department of Justice: www.justice.gov/opa/documents/coreflood-govt-supp.pdf
Ducklin, P. (2011, April 28). FBI takes on Coreflood botnet - but is this a step too far? Retrieved from Sophos nakedsecurity: http://nakedsecurity.sophos.com/2011/04/28/fbi-takes-on-coreflood-botnet-step-too-far/
Dvorak, J. C. (2011, June 1). Spyware, the FBI, and The Failure of ISPs. Retrieved from PCMag: http://www.pcmag.com/article2/0,2817,2385959,00.asp
Eddy, M. (2011, April 14). FBI Hijacks, Remotely Disables “Coreflood” Botnet. Retrieved from Geek System: http://www.geekosystem.com/fbi-coreflood-takedown/
Fisher, D. (2011, April 29). Coreflood Takedown Raises Questions About Offensive Actions Against Botnets. Retrieved from threatpost: http://threatpost.com/en_us/blogs/coreflood-takedown-raises-questions-about-offensive-actions-against-botnets-042911
Krebs, B. (2011, April). Krebs on Security. Retrieved from U.S. Government Takes Down Coreflood Botnet: http://krebsonsecurity.com/2011/04/u-s-government-takes-down-coreflood-botnet/
LaMacchia, D., & Tomasello, J. (2011, May 19). Rustock and Coreflood: a call to arms for strategic offensive action. Retrieved from SC Magazine: http://www.scmagazine.com/rustock-and-coreflood-a-call-to-arms-for-strategic-offensive-action/article/203204/
Mick, J. (2011, April 14). Ten-Year-Old, 2 Million PC Botnet Finally Killed; Stole up to $100M USD. Retrieved from Daily Tech: http://www.dailytech.com/TenYearOld+2+Million+PC+Botnet+Finally+Killed+Stole+up+to+100M+USD/article21378.htm
Murray, W. H. (2011, April 26). FBI Take-down of Coreflood Bot-net. Retrieved from Thinking About Security: http://whmurray.blogspot.com/search?q=coreflood
Palmer, A. (2011, April 22). Cybercrime Frontline Blog. Retrieved from Norton by Symantec: http://community.norton.com/t5/Cybercrime-Frontline-Blog/A-Battle-is-Won/ba-p/436044
Piklorski, C. (2011, April 18). FBI Hijacks Botnet, Drives it Off the Cliff. Retrieved from Technorati: http://technorati.com/technology/it/article/fbi-hijacks-botnet-drives-it-off/
Ragan, S. (2011, April 16). Coreflood: Botnet takedown introduces a potentially risky precedent. Retrieved from The Tech Herald: http://www.thetechherald.com/articles/Coreflood-Botnet-takedown-introduces-a-potentially-risky-precedent
shogan. (2011, April 19). Department of Justice and FBI Take Down Huge Coreflood Botnet. Retrieved from PC Pitstop: http://techtalk.pcpitstop.com/2011/04/19/department-of-justice-and-fbi-take-down-huge-coreflood-botnet/
Vamosi, R. (2008, November 7). Security expert talks Russian gangs, botnets. Retrieved from CNET: http://news.cnet.com/8301-10789_3-10086352-57.html?part=rss&subj=news&tag=2547-1_3-0-20
Zetter, K. (2011, April 26). FBI vs. Coreflood Botnet: Round 1 Goes to the Feds. Retrieved from Threat Level: http://www.wired.com/threatlevel/2011/04/coreflood_results/