In an unprecedented move, the FBI has seized control of a botnet and remotely disabled the malware on infected computers. The botnet in question, called “Coreflood,” has allowed its operators to harvest financial information from over 2 million infected machines for nearly a decade.
The FBI’s attack on the Coreflood botnet began Tuesday, after receiving permission from the Department of Justice. In its request to the DOJ, the FBI sought to allow the Internet Systems Consortium (ISC) to assist in beheading and hijacking Coreflood. Wired reports:
According to the filing, ISC, under law enforcement supervision, planned to replace the servers with servers that it controlled, then collect the IP addresses of all infected machines communicating with the criminal servers, and send a remote “stop” command to infected machines to disable the Coreflood malware operating on them.
Interestingly, Coreflood reactivates each time the infected computer reboots, meaning that the FBI must keep broadcasting its “stop” command for as long as the malware remains installed. As part of a longer-term solution, the FBI is using the collected IP information to notify infected users, and Microsoft has included a signature for Coreflood in an update to its Malicious Software Removal Tool.
This is the first time that United States law enforcement has not only disabled a botnet but also sent commands directly to private computers. As an extraordinary act on the part of the FBI, it has some privacy advocates concerned. Can the FBI guarantee, for instance, that its kill command will affect every individual computer in the same way and not cause undue damage to the infected machine? Furthermore, the FBI is now, at least hypothetically, on the receiving end of personal information being transmitted without the users’ consent. In its request to the DOJ, the FBI has sworn to delete any such information, but the move is sure to rankle those with privacy concerns.
In the end, the decision to hijack Coreflood seems to come down to this statement from U.S. District Judge Vanessa Bryant, as quoted by Wired:
“Allowing Coreflood to continue running on the infected computers will cause a continuing and substantial injury to the owners and users of the infected computers, exposing them to a loss of privacy and an increased risk of further computer intrusions.”
In that respect, the Coreflood takedown operation is similar to police firing at an armed gunman. It is dangerous, and law enforcement bears some risk in doing so, but the result is that more people are protected.