Rustock and Coreflood: a call to arms for strategic offensive action
David LaMacchia, principal developer, Cloudmark
Temporary restraining orders (TROs) gave U.S. marshals the authority to raid colocation facilities in the United States, seize C&C hardware and reroute traffic to their own machines.
Both were complex technical achievements combined with legal complaints based on existing legislation.
Both TROs, which were confidential and only unsealed after the raids, were obtained through civil, not criminal, litigation. In the case against the Rustock operators, the Lanham Act, which covers trademark law, and the CAN-SPAM Act were used to provide federal jurisdiction for discovery.
Prior to this incident, trademark law has never before been used to disable a botnet. The Lanham Act allowed Microsoft to seize “goods and counterfeit marks involved… and the means of making such marks, and records documenting the manufacture, sale, or receipt of things involved…”
The Coreflood complaint cited sections in Title 18, covering wire fraud, bank fraud and unauthorized interception of electronic communications. Both suits enabled federal involvement through TROs, which led to the seizure of C&C hardware and demonstrate sophistication on the part of the plaintiffs against unknown defendants.
Both botnets were the target of coordinated strategic offensive action between corporations and government agencies. Both botnets had the majority of their C&C machines hosted in the United States and thus were subject to the Lanham Act and other federal laws.
Because U.S. bots with reliable internet connections are valuable to spammers. They are more expensive to rent than those located elsewhere. Furthermore, U.S. bots that make routine connections to C&C hosts with U.S. IP addresses, as well as the U.S.-based C&C hosts themselves, are less likely to look suspicious and therefore are appealing.
In the Coreflood takedown, the government went beyond just disabling the botnet. It actually took C&C hosts offline, registered and held their domains, and sent the botnet to a sinkhole. The government was prepared to clean up the infected hosts. Through the use of a “stop” signal, sent remotely, botnet activity can be halted with a victim's consent and an “uninstall” command can wipe out Coreflood entirely.
This marks the first time the U.S. government has remotely modified an infected computer, at least publicly.
Some members of the security community wonder how the U.S. Department of Justice (DOJ) could do this without violating the Computer Fraud and Abuse Act, which criminalizes accessing a computer without authorization.
Though victims will be contacted by their ISPs and allowed to “opt out” -- not to mention shutting down a botnet is laudable -- this sets a potentially dangerous precedent by allowing the DOJ to alter an individual's computer as part of an allegation of wrongdoing to which the individual is not a willing participant.
Government sanctioned counter botnet tactics have not been taken before in the United States. They may set a precedent for aggressive access of personal computers, such as when Dutch and Armenian authorities disabled the Bredolab botnet without consent by counter-infecting computers with a “good” bot to disable the malicious one.
Back to Rustock. Why is this case noteworthy?
It is a shining example of how a coordinated strategic offensive action between multiindustry victims can be successful, but it also shows that additional cyber-specific laws are not needed for an action to be successful.
Coordinated strategic offensive actions empower service provider and trademark holder victims by leveraging existing laws.
In the days before CAN-SPAM, long-standing tort laws, such as “trespass to chattels,” were used to successfully pursue spammers and are still being used today. Federal laws such as CAN-SPAM and the Computer Fraud and Abuse Act empowers entities filing civil actions by granting them the ability to issue subpoenas across jurisdictions.
This cross-jurisdictional benefit allows victims to move more quickly to collect information on internet data points, which may expire or be altered. In addition, information acquired during discovery can be used to create a more effective criminal referral. If a TRO is not filed and the case is not under seal, in many instances the subpoenaed entity will give notice to their affected client. If the affected client is a cybercriminal, he may attempt to destroy evidence and cover his tracks.
By using the “freeze and seize” provisions provided by trademark laws, aggrieved entities can stop the cybercriminal in his tracks by taking down key servers in his infrastructure, freezing financial accounts, and disabling his cybercrime supporting services.
David LaMacchia is principal developer at Cloudmark and Jamie Tomasello is the company's director of security operations.