Jeff Bardin chief security strategist, Treadstone 71
The FBI shutdown of Coreflood was the right move. They took risks in shutting down the botnet. They did touch personal computers of U.S. citizens. But there are exigent circumstances that must be considered. There was an imminent and serious threat to property. According to authorities, a company in Tennesseee lost $241,866 to Coreflood, and another in Michigan lost $115,770. Since February 2010, 2.33 million computers were infected by Coreflood – 1.85 million of which were located in the United States. There also was the imminent escape of suspects. Any overt communication of FBI counterintelligence-counterespionage activities would have tipped off the perpetrators. There was the imminent destruction of evidence. Cyber defenses stand in the ring bobbing and weaving trying to avoid the punches of not one cybercriminal but multiple. It is about time we exhibited active offensive cyber operations. Cybercriminals are not equipped to handle counter activities. It is not cost effective.
Chris Palmer technology director, Electronic Frontier Foundation
Everyone wants to get rid of botnets. The question is how – in a way that inflicts the least collateral damage to innocent networks. There also is a jurisdictional problem as botnets are global. The Internet Systems Consortium/FBI/Department of Justice action against Coreflood, while apparently effective, does not meet a basic standard of safety. For a state to disable command-and-control servers in its own jurisdiction is an excellent idea, as it is for Microsoft to remove the malware with an update or a new feature of its Malicious Software Removal Tool. But to execute attacker code as part of the action is foolhardy at best. Coreflood might do anything in response to the “stop” command – especially since it was updated the day before the action began. The safest path is to remove malware by legal and out-of-band means: Notify the system owners, unplug the network cable and get an operating system update. Invoking attacker code on somebody else's computer is never sane.