Malware, Network Security

Coreflood-style takedowns may lead to trouble

News this week that the U.S. Department of Justice and FBI teamed up to dismantle the unrelenting Coreflood botnet resulted in universal cheers from the security community.

But the rare tactic authorities used to pull the plug on Coreflood -- sending commands to infected computers telling them to cease communication with command-and-control (C&C) servers -- prompted some IT experts to wonder whether the federal government may have crossed the line.

"Everyone wants botnets to go away, so I'm not sad the botnet will be largely taken down," Chris Palmer, technology director of the digital watchdog group Electronic Frontier Foundation, told "The issue is this is not a safe way to go about it, and it's divergent with standard practice. It's very dangerous."

To disrupt Coreflood, a nearly decade-old, keystroke-logging botnet blamed for stealing millions of dollars from victims' bank accounts, federal prosecutors secured a court-issued temporary restraining order (PDF) to replace  its five C&C servers with substitute servers under the U.S. government's control. C&C servers are used to communicate with and send instructions to infected machines.

That substitution, combined with successfully reverse engineering the malware's code, allowed FBI agents to deliver "stop" commands to compromised machines, believed to number 2.3 million.

Typically law enforcement dismantles botnets by taking down C&C servers through partnerships with international authorities and internet service providers. Often, the botnets crumble for a certain period but then rise again when a new C&C hub is created.

However, in this case, agents climbed another rung on the enforcement ladder by directly communicating with infected systems, telling them to stop talking to the control center.

But some say they've gone too far by doing that.

"They're running the bad guy's code in hopes of getting rid of the bad guy's code," said Palmer, a former senior software engineer at Google. "That's just crazy. If nothing horrible comes of this, it will be because of a combination of sheer luck and surprising politeness on behalf of the malware authors."

Palmer said such a method can lead to "collateral damage." For example, had the Coreflood authors caught wind of the FBI sting, they may have adjusted the trojan to respond to the stop commands in a different way, such as deleting sensitive data from the machines.

But Gary Warner, director of research in computer forensics at the University of Alabama at Birmingham, who regularly interacts with government cybercrime fighters, said he doubts such a scenario would play out.

"It could be valid if the people working this case were clueless," Warner wrote in an email to, "but they are not and had deep industry review before considering this action. It's a thoroughly tested procedure. If it did harm, they wouldn't have done it."

According to court documents filed April 12 in federal court in Connecticut, the stop commands -- delivered each time the Coreflood-infected computer reboots -- will not cause any damage or allow the U.S. government the ability to view or copy any contents on a victim's machine.

Meanwhile, HD Moore, founder of the open-source Metasploit hacking toolkit and the CSO of vulnerability management company Rapid 7, said he is less worried about the impact this operation may cause and more concerned about the precedent that it sets.

"What's scary about it is let's say in the future they want to use the same technique," he told "It's getting the FBI involved in an area where they traditionally haven't been involved. What's stopping them from going all the way to the extreme and shutting down political discourse they don't like?"

Once they assumed control of the C&C servers, authorities "could've done anything they wanted to" to the infected machines, said Moore, adding that many of the computers receiving commands are located outside of the United States.

Warner, however, said this was an exceptional case that had to demonstrate enough burden of proof to convince a judge to issue a temporary restraining order.

"They haven't intruded on the machine," Warner said. "They haven't done anything but tell the software to stop running itself...This is a good thing. Coreflood was regularly draining people's bank accounts since 2004."

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.