FBI, DOJ Take Down Coreflood Botnet

The FBI and the U.S. Department of Justice have taken a page from the tech industry and filed a civil complaint to takedown a notorious botnet called Coreflood.

Authorities announced the filing of the complaint as part of a comprehensive effort against the Coreflood botnet, a massive botnet behind a bank malware operation. No arrests were made. Instead the U.S. Attorney’s Office for the District of Connecticut filed a civil complaint against 13 ’John Doe’ defendants allegedly engaged in wire fraud, bank fraud and illegal interception of electronic communications.

As part of the enforcement action the Coreflood botnet announced Wednesday, five command and control servers (C&Cs) that remotely controlled hundreds of thousands of infected computers were seized, as were 29 domain names used by the botnet to communicate with the C&C servers.

The government replaced the illegal C&Cs with substitute servers to prevent Coreflood from being used for any more malicious activity.

’The seizure of the Coreflood servers and Internet domain names is expected to prevent criminals from using Coreflood or computers infected by Coreflood for their nefarious purposes,’ said U.S. Attorney David B. Fein for the District of Connecticut, in a statement. ’I want to commend our industry partners for their collaboration with law enforcement to achieve this great result.’

In the complaint, the government claims Coreflood records keystrokes and private communications on compromised computers, and steals passwords, usernames and other personal and financial information. As of about February 2010, there were approximately 2.3 million infected computers that either had been or were part of the botnet. More than 1.8 million of those appear to have been in the U.S., according to the complaint.

The temporary restraining order authorizes the government to respond to requests from infected computers in the U.S. with a command that temporarily stops the malware from running on the infected machine, according to authorities. During that time, the defendants will not be able to introduce different versions of the Coreflood malware onto the infected computers, authorities said.

Among the victims mentioned in the complaint is a real estate company in Michigan whose bank account was robbed of nearly $116,000. A law firm in South Carolina was said to have been defrauded of more than $78,000.

’It is hard to estimate the actual loot, but the criminals likely made tens of millions of dollars, based on the estimates in the complaint filed by the Department of Justice,’ said Dave Marcus, McAfee Labs research and communications director, in a statement. ’It is not outside of the realm of possibility that they netted more than…$100 million. The attackers were collecting personal information including bank account details over a period of time.’