According to a report posted Wednesday on the Wired Threat Level blog, and a Thursday report by security blogger Brian Krebs, the US Justice Department and FBI were granted the power this week to seize the enormous Coreflood botnet, a decade-old web of infected PCs that reportedly included millions of machines, and is allegedly responsible for the theft of millions of dollars over that time.
Most notable about the seizure is the fact that for the first time, the Justice Department sought and received permission to seize control of a botnet and send a signal to the millions of infected computers to disable the malicious software.
On Monday, the US Attorney’s Office for the District of Connecticut filed a civil complaint against 13 “John Doe” defendants it claimed were running the botnet, and was given permission to seize 29 domains used to control Coreflood’s operations. It was also granted a restraining order enabling it to send the kill command to infected machines.
The Coreflood court filing is available to read on Scribd.com.
According to Wired, the takeover happened Tuesday evening, and the shutdown command was sent to infected machines in the US. The government will not be making any efforts to collect the IP information of infected machines.
The takeover was conducted by transferring operation of the command-and-control servers orchestrating the botnet to the non-profit Internet Systems Consortium, which managed the seizure under the supervision of law enforcement this week.
Krebs quotes ISC president Barry Greene who said the takedown was a significant step for the combating of botnet activity in the US. “People have been saying we should be able to do this for a long time,” he said, “and nobody has done what we’re doing until now.”
According to Krebs, the Dutch government used similar tactics to take down the Bredolab botnet last year, redirecting users to web pages that warned them of the infection. Microsoft convinced a court to let it take control of the Rustock spam botnet’s domains and computers in March, and used those to disable it.
The Wired report points out that some are critical of the government’s actions in this case – the Electronic Frontier Foundation called it a “sketchy” move. However, it also points out that the FBI is offering the operators of infected machines the opportunity to “opt out” of the terms of its restraining order.
Wired says the Coreflood operators began distributing an updated variant of the malicious botnet code on Tuesday, but that the kill command appears to work on that version as well.