Home News Stories 2011 April Botnet Operation Disabled

Botnet Operation Disabled

Thieves tracked keystrokes on two million infected computers to steal users' information.

Linked computers
Botnets are networks of virus-infected computers controlled remotely by an attacker. The Coreflood virus is a key-logging program that allows cyber thieves to steal personal and financial information by recording unsuspecting users’ every keystroke.


Botnet Operation Disabled
FBI Seizes Servers to Stop Cyber Fraud

04/14/11

In an unprecedented move in the fight against cyber crime, the FBI has disrupted an international cyber fraud operation by seizing the servers that had infected as many as two million computers with malicious software.

Botnets are networks of virus-infected computers controlled remotely by an attacker. They can be used to steal funds, hijack identities, and commit other crimes. The botnet in this case involves the potent Coreflood virus, a key-logging program that allows cyber thieves to steal personal and financial information by recording unsuspecting users’ every keystroke.

Woman typing on laptop

The Coreflood Virus 

The Coreflood virus infects only Microsoft Windows-based computers. Generally, most users will not be able to tell if their computers are infected. It is therefore important to take the following steps:

- Make sure your Microsoft Windows Automatic Updates are turned on;

- Run anti-virus programs and ensure that theyare up to date;

- Run a security firewall on your computer; and

- Check your online banking and credit history to make sure you have not been compromised. If you have been compromised, contact your financial institution.

To learn more about what you can do to protect your computer, including how to download and receive updates on security vulnerabilities, go to the following sites operated by U.S. Computer Emergency Readiness Team (CERT) and the Federal Trade Commission, respectively: http://www.us-cert.gov/ncas/tips/ST06-001 and onguardonline.gov/topics/malware.aspx.

Once a computer or network of computers is infected by Coreflood—infection may occur when users open a malicious e-mail attachment—thieves control the malware through remote servers. The Department of Justice yesterday received search warrants to effectively disable the Coreflood botnet by seizing the five U.S. servers used by the hackers.

“Botnets and the cyber criminals who deploy them jeopardize the economic security of the United States and the dependability of the nation’s information infrastructure,” said Shawn Henry, executive assistant director of the FBI’s Criminal, Cyber, Response, and Services Branch. “These actions to mitigate the threat posed by the Coreflood botnet are the first of their kind in the United States,” Henry noted, “and reflect our commitment to being creative and proactive in making the Internet more secure.”

Now that we have interrupted the operation of the botnet servers, our cyber specialists can prevent Coreflood from sending stolen financial information to the cyber thieves. But victims’ computers still remain infected. That’s why we have been working closely with our private-sector partners.

Anti-virus companies are developing updated signatures to detect and remove Coreflood. To disinfect Microsoft Windows-based systems—and to keep them virus free—users are encouraged to run anti-virus software and to keep their Microsoft Windows Updates current (see sidebar).

Victimized computers that have not been disinfected using anti-virus software updates will continue to attempt to contact the Coreflood botnet servers. When this happens, we will respond by issuing a temporary stop command to the virus and then alert that user’s Internet service provider (ISP), who will inform the customer that their computer is still infected. At no time will we be collecting any personal data from victim computers.

“For most infected users who are conscientious about keeping their anti-virus programs up to date, the process of disinfection will be as invisible as the Coreflood infection was itself,” said one of our cyber agents. Still, there is a process in place with ISPs to make sure notification occurs if necessary.

We began our Coreflood investigation in April 2009 when a Connecticut-based company realized that hundreds of computers on its networks had been infected. Before we shut down the Coreflood operation, cyber thieves made numerous fraudulent wire transfers, costing companies hundreds of thousands of dollars.

Yesterday, a civil complaint was filed in Connecticut against 13 “John Doe” defendants, alleging that they engaged in wire fraud, bank fraud, and illegal interception of electronic communications. Search warrants were obtained for the command and control servers in Arizona, Georgia, Texas, Ohio, and California. And a seizure warrant was issued in Connecticut for 29 Internet domain names used by the thieves.

Resources:
- Press release and court documents