Feds declare victory over notorious Coreflood botnet

Federal authorities say they have crippled a notorious botnet that penetrated some of the world's most sensitive organizations, thanks to an unprecedented take-down strategy that used a government-run server that communicated directly with infected PCs. Coreflood, as the network of compromised computers is known, enslaved …


This topic is closed for new posts.
  1. Daniel O'Regan


    So they reckon they were safe running a command on remote PCs? So if the next virus's STOP command formats the hard disk, who gets the blame?

    1. A handle is required

      Give them credit

      I'm sure they researched what the command actually does before blindly trusting it, as opposed to:

      Fed 1: How do we disable the botnet on the infected PCs?

      Fed 2: Well, we could use this STOP command, but first we'd have to research what the comman..

      Fed 1: NO! Do it, do it now!

      1. Anonymous Coward

        STOP command

        I'm pretty sure the malware writers wouldn't be silly enough to call it something so damn obvious too.

        Likely, "STOP" is a mnemonic for those of us who aren't familiar with the malware's internals.

  2. oopsie

    licencing conditions

    I'm moderately surprised that Microsoft haven't introduced licencing conditions yet that allow them to remove software from people's machines.

    Yes, I'm aware of the implications etc. Still kinda surprised that they haven't done it though.

    1. Shadowmanx2009
      Thumb Up

      They have

      It's called the Malicious Software Removal Tool which most Windows users have installed (unless they blocked it) :

    2. Steven Roper

      And they have

      with Windows Phone 7 and Windows 8, bringing them into line with Amazon, Google, Apple and every other fucking OS/device manufacturer out there who think they've now got the right to reach into my devices and mess with my apps and data.

      TBH I'm in two minds about this one. While I applaud the FBI's efforts to take down a botnet and I agree that such measures are necessary to combat the scourge of computer crime, I have to ask at the same time - who says what's malware?

      Consider this: Granted they currently have to ask permission, but for how long once the door is open? The FBI removing a virus from my machine is one thing. The FBI removing my torrent clients, DRM-removal software or No-CD cracks, just because the music/movie/games industries don't like them is something else. And while that might not have happened yet, opening the legal door to allowing the FBI or other organisations remote access to people's computers to remove malware means it's only a matter of time.

      1. redxine
        Big Brother

        "Who says what's malware"

        "Who says what's malware" == the issue that is trusted computing.

        The fact of the matter is that control of this decision is moving far away from the users and into the hands of the big spenders.

  3. sam 16

    The expense of what?

    I read a paper a while ago on hijacking botnets by predicting the URL of the next command server and registering it first, so presumably they have to re-predict every day or so.

    However... after the prediction code is written, what exactly is the expense of maintaining this server? I'd value what it does at thousands of dollars.

    Maybe the government really do pay over the odds for hosting...

  4. David Kelly 2

    This speaks poorly for AV companies

    Coreflood has been in operation since 2002 and, "By the end of May, more than 20 of the major AV products detected the latest versions of the Coreflood malware."

    Had the AV companies been doing their jobs, one would think every single one of them should have been able to detect Coreflood and every variation for many years now.

    1. Elmer Phud Silver badge

      AV companies have been doing their jobs

      The AV companies have been issuing scare stories, trying to get more people to use their products, more scares = more money. Many folks haven't a clue about how these days most of the stuff they are 'safe' from hasn't been seen in the wild for a long time.

      However, it's not always easy for the AV sw to find stuff that the punter has either 'asked' for it to be installed or went somewhere and never knew anything about it. Some of the nasties out there are constantly honed by rather good engineers who always ensure they have the latest AV sw to test with.

      A lot of the time it depends how you test and what you test with - that's why some of us have a set of separate tools and don't necessarily rely on the bog-standard AV stuff.

      Anyway - 'AV' doesn't really describe it properly nowadays but it's nice to use for the general public, they think it's like taking penicillin but also these days penicillin won't cure everything.

  5. Dave Bell

    Too focused on the tech

    One obvious point missing here: have they tracked down the human criminals?

  6. dave 46

    Too soft on the infected users

    The ISPs should have pulled the plug on the zombies until the client paid for a technician to go out and clean their PC(s), they should also have to provide proof they are running up-to-date AV software for a period of 3 years after being identified as a zombie.

    ISPs that have identified zombie clients and do not follow the above rules should be cut off upstream.

    I don't see why we're still tiptoeing around with what is a serious threat to both the commercial and free speech future of the internet.

    1. Elmer Phud Silver badge


      What the bot-herders do is commercial, it's part of the spirit of Free Enterprise, i.e. be selfish and make money. Free speech is a pain in the arse unless it's a heavily proscribed 'free'.

      As an ex-broadband helldesk person the early days saw loads of people totally unaware of their machines constantly sending out far more data than was coming in - and bearing in mind the down vs up ratio it's easy to spot. (Our diagnostic procedures never took this into account.) ISPs will not cut off their subs - it will take a lot of changes to their diagnostics and they would need to employ more people.

      This 'technician', who pays for the visit? The sub or the ISP?

      The quality of technician has dropped dramatically to the point where your average 'tech' is a Sky installer. Whatever it is just replace it or shove the blame elsewhere - job closed. There is no requirement to think, they are not even given time to think.

      Remote checking is available but I wouldn't let anyone go in via remote access - they don't know what they are doing and only work to a flowsheet on the screen - thinking is verboten, it's one of the reasons I jacked it in, not being allowed to think past moving the job on to someone else.

      Punters buy a machine and occasionally continue subscribing to whatever rip-off merchant's AV was pre-installed. As far as they are concerned they are protected. What you are sort of suggesting is state-control.

    2. Someone Else Silver badge


      Who died and appointed you my (or anybody else's) nanny?


  7. This post has been deleted by a moderator

  8. Andus McCoatover

    Oh, we like this!!!!!

    10 out of 10 to the FBI!

    Seriously good work. Hobble the fuc*kers at their own game.

    (Icon, 'cos a pint of Tennants Tramp Special to the FBI is due.)

  9. XMAN

    Here's hoping this doesn't set a precedent

    Let's hope that this doesn't set a precedent that the US can access people's computers to remove something that *they* consider bad.

    Oh yeah these guys have this terrible software installed called BitTorrent. We contacted 25 million users and 59 replied. So we went ahead and removed the software from 25 million machines.

  10. NomNomNom

    is it time?

    is it time everyone by law had to enable remote assistance on their machines so that the FBI or NSA can log in to see or fix what was going on? This would solve all the problems concerning spam and hackers.

    Think about it. The hackers would be trying to DOS something and suddenly it would say "The FBI have logged in" and even if they minimize the DOS window the officer would take control of the mouse and be able to check what they had hidden. Busted.

    To allay privacy concerns I am thinking something like a social networking site for law enforcement that everyone must be registered with. That way they can send you messages when they are logged in like "just checking :)", "just removing a botnet off your computer :)", or "just checking your email for phishing scams :)" and you can also click on their profile to see who they are like it will list where they live and their interests and hobbies so there is accountability. Cuz frankly the way the internet works at the moment is a recipe for disaster everyday it seems another company gets customer details hacked and my inbox is really full of spam.

    1. Someone Else Silver badge

      Short answer: No.

      Longer answer: Fuck no!

      I'm assuming you left off a <sarcasm> tag in your post. If you didn't and actually meant this, see my response to dave 46 above, then bugger off!

  11. Adrian Challinor
    Big Brother

    Worrying development

    I applaud the way this was done and believe that the intentions were honorable. However, some of the implications make me a little uneasy.

    >> Only 24 identifiable victims agreed to let the FBI issue the uninstall command, but the
    >> consent still resulted in the instruction being sent to 19,000 computers, Special Agent
    >> Kenneth Keller wrote in a declaration filed in federal court last week. None of the
    >> machines suffered adverse consequences.

    Does this mean that nearly 19,000 computers had the uninstall command issued to them without authorisation?

    And how do they KNOW that there were no adverse consequences? Who proved that all 19,000 were fine afterwards?

    The problem I have here is that the Feds, however well meaning they are, have interfered with a user's computer without their authority. If this was the other way round you would get arrested. The issue I have is that the law is being applied in an unequal manner.

    As I say, I applaud the idea, and respect the resolution, and I think we need more of this. But we also need to understand the monster we are releasing when we blindly permit the authorities to decide what software we are permitted to run and allow them to remove it without our consent.

    Big Brother icon for obvious reasons

    1. Pete B

      Re: Worrying development

      "Does this mean that nearly 19,000 computer had the uninstall command issued to them without authorisation?"

      I *hope* it means that they managed to contact 24 victims who on average had about 800 machines each, i.e. they're talking about SMEs, not home users. If this is correct then they acted correctly.

    2. Tasogare

      Re: Worrying development

      I second the question about 19000 machines vs. 24 permissions granted. I think the concerns about removing things like BitTorrent are a bit exaggerated though. For one thing, I'm not even sure it's possible; bots provide a command interface to external users. BT doesn't. For the FBI to remotely remove a program from your computer, it must first be running a service that allows remote removals.

      The above assumes MS hasn't inserted a hidden FBI back door at their request, do we have a tinfoil hat icon? I don't see a tinfoil hat icon...

      Stopping the bot remotely without uninstalling it seems a decent middle ground to me. Leaving things alone invites the problem to spread; directly getting permission from everyone is impractical. Temporary remote stops seem to have gotten the job done with the minimum invasiveness possible. Compare that to, say, the TSA.

      Unfortunately the article doesn't specify how much of the drop was from the stop commands, and how much was from the removals. That would be nice to know.

      1. El Cid Campeador
        Big Brother

        Agreed--worrying and a tough call.

        This just highlights the need for the conversation about security to get out of the geek community and hit the mainstream. On the one hand, I am extremely concerned about any government or private agency reaching into anybody's computer without their informed consent (Google, I'm looking in your direction), but on the other hand these bots (and other malware) are endangering innocent users and the very Internet we all depend on. What is even more unfortunate is that nine times out of ten discussing anything like this with an ordinary user gets you a shrug and a "meh." So... at what point does ignorance cease to be an excuse? And, as has been asked above, where exactly is the line between dodgy and flat-out malware? These are NOT easy questions and drawing the line in the wrong place could have catastrophic consequences: too slack and the web gets overwhelmed by the bad guys, too tight and we have Big Brother (if we don't already--if the governments of the world were less clueless we'd already be boned). We must broaden this conversation if we're going to get anything resembling a workable solution.

  12. Anonymous Coward

    infected PC ?

    > Federal authorities say they have crippled a notorious botnet that penetrated some of the world's most sensitive organizations, thanks to an unprecedented take-down strategy that used a government-run server that communicated directly with infected PCs. Coreflood, as the network of compromised computers is known, enslaved almost 800,000 machines ..

    Why not ban the use of Windows on the Internet and prosecute the people who made the "infected PCs"

    1. Rustybucket

      A better idea...

      "Why not ban the use of Windows on the Internet and prosecute the people who made the "infected PCs""

      Why not ban people who post idiotic twaddle instead?

  13. Anonymous Coward


    Damn buncha "what if" scenario makers here......get a life!

    For all you "IT professionals", if you can't do the job, move over or keep your crap off the net!

    I can't believe the petty bitching people are doing. They did what no one else could or would do, it's not the first time this has been done, and it won't be the last. If you are going to have a computer hooked up to the net, then it's common sense to have some type of A/V software to protect it. It's not an issue with money or knowledge, there is plenty of free software available that requires no interaction. For that group that doesn't know what a virus is, how dangerous the internet can be, or doesn't know enough to install A/V software, then let someone do it for you or get off the net.

  14. Anonymous Coward

    Lesser of two evils


    Whom would you prefer to have access to your machines?

    1. Evil Criminals in control of your machine and your life, with neither accountability nor constraint.


    2. a cybersecurity force with an accountable legal process providing detailed objectives, scope of limitations, source code and audit trail for combat?

    This battle cannot be won while the white hats' hands are tied as we are being pissed on.

    Taking control of a botnet for the purpose of shutting it down is fine by me, as long as that is the aim, including gathering data for the purpose of tracing the benefactors.

    All this paranoia about Feds having access to people's computers is misplaced.

    It is like insisting on verifying an Agent's ID at the front door, while you have no walls and are being robbed blind behind you.

    Just do it and get rid of the shit. These zombies are not only a threat to their hosts, but a public nuisance. If the host suffers some loss by remedial action, shit happens. It was their fault for being infected in the first place. They were probably saved greater loss if left to continue, and the rest of the world becomes a safer place.

    A doctor does not care about the crimes of a patient, just aims to heal. Some viruses kill their victims in spite of doctors' best efforts. Deal with it. Zombies are sick PCs that need healing.

    Time to untie the hands.


  15. Turtle


    If someone is notified that their computer is being used as part of a botnet, and they do nothing about it, and/or if the machine continues to be used as part of a botnet after being notified, they are no longer a *victim* of a crime, they are now *complicit* in crime and need to be treated appropriately. (Even if, I need to remark, they are conveniently diagnosed with Assberger's Syndrome after they are apprehended.)
