Today, the Department of Justice and the FBI announced that they have dismantled a network of hackers who infected more than 2 million computers with a malicious “bot” program that harvests sensitive personal and financial data from those computers.
Known as a botnet, because each infected computer can be controlled remotely like a robot, the network runs a program called Coreflood, which installs itself on computers running Windows by exploiting a vulnerability.
The press release issued today by the FBI calls this sting “the most complete and comprehensive enforcement action ever taken by U.S. authorities to disable an international botnet.”
Executive Assistant Director of the FBI’s Criminal, Cyber, Response and Services Branch Shawn Henry said, “These actions to mitigate the threat posed by the Coreflood botnet are the first of their kind in the United States and reflect our commitment to being creative and proactive in making the Internet more secure.”
Besides infecting personal computers, the network also reached corporate and business networks and used the information they contained to steal funds.
According to information contained in court filings, the group of all computers infected with Coreflood – known as the Coreflood botnet – is believed to have been operating for nearly a decade and to have infected approximately 2,336,542 computers around the world (about 1,853,005 of them in the U.S.).
According to court documents, examples of illegal fund transfers allegedly conducted via Coreflood botnet include:
- $115,771 from a real estate company in Michigan,
- $78,421 from a law firm in South Carolina,
- $151,201 from an investment company in North Carolina,
- $934,528 in attempted wire transfers from a defense contractor in Tennessee, of which about $241,866 was actually stolen.
Connecticut’s complaint filed against 13 “John Does” states, “The full extent of the financial loss caused by the Coreflood Botnet is not known, due in part to the large number of infected computers and the quantity of stolen data.”
The U.S. Attorney’s Office for the District of Connecticut has filed a civil complaint against 13 “John Doe” defendants that accuses them of engaging in wire fraud, bank fraud and illegal interception of electronic communications.
Search warrants also were obtained for computer servers throughout the country, and a seizure warrant was obtained in U.S. District Court for the District of Connecticut for 29 domain names.
“The seizure of the Coreflood servers and Internet domain names is expected to prevent criminals from using Coreflood or computers infected by Coreflood for their nefarious purposes,” said U.S. Attorney David B. Fein for the District of Connecticut. “I want to commend our industry partners for their collaboration with law enforcement to achieve this great result.”
Assistance was provided by Microsoft, the Internet Systems Consortium and other private industry partners, the release states.
Government will monitor infected computers
The government now has a temporary restraining order that authorizes it to respond to signals sent from infected computers in the United States, in order to stop the Coreflood software from running.
The Coreflood malware on a victim’s computer is programmed to request instructions and commands from its command-and-control (C&C) servers on a routine basis. A single C&C server can control millions of bots.
New versions of the malware are pushed out through the C&C servers in an effort to stay ahead of anti-virus signatures and other protection updates.
If the C&C servers do not respond, the existing Coreflood malware simply continues to run on the victim’s computer, collecting personal and financial information; silence from the seized servers alone would not stop it.
The temporary restraining order therefore authorizes the government to answer these requests from infected computers in the United States using substitute servers, replying with a command that temporarily stops the malware from running on the infected computer.
During that time, the hackers behind Coreflood will not be able to introduce different versions of the Coreflood malware onto the infected computers.
This will give computer security providers time to update their virus signatures and malicious software removal tools so their customers can use them to remove the Coreflood malware, the release states.
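The mechanism described in the preceding paragraphs, as an added toy model that is not part of the original article and not Coreflood’s real protocol: the message format (a dict with a “cmd” key), the bot’s behaviour and the three server handlers are assumptions chosen to show why a seized C&C that merely goes silent leaves the bot collecting data, while a substitute server that answers “stop” halts it.

```python
"""Toy model of the substitute-server ("sinkhole") response described above.

Added illustration, not Coreflood's real protocol or any code from the DOJ/FBI
action. The message format and bot behaviour are assumptions.
"""
from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass
class Bot:
    """Infected host: harvests data each cycle while running, then beacons to C&C."""
    running: bool = True
    version: str = "1"
    collected: list = field(default_factory=list)

    def apply(self, reply: Optional[dict]) -> None:
        """Act on a C&C reply. No reply (None) changes nothing: the bot keeps going."""
        if reply is None:
            return
        cmd = reply.get("cmd")
        if cmd == "update":          # attacker pushes a new build to evade AV signatures
            self.version = reply["version"]
        elif cmd == "stop":          # substitute server tells the bot to halt
            self.running = False
        # any other command is ignored in this toy model


Handler = Callable[[Bot], Optional[dict]]


def attacker_cc(bot: Bot) -> Optional[dict]:
    """Criminal C&C: roll out a new version on the first beacon, then idle."""
    return {"cmd": "update", "version": "2"} if bot.version == "1" else {"cmd": "noop"}


def silent_sinkhole(bot: Bot) -> Optional[dict]:
    """Seized domain pointing at nothing useful: the bot never gets an answer."""
    return None


def stop_sinkhole(bot: Bot) -> Optional[dict]:
    """Substitute server operating under the restraining order: answer 'stop'."""
    return {"cmd": "stop"}


def simulate(handler: Handler, cycles: int = 5) -> Bot:
    """Run `cycles` beacon intervals: harvest, beacon, apply the reply."""
    bot = Bot()
    for tick in range(cycles):
        if not bot.running:
            break
        bot.collected.append(f"harvested@t{tick}")   # constructed stand-in for stolen data
        bot.apply(handler(bot))
    return bot


if __name__ == "__main__":
    for name, handler in [("attacker C&C", attacker_cc),
                          ("silent sinkhole", silent_sinkhole),
                          ("sinkhole answering stop", stop_sinkhole)]:
        b = simulate(handler)
        print(f"{name:24s} running={b.running} version={b.version} harvested={len(b.collected)}")
```

The point of the three runs: against the attacker’s servers the bot gets upgraded and keeps harvesting; against a seized-but-silent domain it keeps harvesting at the old version, exactly the situation the restraining order was meant to avoid; only the answering substitute server stops collection after the current cycle.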
Is your computer infected?
The press release also states that, “The Department of Justice and FBI, working with Internet service providers around the country, are committed to identifying and notifying as many innocent victims as possible who have been infected with Coreflood, in order to avoid or minimize future fraud losses and identity theft resulting from Coreflood.”
If you are among those who are contacted, “at no time will law enforcement authorities access any information that may be stored on an infected computer.”
The FBI also stresses that this crackdown does not mean that Coreflood malware or similar forms of malware have been removed from the Internet entirely.
“Nor does it mean that criminals will not attempt to build another botnet using a different version of the Coreflood malware or other malware,” the release states. “The best defense against such malware, and botnets in general, is for users to ensure their computers are protected by regularly-updated anti-virus security software.”
The crackdown is the result of an ongoing criminal investigation by the FBI’s New Haven CT Division, in coordination with the U.S. Marshals Service.
The matter is being prosecuted by the U.S. Attorney’s Office for the District of Connecticut, led by Assistant U.S. Attorney Edward Chang, and attorneys from the Computer Crime and Intellectual Property Section in the Justice Department’s Criminal Division.
The targeted domain names
Besides the U.S. (many in Virginia and Washington), the hackers targeted by the FBI sting also originate from Australia, Canada, Germany, India and the UK.
The domain names also use innocuous-looking terms such as “spamblocker,” “taxadvice,” “wiki,” “wellness,” “flu.medicalcare,” “ticket,” “onlinebooking,” “licensevalidate,” “gamer,” “logon,” “unreadmsg,” “mediastream” and “google,” so that C&C traffic looks like ordinary web activity.
Some of the domain names (and their subdomains) include:
- SINKHOLE-00.SHADOWSERVER.ORG
- adv-webhost.com; node1.adv-webhost.com; alex.adv-webhost.com
- antrexhost.com; ads.antrexhost.com; cafe.antrexhost.com; coffeeshop.antrexhost.com; marker.antrexhost.com; old.antrexhost.com; spamblocker.antrexhost.com
- bonuspages.net; carl.bonuspages.net
- diplodoger.com; ns1.diplodoger.com
- ehostville.com; taxadvice.ehostville.com
- fishbonetree.biz; brew.fishbonetree.biz
- googlestat.net
- hostfarmville.net; inews.hostfarmville.net
- hostfields.net; wiki.hostfields.net; wellness.hostfields.net
- hostnetline.com; ticket.hostnetline.com
- joy4host.com
- just-twin.com; celsius.just-twin.com
- licensevalidate.net; acdsee.licensevalidate.net; savupdate.licensevalidate.net
- medicalcarenews.org; flu.medicalcarenews.org
- medinnovation.org; vaccina.medinnovation.org
- nebuladay.net; gamer.nebuladay.net
- nethostplus.net; accounts.nethostplus.net; imap.nethostplus.net; logon.nethostplus.net; mediastream.nethostplus.net; onlinebooking.nethostplus.net; pop3.nethostplus.net; schedules.nethostplus.net; taxfree.nethostplus.net
- netwebplus.net; ipadnews.netwebplus.net
- penlist.net; butik2000.penlist.net
- realgoday.net; dru.realgoday.net
- stafilocox.net; exchange.stafilocox.net
- unreadmsg.net; jane.unreadmsg.net
- vip-studions.net; a-gps.vip-studions.net
- virtukon.com; kelvin.virtukon.com
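A practical use of the list above is to check your own DNS resolver logs for hosts that have been beaconing to these names. The following is an added example, not code from the article or the court filings: the indicator set is the registered domains printed on this page (the warrant covered 29 domains, so the set is only as complete as the list here), and the log format, client addresses and query names are constructed for the demonstration.

```python
"""Flag DNS queries for the Coreflood domains listed above.

Added example, not from the original article or the court filings. The log
format, client addresses and query names below are constructed.
"""
from typing import List, Optional, Tuple

# Registered domains from the list above. SINKHOLE-00.SHADOWSERVER.ORG is left
# out on the assumption that it is the sinkhole hostname, not an attacker domain.
SEIZED_DOMAINS = frozenset({
    "adv-webhost.com", "antrexhost.com", "bonuspages.net", "diplodoger.com",
    "ehostville.com", "fishbonetree.biz", "googlestat.net", "hostfarmville.net",
    "hostfields.net", "hostnetline.com", "joy4host.com", "just-twin.com",
    "licensevalidate.net", "medicalcarenews.org", "medinnovation.org",
    "nebuladay.net", "nethostplus.net", "netwebplus.net", "penlist.net",
    "realgoday.net", "stafilocox.net", "unreadmsg.net", "vip-studions.net",
    "virtukon.com",
})


def normalize(qname: str) -> str:
    """DNS names are case-insensitive and may carry a trailing dot."""
    return qname.strip().rstrip(".").lower()


def seized_parent(qname: str) -> Optional[str]:
    """Return the seized domain that `qname` equals or is a subdomain of, else None.

    Matching is label-wise from the right, so 'logon.nethostplus.net' matches
    'nethostplus.net' but 'notadv-webhost.com' does not match 'adv-webhost.com'.
    """
    labels = normalize(qname).split(".")
    for i in range(len(labels) - 1):          # keep at least two labels
        candidate = ".".join(labels[i:])
        if candidate in SEIZED_DOMAINS:
            return candidate
    return None


def flag_dns_log(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Parse 'timestamp client qname qtype' lines; return (client, qname, seized_domain) hits."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 3:
            continue                           # malformed line, skip it
        _ts, client, qname = parts[0], parts[1], parts[2]
        parent = seized_parent(qname)
        if parent:
            hits.append((client, normalize(qname), parent))
    return hits


# Constructed sample log (not real traffic). Two lines are deliberate near-misses.
SAMPLE_LOG = [
    "2011-04-13T10:02:11Z 10.0.0.5 logon.nethostplus.net A",
    "2011-04-13T10:02:12Z 10.0.0.5 www.google.com A",
    "2011-04-13T10:03:40Z 10.0.0.9 notadv-webhost.com A",
    "2011-04-13T10:04:01Z 10.0.0.9 ADS.ANTREXHOST.COM. A",
    "2011-04-13T10:05:55Z 10.0.0.7 googlestat.net A",
    "2011-04-13T10:06:10Z 10.0.0.7 stat.net A",
]

if __name__ == "__main__":
    for client, qname, parent in flag_dns_log(SAMPLE_LOG):
        print(f"{client} queried {qname} (seized domain: {parent})")
```

Note the caveat that follows from the mechanism described earlier: after the takedown these queries resolve to the government’s substitute servers, so a hit does not mean data is still leaving the network, but it does mean the host is still infected and needs the malware removed.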
What you should do
Make sure you have virus and malware protection, make sure it’s up to date (usually there are daily updates), keep the program running and schedule a daily full scan.
To learn more about what you can do to protect your computer, including how to download and receive updates on security issues, visit these sites operated by the U.S. Computer Emergency Readiness Team (US-CERT) and the Federal Trade Commission: us-cert.gov/nav/nt01 and onguardonline.gov/topics/malware.aspx
Posted April 13, 2011