FBI ‘controls’ criminal servers to disable international botnet

The FBI and the US Department of Justice have disabled an international ‘botnet’ after taking control of the criminals’ servers.

The botnet had infected more than two million computers with keylogging software as part of a massive fraud scheme.

It is the first time FBI investigators have used such a method and the Department of Justice had to obtain court permission from a judge to carry out the operation.

It enabled the authorities to issue its own commands, effectively ordering the malware to shut down. It also logged the IP addresses of compromised machines.

It means the authorities will be able to notify internet service providers (ISPs) about which machines have been infected and ISPs in turn can let victims know that their machines had been taken over.

A similar approach was used last year by Dutch police as part of its shutdown of the Bredolab botnet – a Russia-founded botnet mostly involved in viral e-mail spam.

Criminal seizure warrants and a temporary restraining order have been issued as part of the most complete and comprehensive enforcement action ever taken by US authorities to disable an international botnet.

The botnet is a network of hundreds of thousands of computers infected with a malicious software program known as Coreflood that records keystrokes and private communications on a computer and which installs itself by exploiting a vulnerability in computers running Windows operating systems. Coreflood allows infected computers to be controlled remotely by a command and control (C&C) server to steal usernames, passwords and private personal and financial information from unsuspecting computer users – including users on corporate computer networks – and using that information to steal funds.

Five C &C servers that remotely-controlled hundreds of thousands of infected computers were seized, as well as 29 domain names used by the Coreflood botnet to communicate with the C&C servers.