Computer Crime Research Center


FBI set to kill secret-stealing Russian 'botnet'

Date: May 10, 2011
By: Mark Clayton

The FBI has seized control of a Russian cybercrime enterprise, but to kill it completely, officials may ask to rip some malware out of your computer. US diplomatic secrets could be at stake.

The FBI might be asking your permission soon to reach into your computer and rip something out. And you don’t know it’s there.

In a first for US law enforcement efforts to make the Internet more secure, the Federal Bureau of Investigation has seized control of a Russian cybercrime enterprise that has enslaved millions of personal computers and may have gained access to US diplomatic, military, and law enforcement computer systems.

As if WikiLeaks wasn’t bad enough.

But in order to destroy the criminal “botnet” for good, the FBI has to take yet another aggressive step that is alarming privacy rights advocates: remove the malware from the computers in the network. Hopefully all that gets taken out is the malware.


The FBI’s target is a “robot network” dubbed the “Coreflood botnet” by investigators: a worldwide network, built by a Russian cybercrime gang, of some 2.3 million personal computers that the gang controlled and used to vacuum up vast amounts of US personal financial and government data for almost a decade before it was targeted for extermination.

More than a million of the personal computers recruited into the botnet resided in the US, according to a filing by the Department of Justice in federal court in Connecticut last month.

As of three years ago, Coreflood was sucking up about a gigabyte of data per day and as much as 500 gigabytes a year – about equal to five library floors filled with academic journals. But it was not just credit card, wire transfer, and bank passwords – its primary target – that worried investigators.

At some point, investigators discovered, Coreflood sent back to Russia “master key” access to computer systems belonging to at least one US embassy in the Middle East – which made government officials more than a little nervous, a computer security firm investigator told the Monitor.

Also, as of this year, the US portion of the Coreflood botnet comprised hundreds of thousands of computers, among them machines belonging to 17 state or local government agencies (including one police department), three airports, and two defense contractors. Add to that list five banks or financial institutions, about 30 colleges or universities, and approximately 20 hospital or health care companies, as well as hundreds of businesses, according to the Justice Department’s court filing.

Botnets are nearly ideal for criminals

Anonymous and cheap to build, botnets are a nearly ideal criminal platform on the Internet, used for denial-of-service extortion attacks that shut down company websites unless a payment is made and, especially, for pilfering personal banking credentials. Symantec, the antivirus company, counted nearly 7 million bot-infected computers on the Internet in 2009. As powerful as the Coreflood botnet became, its malware is old enough that most up-to-date antivirus programs should block new infections; that does not, however, clean the machines already enrolled in the network.

Criminal botnets operating on the Internet today surreptitiously turn millions of individuals’ personal computers into “zombies” or “bots” that will do whatever their criminal “bot masters” order them to do, without the owner knowing anything about it.

Authorities have tried to take down botnets before, with mixed results.

But last month, the Department of Justice and the FBI moved to take Coreflood down using an approach that could become a model for handling botnets more effectively in the future. The method: law enforcement replaced the gang’s “command and control” servers with servers of its own, so that the infected PCs’ check-ins now reach the government’s machines, which can in turn issue orders to each individual “bot” in the network, such as the “stop” command that halts the malware on an infected computer.
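To make the substitute command-and-control idea concrete, here is an added toy model of a sinkhole server of the kind described above. It is not code from the article or from the Coreflood investigation, and the beacon line format (`<bot_id> <source_ip> <hostname>`), the `STOP`/`NOOP` command names and the opt-in address ranges are all assumptions made for illustration; the real Coreflood protocol is not described on this page. The point it demonstrates is the one the article raises: the sinkhole logs every check-in, but pushes a removal command only to hosts whose owners have authorised it, and lets everything else idle rather than relaying instructions from the criminal operators.

```python
# Added example, not part of the original article: a toy model of a
# law-enforcement C2 sinkhole. Beacon format, command names and consented
# ranges are hypothetical, not Coreflood's real protocol.
import ipaddress
from dataclasses import dataclass, field

# Constructed sample of bot check-ins, one per line:
# "<bot_id> <source_ip> <hostname>". Includes two malformed lines on purpose.
SAMPLE_BEACONS = """\
b1a2 203.0.113.7 WS-ACCOUNTING
b1a2 203.0.113.7 WS-ACCOUNTING
77c9 198.51.100.23 LAPTOP-HOME
9f0e 192.0.2.44 CITY-PD-DESK
garbage line without enough fields
zz01 not.an.ip HOST
"""

# Constructed list of address ranges whose owners have authorised removal.
CONSENTED_RANGES = ["203.0.113.0/24", "192.0.2.44/32"]


@dataclass
class Sinkhole:
    """Stand-in C2 server: records beacons and answers with only two commands."""
    consented: list
    checkins: dict = field(default_factory=dict)  # bot_id -> (ip, hostname, count)
    rejected: int = 0                             # malformed beacons seen

    def __post_init__(self):
        self.consented = [ipaddress.ip_network(n) for n in self.consented]

    def _is_consented(self, ip) -> bool:
        return any(ip in net for net in self.consented)

    def handle_beacon(self, line: str) -> str:
        """Parse one check-in and return the command to send back to the bot."""
        parts = line.split()
        if len(parts) != 3:
            self.rejected += 1
            return "NOOP"  # malformed: record nothing, give the bot nothing to do
        bot_id, ip_str, hostname = parts
        try:
            ip = ipaddress.ip_address(ip_str)
        except ValueError:
            self.rejected += 1
            return "NOOP"
        _, _, count = self.checkins.get(bot_id, (ip, hostname, 0))
        self.checkins[bot_id] = (ip, hostname, count + 1)
        # Removal is only pushed to owners who opted in; every other bot gets an
        # idle command, so it neither acts nor reaches the real operators.
        return "STOP" if self._is_consented(ip) else "NOOP"

    def run(self, log: str) -> dict:
        """Feed a whole beacon log through the sinkhole and summarise the result."""
        commands = [self.handle_beacon(l) for l in log.splitlines() if l.strip()]
        return {
            "bots_seen": len(self.checkins),
            "stop_sent": commands.count("STOP"),
            "noop_sent": commands.count("NOOP"),
            "rejected": self.rejected,
        }


if __name__ == "__main__":
    print(Sinkhole(CONSENTED_RANGES).run(SAMPLE_BEACONS))
```

On the sample data the sinkhole sees three distinct bots, answers the two consented hosts (three beacons between them) with `STOP`, idles the unconsented laptop, and rejects the two malformed lines without recording them. A real deployment would also have to authenticate that it is talking to the malware and not to an arbitrary client, which this toy leaves out.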


Copyright © 2001-2013 Computer Crime Research Center