Justice, FBI bust 2 million-computer Coreflood botnet

Agents use new tactic to disable malware on long-running operation; 13 people charged

The Justice Department and the FBI, using a new tactic, seized control of and disabled a botnet that had infected more than 2 million computers worldwide as part of an international fraud scheme, according to agency officials.

The U.S. Attorney’s Office for the District of Connecticut filed a civil complaint against 13 unnamed defendants, charging them with engaging in wire fraud, bank fraud and illegal interception of electronic communications, Justice and FBI officials said in a joint statement.

Also, the U.S. District Court for the District of Connecticut seized 29 domain names and five command-and-control servers used to remotely control infected computers. The agencies also issued a temporary restraining order to replace the illegal servers with substitutes, which keeps the botnet from operating and lets the malware on infected computers be disabled.

The botnet, called Coreflood, infects computers that run Windows operating systems. It uses keystroke capture to steal private and financial information, including information on corporate networks, for the purpose of stealing funds and conducting other criminal activities. Coreflood is believed to have originated in Russia and to have been in operation for a decade.

“Botnets and the cyber criminals who deploy them jeopardize the economic security of the United States and the dependability of the nation's information infrastructure,” said Shawn Henry, executive assistant director of the FBI’s Criminal, Cyber, Response and Services Branch, in the joint statement. “These actions to mitigate the threat posed by the Coreflood botnet are the first of their kind in the United States and reflect our commitment to being creative and proactive in making the Internet more secure.”

In a press release, the Connecticut attorney’s office described the effort as the “most complete and comprehensive enforcement action ever taken by U.S. authorities to disable an international botnet.” A report in Threatpost said it is the first known instance of authorities disabling malware on infected hosts.

Identified owners of infected computers will be able to opt out of the temporary restraining order should they wish to continue running Coreflood for some reason, and authorities will not access information on the infected computers. Hundreds of thousands of computers in the United States are infected with the malware, according to the release.

In 2008, GCN reported that Coreflood had captured data from more than 225,000 online accounts, including bank, credit card, e-mail, online retail, stock trading, payment processing, mortgage and finance company accounts.

Coreflood is not the only large-scale botnet. Last month, federal law enforcement agencies and Microsoft announced that they had disabled a 1 million-computer botnet named Rustock that was responsible for sending out billions of spam messages a day.

About the Author

Kathleen Hickey is a freelance writer for GCN.
