April 26, 2011, 4:45 PM — Although the Federal Bureau of Investigation (FBI) said a federal temporary restraining order has crippled the Coreflood botnet in the U.S., Microsoft today took the unusual step of pushing a second version of its monthly malware cleaner to Windows users to again quash the botnet.
Coreflood made the news earlier this month when the U.S. Department of Justice (DOJ) and FBI obtained an unprecedented temporary restraining order that allowed them to seize command-and-control servers that managed the botnet's estimated 2.3 million compromised PCs.
Those servers were replaced by government-controlled systems.
The court order also allowed the DOJ and FBI to issue commands using those replacement servers that disabled, but did not uninstall, Coreflood on infected PCs that asked for new commands.
In an affidavit filed in a Connecticut federal court last Saturday, FBI Special Agent Briana Neumiller said that the server seizure and "kill-switch" instructions issued to the malware have crippled the botnet.
On April 13, the day after the DOJ and FBI seized the Coreflood servers, the government replacements received nearly 800,000 command requests, or "beacons," from Coreflood-infected machines in the U.S. A week later, the number of beacons had plummeted to less than 100,000.
"Two possible reasons why the Coreflood Botnet is getting smaller are as follows: (i) because Coreflood has not been able to update itself on infected computers, anti-virus vendors have been able to release virus signatures capable of detecting the latest versions of Coreflood," Neumiller said in her affidavit. "And (ii) as victims of Coreflood are notified of their infected computers, they may be disconnecting the infected computers from the Internet or taking other measures to disable or remove Coreflood."
The restraining order, which was transformed from "temporary" to "preliminary" this week by U.S. District Court Judge Vanessa Bryant, allows the DOJ and FBI to identify infected computers using IP addresses. The agencies then notify the ISPs (Internet service providers) responsible for those addresses; the ISPs are to send the owners of those PCs a form letter telling them that their computer is infected and urging them to run tools to delete the malware.
While the volume of beacons from U.S. PCs has fallen to one-tenth of the number prior to the takedown, Neumiller noted that beacons from foreign machines -- which haven't received instructions to stop running the bot -- have not dropped as rapidly. As of last Friday, beacons from foreign PCs were about a quarter that of April 13.