The FBI might be asking your permission soon to reach into your computer and rip something out. And you don’t know it’s there.
In a first for US law enforcement efforts to make the Internet more secure, the Federal Bureau of Investigation has seized control of a Russian cybercrime enterprise that has enslaved millions of personal computers and may have gained access to US diplomatic, military, and law enforcement computer systems.
As if WikiLeaks wasn’t bad enough.
But to destroy the criminal “botnet” for good, the FBI has to take yet another aggressive step that is alarming privacy rights advocates: remove the malware from the computers in the network. Hopefully all that gets taken out is the malware.
The FBI’s target is a “robot network” dubbed the “Coreflood botnet” by investigators. It’s a worldwide network created by a Russian cybercrime gang that took control of 2.3 million personal computers that vacuumed up vast amounts of US personal financial and government data for almost a decade before being targeted for extermination.
As of three years ago, Coreflood was sucking up about a gigabyte of data per day and as much as 500 gigabytes a year – about equal to five library floors filled with academic journals. But it was not just credit card, wire transfer, and bank passwords – its primary target – that worried investigators.
At some point, investigators discovered, Coreflood sent back to Russia “master key” access to computer systems belonging to at least one US embassy in the Middle East – which made government officials more than a little nervous, a computer security firm investigator told the Monitor.
Also, as of this year, the Coreflood botnet had assimilated into the US portion of its network hundreds of thousands of computers belonging to 17 state or local government agencies, including one police department, three airports, and two defense contractors. Add to that list five banks or financial institutions, about 30 colleges or universities, and approximately 20 hospital or health-care companies as well as hundreds of businesses, according to the Justice Department’s court filing.
Botnets are nearly ideal for criminals
Anonymous and cheap to build, botnets are a nearly ideal criminal platform on the Internet for attacks aimed at shutting down company websites – unless a payment is made – and especially pilfering personal banking credentials. Symantec, the antivirus company, reported nearly 7 million botnets on the Internet in 2009. As powerful as the Coreflood botnet became, it is old enough that most updated antivirus programs should protect computers from infection.
Millions of criminal botnets operate on the Internet today – turning individuals’ personal computers surreptitiously into “zombies” or “bots” that will do whatever their criminal “bot masters” order them to do, without the owner knowing anything about it.
Authorities have tried for years to stop botnets – with mixed results.
But last month, the Department of Justice and FBI moved to take Coreflood down using an approach that could be a model for handling botnets more effectively in the future. The method? Basically, law enforcement authorities took control of the botnet by inserting into the network their own “command and control” computers capable of giving orders to the network’s individual PC “bots.”
Right now, the FBI controls Coreflood.
To control its sprawling botnet, and gain access to personal bank accounts and other financial information, the Coreflood cybergang sent commands from computers in Russia. Those commands first went through computers the gang commandeered in Estonia, which then relayed instructions to “command and control” computers located in Texas, California, Ohio, Arizona, and Georgia.
The gang also used computer hosting services of unwitting Internet providers in New York, New Jersey, Pennsylvania, Massachusetts, Virginia, Florida, Arizona, Nevada, California, Oregon, and Washington.
Often the command sent was to search for words on the infected computers that indicated banking or credit-card information – and send it along. But just as often, Coreflood was instructed to send it all – giving the botnet a voracious appetite for all kinds of data. Its enormous, nonselective appetite for data may have been its undoing.
On April 12, a US District Court judge in Connecticut granted a temporary restraining order against 13 “John Doe” defendants – the alleged members of the Russian cybergang. The court gave the FBI permission to take the unprecedented step of sending an electronic “pause” command to all US-based Coreflood-infected computers – machines whose owners had no idea their computers were being controlled by a Russian gang.
PC bots told to sleep
Working closely with private computer security experts, the FBI first substituted its own computers for Coreflood's. So when the PC bots “beaconed” for instructions, they got the FBI substitutes instead. The FBI machines responded by sending commands ordering the malicious Coreflood software inside the bot computers to sleep – just do nothing.
As a result, by late last month, the number of Coreflood bots in the network that were actively “phoning home” had dropped by 90 percent, according to federal court filings last week. But that was not a permanent fix. Putting the program to sleep is not the same as removing it. Unless the malware is removed by a Microsoft or antivirus update downloaded onto the computer, it will start up again the next time the computer is rebooted.
So Step 2 began last week with the FBI seeking and getting court permission to send a “kill” command to those same computers, effectively uninstalling the botnet software. Before it sends the command, however, the FBI told the court it would get written permission from each computer owner, the court filing said.
“These actions to mitigate the threat posed by the Coreflood botnet are the first of their kind in the United States and reflect our commitment to being creative and proactive in making the Internet more secure,” Shawn Henry, executive assistant director of the FBI’s Criminal, Cyber, Response and Services Branch, said in a statement.
Privacy advocates concerned
Still, the idea of having the FBI sending commands to a million computers with unknown impact on the computers is unsettling to privacy advocates.
“It's a terrible, huge botnet and if the FBI can take it out it would erase a few problems,” acknowledges Chris Palmer, technology director for the Electronic Frontier Foundation, a computer privacy group based in San Francisco. “I do worry about what could happen to individuals’ computers if things don't go well. I just hope it doesn't expand beyond the noble goal.”
Others echo that view.
“If it doesn't work, we can't say where it might lead,” writes Paul Ducklin, head of technology in the Asia Pacific region for Sophos, a computer security firm based in Britain. “Will the next step be that the cops give up? Or that they push for yet more power? And, whichever way they go, how will people react?”
So far, however, the benefits appear clear to at least some victims waking up to the threat. In one example, the chief information security officer of a hospital health-care network discovered that 2,000 of the hospital’s 14,000 computers were infected by Coreflood. Because of the FBI’s move to put Coreflood out of action, the hospital was able to investigate and repair its machines instead of desperately trying to stop data from being pulled out of thousands of infected computers, according to the court filing.
But with millions of botnets available to take down, why focus on Coreflood? Though the Coreflood gang took care to remain “below the radar,” investigators say they may have finally hit a nerve – a US government so sensitized to data theft by repeated cyberintrusions that it apparently decided enough was enough.
“Part of the reason I think it received some attention by the government is that Coreflood steals an enormous amount of data,” says Don Jackson, director of threat intelligence for Dell SecureWorks in Atlanta, whose company is one of the few to study the botnet in detail since 2003.
Unlike a far more well-known banking botnet program called Zeus, which is programmed to know exactly which bits and bytes to go after to make money, financial records were “just part of volumes of information” that Coreflood stole.
“Coreflood itself is indiscriminate,” Mr. Jackson says. “It will steal all the information in your docs folder, it will steal all the passwords, all the e-mail accounts, upload all of that to the servers. Most of it may never be seen by the [Coreflood] operators. They're just searching for information in that vast data store that they can use. But within that information – because it does steal everything, and monitors everything – it transfers a lot of data back to the operators. And that includes information for sensitive government systems.”
In case of one key state police law enforcement computer system it infiltrated, Coreflood captured passwords so “you could tell which drug dealer had a civilian informant sign an affidavit in order to produce a warrant,” Jackson says.
Master key for embassy in Middle East
“One of the more telling pieces of information we found was a login – basically a master key to the networks at US embassies in Middle Eastern countries,” Jackson says. “Whether the operators [of Coreflood] realized they had that or not is one thing. But if they did, it’s a huge risk to have that in the hand of Russian criminals and the kinds of people they associate with.”
Asked to describe which embassies, Jackson said the master key was “for one US embassy in this case. We turned that over to the DOJ, and the State Department took measures – more than a year ago – and it’s been well taken care of.... That’s a good example of the kind of information Coreflood steals in systems that would really be worthy of the government's interest.”
Was there a tipping point that led the FBI to swoop in on Coreflood? Apparently it took Coreflood hammering several agencies, including Pentagon systems.
“The embassy systems [that were affected] were the State Department’s,” he says. “What I can say about it is that government and military systems were impacted by it – some many years ago…. Some agencies were aware of it a lot earlier than others.”