The Coreflood takedown: building a better, broader botnet response

Posted on April 15, 2011 - 11:33 by imeister

Wednesday’s court-sanctioned takedown of the Coreflood botnet by the Department of Justice and the FBI has made big headlines in badware news. This is the second high-profile takedown to make it through the U.S. court system in as many months; Microsoft persuaded a court to allow them to take down the Rustock botnet only a month ago. But there are some key differences in the legal posture and tactics used in Coreflood that should inform future efforts to take down botnets — and invite further questions.

  1. Government in the driver’s seat. The biggest procedural departure in the Coreflood action is the party bringing it: a government attorney, not a private corporation, is asking the court system for relief. When Microsoft filed suit in a federal court in Washington to shut down the Rustock botnet, it was not enough simply to present the court with strong evidence that illegal activity was taking place and that its proposed takedown tactics would stop it — it had to carry the burden of showing how Microsoft itself was harmed by the botnet’s activities. It took Microsoft an entire month to obtain the restraining order it required. The U.S. Attorney in the Coreflood action, by contrast, benefited from the legal presumption that the government has standing to act to stop Coreflood’s illegal activity (wire fraud, bank fraud, and illegal wiretapping): within two days of filing its complaint, the necessary restraining order was issued.
  2. Disabling the botnet, not just its heads. When Microsoft took down the Rustock botnet, it did so by seizing the U.S.-based command and control servers it had identified and disabling the domain names and DNS records Rustock used to route bot traffic to the servers. This left the Rustock botmasters unable to issue further orders to the compromised computers and eliminated the immediate threat Rustock posed; however, it left no obvious path for identifying and targeting individual bots for cleaning. In the Coreflood action, the court’s restraining order directed registrars and DNS providers to point the seized domains to two specially designed servers set up at the Internet Systems Consortium. The servers transmit a ‘kill’ signal to botnet members and log their IP addresses for followup. This approach transfers, rather than destroys, control of the botnet to law enforcement, and in so doing preserves the ability to identify botnet members as they ‘check in’ with the new command and control servers.
  3. Working with partners to clean affected computers. In addition to partnering with the Internet Systems Consortium, the government also coordinated the Coreflood shutdown with Microsoft. In a security bulletin released yesterday, Microsoft provided full disclosure of the workings of the Coreflood badware and updated its free Malicious Software Removal tool to allow affected users to clean their computers. According to Wired's Threat Level blog, the government intends to provide lists of affected U.S. IP addresses (which the government claims make up 1.8 million of the 2.3 million Coreflood botnet members) to ISPs so that users with compromised computers can be notified.

At this point, the Coreflood takedown seems like a valuable re-imagining of the legal and logistical processes used in past takedowns. While some, including the EFF, have expressed concerns about the government issuing commands to U.S. computers via a specialized command and control server, the question begs: is there a more appropriate party to request relief when U.S. law is violated? The takedown order and planned government response bear many of the hallmarks of the sort of collaboration StopBadware believes is critical to fighting badware. The government has enlisted registrars, registries, and DNS providers to wrest control of a botnet; Microsoft, to provide a freely available cure for infected computers; and is about to enlist ISPs to encourage users to rid themselves of badware.

It’s an object lesson in the need to coordinate among stakeholders in the Internet ecosystem, and it acknowledges that infected users and computers are important participants in that ecosystem. While the criminal activity enabled by botnets like Coreflood is the most obvious target for remediation, every member of a botnet is, by definition, a computer with unpatched and exploitable software vulnerabilities that can enable future badware infection.

Will ISPs succeed in notifying their users about Coreflood infections? Will users be able to clean their computers effectively? The success — or failure — of this initiative should reveal a lot about the effectiveness of holistic approaches like this one.