Security Bytes

Apr 13 2011   11:11PM GMT

DOJ and FBI shut down massive Coreflood botnet



Posted by: Marcia Savage

The U.S. Department of Justice and FBI said they disabled a massive, international botnet that snatched user names, passwords and financial information used by criminals to steal money.

The Coreflood botnet is believed to have operated for nearly a decade and to have infected more than two million computers worldwide, they said.

In the action announced Wednesday, federal authorities seized five command-and-control servers and 29 domain names used by the botnet. The government also filed a civil complaint against 13 “John Doe” defendants, alleging wire fraud, bank fraud and illegal interception of electronic communications. In addition, the U.S. obtained a temporary restraining order that authorizes it to replace the C&C servers with substitute servers to prevent further infection to the compromised computers.

“These actions to mitigate the threat posed by the Coreflood botnet are the first of their kind in the United States and reflect our commitment to being creative and proactive in making the Internet more secure,” Shawn Henry, executive assistant director of the FBI’s Criminal, Cyber, Response and Services branch, said in a prepared statement.

“It appears the cybercriminals behind Coreflood were able to turn the botnet into a money-making machine. It is hard to estimate the actual loot, but the criminals likely made tens of millions of dollars, based on the estimates in the complaint filed by the Department of Justice,” Dave Marcus, McAfee Labs research and communications director, said in an email. “It is not outside of the realm of possibility that they netted more than US$100 million. The attackers were collecting personal information including bank account details over a period of time.”

While the U.S. action completely disables the existing Coreflood botnet, it doesn’t stop criminals from trying to build another botnet using a different version of the Coreflood malware, authorities warned.


X3  |   Apr 17 2011   2:20PM GMT

Technology right now is not that heavy when it comes to defense system. Many things right now can possibly pass through these walls, and even the FBI or any other defense department in the US can’t control this.


 


Netlawman  |   Apr 22 2011   11:58AM GMT

I agree that “Technology right now is not that heavy when it comes to defense system. Many things right now can possibly pass through these walls, and even the FBI or any other defense department in the US can’t control this.”



 

123av  |   Apr 28 2011   6:15AM GMT

I was very pleased to find this site. I wanted to thank you for this great read!! I definitely enjoyed every little bit of it and I have you bookmarked to check out new stuff you post. Today the technology has various innovations.


 

Imarion  |   Oct 6 2011   11:14AM GMT

“…The group of computers infected with Coreflood, known as the Coreflood botnet, is suspected by the U.S. of operating for almost a decade. Coreflood installs itself by exploiting a vulnerability in the Windows operating system…”

10 years!

If this was a defective car people would be up in arms and lawsuits would be flying.