Court order cripples Coreflood botnet, says FBI

26 April 2011
Although the Federal Bureau of Investigation (FBI) said a federal temporary restraining order has crippled the Coreflood botnet in the U.S., Microsoft today took the unusual step of pushing a second version of its monthly malware cleaner to Windows users to again quash the botnet.

Coreflood made the news earlier this month when the U.S. Department of Justice (DOJ) and FBI obtained an unprecedented temporary restraining order that allowed them to seize command-and-control servers that managed the botnet's estimated 2.3 million compromised PCs.

Those servers were replaced by government-controlled systems.

The court order also allowed the DOJ and FBI to use those replacement servers to answer infected PCs that checked in for new instructions with a command that disabled Coreflood on the machine, but did not uninstall it.

In an affidavit filed in a Connecticut federal court last Saturday, FBI Special Agent Briana Neumiller said that the server seizure and "kill-switch" instructions issued to the malware have crippled the botnet.

On April 13, the day after the DOJ and FBI seized the Coreflood servers, the government replacements received nearly 800,000 command requests, or "beacons," from Coreflood-infected machines in the U.S. A week later, the number of beacons had plummeted to less than 100,000.
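The beacon counts above are the kind of figure a sinkhole operator derives from the replacement servers' request logs. The following is an added example, not code from the article or from the FBI's operation: it parses a constructed, hypothetical sinkhole log (the line format, the `/beacon` path and the IP addresses are all assumptions) and reports, per day, both the raw beacon count and the number of distinct beaconing addresses, plus the fractional decline between two days.

```python
import re
from collections import defaultdict

# Constructed sample sinkhole log (hypothetical format; not real Coreflood data).
# Each line: ISO timestamp, source address, request line.
SAMPLE_LOG = """\
2011-04-13T00:01:02Z 198.51.100.7 GET /beacon
2011-04-13T00:01:09Z 198.51.100.7 GET /beacon
2011-04-13T02:15:44Z 203.0.113.45 GET /beacon
2011-04-13T05:30:00Z 192.0.2.200 GET /beacon
2011-04-14T01:00:00Z 198.51.100.7 GET /beacon
2011-04-20T09:12:13Z 203.0.113.45 GET /beacon
2011-04-20T10:00:00Z 203.0.113.45 GET /beacon
this line is malformed and must be skipped
"""

# Date portion of the timestamp, then the source address, then the beacon path.
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2})T\S+ (\S+) GET /beacon$")


def parse_beacons(text):
    """Yield (day, source_ip) for every well-formed beacon line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group(1), m.group(2)


def beacons_per_day(text):
    """Return {day: (raw_beacon_count, distinct_source_count)} sorted by day.

    Raw beacons over-count infections because a bot that is polling checks in
    repeatedly; distinct addresses are the better proxy for infected hosts,
    though NAT merges several hosts into one address and DHCP can split one
    host across several.
    """
    raw = defaultdict(int)
    sources = defaultdict(set)
    for day, ip in parse_beacons(text):
        raw[day] += 1
        sources[day].add(ip)
    return {day: (raw[day], len(sources[day])) for day in sorted(raw)}


def decline(stats, first_day, last_day):
    """Fractional drop in distinct beaconing sources between two days.

    Returns 0.0 when the first day saw no beacons so the caller never divides
    by zero on a sparse log.
    """
    before = stats.get(first_day, (0, 0))[1]
    after = stats.get(last_day, (0, 0))[1]
    if before == 0:
        return 0.0
    return 1.0 - after / before


if __name__ == "__main__":
    stats = beacons_per_day(SAMPLE_LOG)
    for day, (raw, distinct) in stats.items():
        print(f"{day}: {raw} beacons from {distinct} distinct sources")
    print(f"decline 2011-04-13 -> 2011-04-20: {decline(stats, '2011-04-13', '2011-04-20'):.0%}")
```

Reporting distinct sources rather than raw beacons matters when comparing days: a bot that beacons every few minutes inflates the raw figure without representing more victims, which is why the "beacon" totals quoted in the affidavit should be read as an upper bound on infected hosts rather than a census.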