
Thursday, April 14, 2011

Cyber theft ring dismantled

A crime ring that stole information from infected computers and used it in electronic thefts all over the world has been shut down in the USA, but it may live on in other countries.

A piece of malicious software (malware) called "Coreflood" infected millions of computers around the world over almost a decade and made them remotely controllable by the thieves through another computer, technically known as a "command and control (C&C) server". US authorities shut the ring down and sent remote orders to infected computers in the country to stop the malware, but the scheme may continue elsewhere, since criminals in Russia are suspected to be behind it. The U.S. Attorney for the District of Connecticut filed a civil complaint against 13 foreign defendants whose identities and nationalities were not disclosed, and the Justice Department opened an investigation.

Civil liberties advocates argue that the remote orders the FBI sent to affected computers, telling them to stop sending stolen data and to shut the malware down, set a precedent for serious Fourth Amendment violations, however effective they were. Many are unhappy that a judge may have authorized the FBI to send commands to their computers without their consent, or even notification, and without the cooperation of their internet service providers. The silent kill signal sent by the FBI was rarely noticed by users, and since a reboot may reactivate the malware, everyone affected should still clean their computer properly. "Coreflood" makes the infected computer periodically contact ("beacon") the C&C server for instructions; the orders it receives tell it to collect information about the computer and about other computers on the local network, record keystrokes, download and run programs from the Internet, and update "Coreflood" to more sophisticated versions.
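The periodic beaconing described above is exactly what a defender can look for in resolver or proxy logs: a bot driven by a timer queries the same name at near-constant intervals, while human browsing does not. The following is an added example, not code from the original post or from any Coreflood analysis. It runs over a constructed DNS log (the Coreflood domain name is taken from the post; the timestamps, client addresses and the benign example.com names are invented) and flags (client, name) pairs whose inter-query gaps have a very low coefficient of variation. The log format and the thresholds are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed resolver log: "<ISO timestamp> <client IP> <queried name>".
# The Coreflood domain comes from the post; everything else is invented.
SAMPLE_LOG = """\
2011-04-12T08:00:03 10.0.0.7 jane.unreadmsg.net
2011-04-12T08:00:05 10.0.0.9 www.example.com
2011-04-12T08:30:02 10.0.0.7 jane.unreadmsg.net
2011-04-12T08:41:17 10.0.0.9 mail.example.com
2011-04-12T09:00:04 10.0.0.7 jane.unreadmsg.net
2011-04-12T09:12:55 10.0.0.9 www.example.com
2011-04-12T09:30:03 10.0.0.7 jane.unreadmsg.net
2011-04-12T09:58:40 10.0.0.9 www.example.com
2011-04-12T10:00:02 10.0.0.7 jane.unreadmsg.net
2011-04-12T10:30:01 10.0.0.7 jane.unreadmsg.net
"""


def parse_log(text):
    """Group query timestamps by (client, queried name), sorted in time."""
    series = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, name = line.split()
        key = (client, name.lower().rstrip("."))
        series[key].append(datetime.fromisoformat(ts))
    for key in series:
        series[key].sort()
    return series


def beacon_score(times):
    """Return (mean gap in seconds, coefficient of variation of the gaps)
    for a sorted time series, or None when fewer than two gaps exist."""
    if len(times) < 3:
        return None
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    avg = mean(gaps)
    if avg <= 0:
        return None
    # Timer-driven check-ins give a spread that is tiny relative to the mean.
    return avg, pstdev(gaps) / avg


def find_beacons(text, min_queries=4, max_cv=0.1):
    """List (client, name, mean_gap_s, cv) for series with enough queries
    and near-constant spacing, most regular first. Thresholds are assumed."""
    hits = []
    for (client, name), times in parse_log(text).items():
        if len(times) < min_queries:
            continue
        score = beacon_score(times)
        if score is None:
            continue
        avg, cv = score
        if cv <= max_cv:
            hits.append((client, name, avg, cv))
    return sorted(hits, key=lambda h: h[3])


if __name__ == "__main__":
    for client, name, avg, cv in find_beacons(SAMPLE_LOG):
        print(f"{client} -> {name}: every {avg:.0f}s (cv={cv:.4f})")
```

Regular check-ins are also produced by legitimate software (update checks, time sync), so a hit is a triage lead, not proof of infection; the name the client keeps resolving, its registration history and who else is querying it decide the rest. Because the series is keyed by name, a monthly change of C&C domain like the one described later in the post starts a new series, so look at the same client across names when one series ends and another of the same period begins.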

A computer infected with malware that lets outsiders control it is called a bot (a sort of software robot), and a group of such bots controlled by one or more related C&C servers forms a network called a botnet. The bots can thus be remotely ordered by criminals to send sensitive information that is then used in fraud schemes. An undisclosed number of C&C servers in the USA were identified, but such servers may exist in other countries too.

To understand the scheme, imagine that Russian criminals can remotely access, from their homes, a C&C server in the USA and through it take control of an infected computer anywhere in the world. Computers enslaved by the "Coreflood" malware are ordered to send the criminals the information stored on them, including internet communications and everything typed on the keyboard: account names, passwords, bank account numbers, PIN codes and other sensitive data. The criminals went so far as to take over online banking sessions after the user had logged in and to direct fraudulent wire transfers to accounts in tax havens.

Although the exact size of the botnet cannot be known, since the number of infected computers changed constantly as new ones were infected while others were cleaned and sometimes re-infected, a survey from March 2009 to January 2010 shows that a single server collected 190 GB of data from 413,719 computers connected to the Internet. If printed, the information would have filled 1.5 billion pages, a pile about 90 miles (almost 145 km) high.

The "Coreflood" botnet was controlled through C&C servers with assigned IP addresses, but the infected computers did not contact these servers by IP address; they used domain names, such as jane.unreadmsg.net or vaccina.medinnovaion.org, that changed every month. The criminals used stolen or fictitious identities to register the "Coreflood" domains. On April 12 all "Coreflood" C&C servers and domains were seized, breaking the criminals' hold on the infected computers and practically eliminating their command and control capability, with the FBI taking over the botnet's means of communication. Many unsuspecting computer users remain at considerable risk, as their computers still run the malware, keep gathering sensitive information and beacon regularly to C&C servers that no longer exist. The same criminals, or others, may try to regain control of those computers and continue the theft. The FBI replaced the seized servers with substitutes run under its supervision, and all infected computers in the USA beaconing for instructions were ordered to stop running "Coreflood".

This is the first case in the United States in which the FBI seized criminal servers and replaced them with government servers able to intercept communications between infected systems and the C&C infrastructure. Last year Dutch authorities used the same method to dismantle the Bredolab botnet, remotely installing and running a program on infected computers to notify users that their systems were infected.

1 comment:

  1. Working on a computer connected to the Internet is more dangerous than working in the middle of Times Square, where only a limited number of folks can look over your shoulder. Over the Internet anyone may see what you are doing. My advice: computers are not so expensive today. Keep one only for work on the Internet. For the rest of your job, stay offline as much as possible. The big ones are next door (BIG BROTHER, BIG BAD WOLF and so on) :)

