Apr. 30th, 2011

thewayne
So the FBI, in an amazingly smart move, seized the command and control (C&C) servers of the Coreflood botnet, effectively neutering the network. But that neutralizes the network; it doesn't shut it down. Infected machines like these, when they can't reach their C&C servers, will frequently look for them elsewhere, so it's possible that they are even now actively seeking new commanders. It's also possible that the FBI succeeded in analyzing the malware and either knows where the bots will be looking or knows that they will not look for new commanders at all.

Some botnet trojans are encrypted (I have no idea whether Coreflood is), so it's possible the FBI is in the dark as to whether the infected computers are trying to find new masters.
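To make the "seeking new commanders" behaviour concrete, here is an added example (mine, not from the original post, and not a description of Coreflood's real protocol, which the post says is unknown). It models a bot that tries its primary C&C and, when that name no longer resolves, walks a deterministic list of fallback domains derived from a secret shared with the operator; it then shows the defender's side, a detector that flags hosts producing a burst of NXDOMAIN answers in DNS logs. The domain-generation scheme, the names, the IP addresses, the log format and the thresholds are all constructed for the example. Note that the scenario assumes the seized server simply goes silent; a replacement server that keeps answering would not produce these failed lookups.

```python
import hashlib
import math
from collections import Counter, defaultdict

# All names, seeds and addresses below are constructed for this example.
PRIMARY_CNC = "cnc-primary.example"
SEED = b"shared-secret-baked-into-the-bot"
TLD = ".example"


def candidate_domains(seed, day, count=8):
    """Hypothetical fallback scheme: hash(seed || day || index) -> 12 hex chars.
    Bot and operator share the seed, so the operator knows in advance which
    names to register once the primary C&C goes dark."""
    names = []
    for i in range(count):
        digest = hashlib.sha256(seed + day.to_bytes(4, "big") + bytes([i])).hexdigest()
        names.append(digest[:12] + TLD)
    return names


class LoggingResolver:
    """Stand-in for the network: a static name table plus a DNS-style query log
    in the constructed format '<src_ip> <qname> <rcode>'."""

    def __init__(self, table):
        self.table = dict(table)
        self.log = []

    def lookup(self, src, qname):
        ip = self.table.get(qname)
        self.log.append(f"{src} {qname} {'NOERROR' if ip else 'NXDOMAIN'}")
        return ip


def bot_find_controller(resolver, src, seed, day):
    """The behaviour described in the post: talk to the primary C&C if it is
    reachable, otherwise walk the candidate list until one name resolves.
    Returns (name, ip) or None if no controller can be found."""
    ip = resolver.lookup(src, PRIMARY_CNC)
    if ip:
        return PRIMARY_CNC, ip
    for name in candidate_domains(seed, day):
        ip = resolver.lookup(src, name)
        if ip:
            return name, ip
    return None


def shannon_entropy(label):
    """Bits per character of a DNS label; random-looking labels score high."""
    counts = Counter(label)
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def flag_fallback_seekers(log_lines, min_nxdomain=5, min_ratio=0.5):
    """Defender's view: a host that suddenly collects many NXDOMAIN answers,
    mostly for names nobody else asks about, is probably hunting for a new
    controller. Returns {src_ip: stats} for hosts over both thresholds."""
    stats = defaultdict(lambda: {"total": 0, "nxdomain": 0, "qnames": []})
    for line in log_lines:
        src, qname, rcode = line.split()
        s = stats[src]
        s["total"] += 1
        if rcode == "NXDOMAIN":
            s["nxdomain"] += 1
            s["qnames"].append(qname)
    flagged = {}
    for src, s in stats.items():
        if s["nxdomain"] >= min_nxdomain and s["nxdomain"] / s["total"] >= min_ratio:
            labels = [q.split(".")[0] for q in s["qnames"]]
            # Secondary signal, not part of the decision: how random the failed labels look.
            s["mean_label_entropy"] = sum(map(shannon_entropy, labels)) / len(labels)
            flagged[src] = s
    return flagged


def run_scenario(day=15000):
    """Primary C&C seized and silent; the operator has registered candidate #5.
    One infected host (10.0.0.7) hunts for it; one clean host (10.0.0.9) does
    ordinary lookups with a single typo."""
    cands = candidate_domains(SEED, day)
    resolver = LoggingResolver({
        cands[5]: "203.0.113.5",
        "www.example": "198.51.100.1",
        "mail.example": "198.51.100.2",
    })
    found = bot_find_controller(resolver, "10.0.0.7", SEED, day)
    for q in ["www.example", "mail.example", "www.example", "wwww.example", "mail.example"]:
        resolver.lookup("10.0.0.9", q)
    return found, flag_fallback_seekers(resolver.log)


if __name__ == "__main__":
    found, flagged = run_scenario()
    print("bot rendezvoused with:", found)
    for host, s in flagged.items():
        print(f"{host}: {s['nxdomain']}/{s['total']} NXDOMAIN, "
              f"mean label entropy {s['mean_label_entropy']:.2f}")
```

In the scenario the infected host makes seven lookups, six of which fail before the registered candidate answers, while the clean host has one failure in five; only the former crosses the count and ratio thresholds. The entropy figure is reported rather than used as a gate because a short random-looking label can by chance score low, so the decision rests on the deterministic NXDOMAIN burst.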

So the FBI is going to remotely uninstall the trojan from some infected computers, but only from computers whose owners have given authorization. I would imagine there is some risk that it will blow out the OS on some machines, especially in the probable event that some of them have multiple trojans installed. (Amusing fact: some trojans, when launched on a PC, would look for other trojans already present and destroy them so they'd have the computer's full and undivided attention.)

http://it.slashdot.org/story/11/04/27/217221/Feds-To-Remotely-Uninstall-Bot-From-Some-PCs
I think this is a somewhat risky proposition. Personally, I'd prefer to be notified that my computer is compromised so that I could take action to clean it, or wipe it and reinstall, rather than having the FBI remotely uninstall it. The FBI has sworn that they won't poke around on computers that are being cleaned in this fashion, and they probably aren't, but what guarantee do you have of that?

Especially after this....

The Department of Justice conducted an audit of "the FBI's ability to address national security cyberthreats today. The DOJ looked at 10 of the 56 FBI field offices and interviewed 36 agents. Of those interviewed, 13 'lacked the networking and counterintelligence expertise to investigate national security intrusion cases.'"

So did the FBI get lucky, with the offices and agents involved in the Coreflood takedown happening to be among those who did not lack such expertise?

http://www.networkworld.com/news/2011/042711-fbi-cyber-intrusions.html?hpg1=bn

http://yro.slashdot.org/story/11/04/28/036243/Report-Critical-of-FBI-Cybercrime-Fighting-Ability
