FBI Remotely Uninstalled Coreflood Malware from 19,000 Computers

The FBI has remotely uninstalled Coreflood botnet clients from roughly 19,000 computers in a first-of-its-kind law enforcement operation.

Coreflood is one of the oldest botnets, dating back to 2002. Over its lifetime it infected a total of 2.3 million computers, and from March 2009 to February 2010 alone it stole 190 GB of sensitive data, including online banking passwords.

Earlier this year, the FBI obtained a court order allowing it to seize five Coreflood command and control servers, as well as 29 domain names used by attackers to communicate with the botnet.

The judge also authorized the bureau to set up a sinkhole server in order to send "stop" commands to all Coreflood-infected machines. In addition, the agency began working with ISPs to identify and notify the owners of the compromised computers.

Following this initial action, the judge extended the FBI's authority to also issue remote uninstall commands to machines whose owners agreed to the procedure. Unlike the stop commands, which only disabled bot clients until the next reboot, the uninstall command removes them permanently.

Krebs on Security reports that since then the FBI has uninstalled the malware from 19,000 computers. This was revealed in a declaration filed with the court by FBI Special Agent Kenneth Keller.

The computers belonged to 24 victims, mainly organizations and companies, and no adverse effects were reported. Keller also said the bureau shared information with 25 of the largest ISPs in the US to help them identify affected customers.

Keller also asked for permission to take the sinkhole server offline, since most of the botnet has now been disabled. "The continued operation of the substitute server is consuming considerable law enforcement resources, because the server is being closely monitored to ensure its proper operation," he said.