The U.S. Department of Justice and FBI have disabled Coreflood, a decade-old botnet that has infected more than 2 million computers, by seizing the five command and control servers and 29 domain names used by the botnet and replacing the servers with ones under government control, the Department of Justice said in an April 13, 2011 press release.

Coreflood has compromised numerous victims' bank accounts by stealing their user names, passwords and other personal financial information, the government said. The malware is designed to record keystrokes and control a victim's computer remotely via one of its command and control servers.

Targeted accounts include payment cards serviced by credit unions, Dell SecureWorks Director of Threat Intelligence Don Jackson said. He added that Coreflood operators also reached some credit unions indirectly, by infecting machines at the companies and organizations those credit unions were chartered to serve.

The U.S. Attorney's Office for the District of Connecticut filed a civil complaint dated April 11 against 13 “John Doe” defendants alleging that they had committed “wire fraud, bank fraud and illegal interception of electronic communications” and obtained a temporary restraining order to seize Coreflood, the statement read.

The temporary restraining order, which the FBI New Haven Field Office posted on its website, allows U.S. authorities to send each infected computer a command that shuts off the malware's operations. It also gave officials permission to set up a replacement server at Internet Systems Consortium, an Internet hosting provider, from which they could issue the stop commands. The stop command only halts the running malware; it does not remove Coreflood from the machine, so infected computers still need to be cleaned to keep the malware from starting again.

The first-of-its-kind government move follows a major bust last fall in New York of account-raiding cyber thieves, who were arrested for using the Zeus Trojan to steal at least $3 million from bank accounts.

“The actions announced today are part of a comprehensive effort by the department to disable an international botnet, while at the same time giving consumers the ability to take necessary steps to protect themselves from this harmful malware,” Assistant Attorney General Lanny A. Breuer of the Criminal Division said in the statement.

The government promised that the Coreflood intervention would not compromise infected computer users' private information, stating, “At no time will law enforcement authorities access any information that may be stored on an affected computer.”

Officials also said owners of infected computers would be given the option to opt out of the temporary restraining order should they wish, for some reason, to continue running Coreflood on their computers.

Jackson said many experts agree the government takedown was successful and well thought-out, and that it set an example for a promising new response model.

“All options regarding the interaction with infected computers were carefully analyzed for possible unintended consequences, and sound decisions were made to protect the owners and users at all cost,” Jackson said. “Evidence suggests that the same inscrutable attention to detail was given to legal and political issues as well, not just the technical ones.”

He explained that Coreflood operators affected credit unions by stealing data from companies and organizations with a large number of employees belonging to the same credit union.

“Let's say a credit union is chartered to serve telephone company employees and the office network inside the telephone company headquarters–staffed by 5,000 credit union members–is infected by Coreflood,” Jackson gave as an example. “That credit union is likely to be disproportionately affected by related fraud.”


Natasha Chilingerian