Coreflood and Communication Controls
This week, the U.S. Department of Justice and the FBI took action to disable the “Coreflood” botnet. In an unprecedented move, a federal judge granted authorities permission to seize control of the botnet, which had compromised private computers with malicious software that captured users’ online banking credentials. The Internet Systems Consortium, a non-profit organization, was given permission to take over the botnet’s command-and-control servers, which were used to communicate with infected private computers, and replace them with its own. These substitute servers respond to command-and-control requests from infected computers with a “stop” command, effectively interrupting the botnet by halting the malware on the victims’ machines without removing it. According to this Wired article, Coreflood is designed to start again whenever an infected computer is rebooted, so the replacement servers must send the “stop” command after every reboot until the malware is removed from the victim’s computer. Dutch authorities used a similar method in 2010 to take down the Bredolab botnet.
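How a substitute server of this kind interrupts a botnet can be shown with a small simulation. The Python below is an added example written for this post; it is not Coreflood’s protocol and not the Internet Systems Consortium’s code. The beacon format, the `stop` reply, the `run` reply of the criminals’ own server, and the per-host check-in log (used here to list machines that keep reporting after every reboot and so have not been cleaned) are all assumptions.

```python
# Added example: a toy command-and-control sinkhole, not Coreflood's real protocol
# or ISC's code. Beacon fields, the "stop"/"run" replies and the check-in log are
# assumptions made for illustration.
from collections import Counter
from dataclasses import dataclass, field


class OriginalC2:
    """The criminals' server: keeps the malware active and hands it work."""

    def handle(self, beacon: dict) -> dict:
        return {"cmd": "run"}  # assumed: any reply other than "stop" keeps the bot running


@dataclass
class Sinkhole:
    """Substitute server: log every check-in, always answer 'stop', never send anything else."""

    beacons: Counter = field(default_factory=Counter)  # bot_id -> number of check-ins

    def handle(self, beacon: dict) -> dict:
        self.beacons[beacon["bot_id"]] += 1
        return {"cmd": "stop"}

    def still_infected(self, min_beacons: int = 2) -> list:
        """Hosts that check in again after every reboot have not had the malware removed."""
        return sorted(b for b, n in self.beacons.items() if n >= min_beacons)


@dataclass
class InfectedHost:
    bot_id: str
    infected: bool = True
    running: bool = False

    def reboot(self, c2) -> bool:
        """Persistence relaunches the bot at boot; it checks in and obeys the reply.

        Returns whether the malware is still running after this boot.
        """
        if not self.infected:
            self.running = False
            return False
        self.running = True                      # started by the persistence mechanism
        reply = c2.handle({"bot_id": self.bot_id})
        if reply.get("cmd") == "stop":
            self.running = False                 # halted, but still installed
        return self.running

    def remove_malware(self) -> None:
        """The victim cleans the machine; nothing will start at the next boot."""
        self.infected = False
        self.running = False


def simulate(c2, cleanup_after: dict, reboots: int = 4) -> dict:
    """cleanup_after maps bot_id -> boot number after which the victim cleans the
    machine (None = never). Returns bot_id -> list of 'running' after each boot."""
    hosts = {bid: InfectedHost(bid) for bid in cleanup_after}
    history = {bid: [] for bid in hosts}
    for boot in range(1, reboots + 1):
        for bid, host in hosts.items():
            history[bid].append(host.reboot(c2))
            if cleanup_after[bid] == boot:
                host.remove_malware()
    return history


if __name__ == "__main__":
    sink = Sinkhole()
    print(simulate(sink, {"A": None, "B": 1}))   # A never runs but keeps beaconing
    print(sink.still_infected())                  # ['A']: needs victim notification
    print(simulate(OriginalC2(), {"A": None}))    # under the real C2, A runs after every boot
```

The point the simulation makes is the one in the Wired description: the sinkhole only stops the malware for the current session, so a host that is never cleaned beacons again at every boot. That is also why an operator of such a server ends up holding a list of victims who still need to be notified.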
Botnets have become a popular tool in the underground economy of cyber crime. By exploiting personal computers infected with malware, effectively turning them into “zombie computers” controlled by a botmaster, criminals have built a lucrative business. According to this US request filing, Coreflood victims included private companies such as a North Carolina investment firm and a Tennessee defence contractor, which lost USD 151,201 and USD 241,886 respectively. In late 2010, Nart Villeneuve and the Information Warfare Monitor released Koobface: Inside a Crimeware Network, a report on the Koobface botnet detailing its propagation strategies, counter-security measures, and business model. Villeneuve found that over the course of one year, through pay-per-click and pay-per-install affiliate programs, forcing compromised computers to install malicious software, and click fraud, Koobface operators earned over USD 2 million.
The Globe and Mail notes that, “the Coreflood investigation was aided immensely by a geographic fluke – the fact that many of the perpetrators and victims resided within a single jurisdiction, the United States”. Indeed, Villeneuve explains, botnet operators benefit from the fact that their criminal acts spread across multiple jurisdictions; this often complicates investigations and hinders law enforcement and takedown efforts. In the case of Coreflood, US authorities were able to take over the botnet because its servers were located within US jurisdiction, in Georgia, Texas, Ohio, California, and Arizona. For the official documents, see here for the Justice Department’s press release, here for the complaint, here for the seizure warrant, and here for the Coreflood temporary restraining order.
Users have expressed discomfort with the government performing actions against their computers. In this Wired article, the EFF commented, “Even if we could absolutely be sure that all of the infected Coreflood botnet machines were running the exact code that we reverse-engineered and convinced ourselves that we understood this would still be an extremely sketchy action to take. It’s other people’s computers and you don’t know what’s going to happen for sure. You might blow up some important machine.”
While underground crime represents one aspect of the economics of cyberspace, the global economy of cyber controls represents another. A few weeks ago, we reported on the release of the OpenNet Initiative’s West Censoring East: The Use of Western Technologies by Middle East Censors, 2010-2011, a report that details the complicity of Western companies (Websense, Netsweeper, Intel) in the online censorship of over 20 million citizens in nine countries in the Middle East and North Africa. The complicity of Western companies in filtering has placed a major spotlight on the actions of private actors in cyberspace. While some companies, such as Google, have pulled out of territories demanding their compliance in censorship, others, such as RIM, have decided to adjust their policies to appease governments. This week, RIM’s Mike Lazaridis walked out of a BBC interview when asked whether “security issues” in India and the Middle East had been “sorted out”, a reference to the security implications for users in territories where governments have threatened to ban the service if the company fails to comply with their requests for access to encrypted communications. Yesterday, it was reported that the UAE government had asked the telecom companies Etisalat and Du to restrict access to a new and more secure version of BlackBerry’s service to “qualifying organizations” only, not private individuals.
While restrictive cyberspace controls are often thought of as a characteristic of authoritarian governments, this week Canadians were informed of a plan by their own government to enact greater control over their communications.
In Canada, the Conservative government included in its election platform a commitment to pass a bundled “crime and justice” bill, including lawful access legislation, through Parliament within 100 days if re-elected. Michael Geist has a timely analysis of this issue in this blog post. As Geist states, the bill will “fundamentally reshape the Internet in Canada”: it establishes a three-pronged approach to lawful access, focusing on information disclosure, mandated surveillance technologies, and new policing powers. It will establish Internet surveillance requirements and create the conditions for disclosure of personal information (IP address, device identification numbers, address, phone number, etc.) without court oversight. It will require ISPs to build technical surveillance capabilities in order to isolate communications and carry out interception. Police will also be given new powers to access surveillance data. Cyber crime is a serious issue that requires focused attention. However, the possible impact of these proposals on user privacy in Canada is a cause for concern.
“RIM has decided to adjust its policies to appease governments”??? That’s a surprisingly biased comment considering how hard RIM is working to NOT sell their clients up the river. It’s also not a true comment.
Here’s RIM co-CEO Jim Balsillie’s response to that canard in a WSJ interview…
http://online.wsj.com/public/page/0_0_WP_3001.html?currentPlayingLocation=30&currentlyPlayingCollection=The%20Big%20Interview&currentlyPlayingVideoId={8C68BB43-40C0-47F0-A961-CA7E20E37667}