/v3-uk/analysis/2044502/coreflood-botnet-shutdown-raises-concerns-government-tactics
19 Apr 2011, Iain Thomson , V3
Last week's Coreflood botnet shutdown looks to have been successful, but the case raises some interesting questions about how the fight against computer crime will be handled in the future.
Coreflood was a large botnet that had infected over two million PCs around the world. The code to control it has been around for nearly a decade, and some estimates suggest that it was responsible for up to a third of spam at one point.
Coreflood was a good target for shutdown, but the way that the FBI and Department of Justice acted was unusual.
After identifying the botnet's command-and-control (C&C) servers, federal agents replaced them with their own systems. These waited for infected machines to register with the servers, and then sent out a message to the malware telling it to shut down.
Noa Bar-Yosef, senior security strategist at Imperva, told V3.co.uk that the researchers/federal agents had approached the task in an interesting way.
"The alternative C&C server is going to log all IPs interacting with it. With these lists in hand they're planning to work with ISPs so that the ISPs can inform their customers that they are infected," he said.
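The log-and-notify plan described above is essentially a sinkhole workflow: the replacement server records every IP that checks in, and those records are later grouped by network owner so that each ISP can be told which of its customers are infected. The following Python is an added illustration of that defender-side processing and is not code from V3, the FBI or the Coreflood investigation; the log line format, the sample addresses (RFC 5737 documentation ranges) and the ISP prefix table are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample sinkhole log (not real data): timestamp, source IP, bot id, event.
# One host checks in twice, and one line is deliberately malformed.
SINKHOLE_LOG = """\
2011-04-13T02:11:05Z 198.51.100.23 bot=4f2a check-in
2011-04-13T02:11:09Z 198.51.100.23 bot=4f2a check-in
2011-04-13T02:12:40Z 203.0.113.77 bot=91c0 check-in
2011-04-13T02:13:02Z 192.0.2.5 bot=b7e1 check-in
2011-04-13T02:14:55Z 203.0.113.130 bot=0d3c check-in
2011-04-13T02:15:10Z garbage line
"""

# Hypothetical ISP allocation table (assumed, not from the article): prefix -> abuse contact.
ISP_PREFIXES = {
    "198.51.100.0/24": "abuse@isp-a.example",
    "203.0.113.0/25": "abuse@isp-b.example",
    "203.0.113.128/25": "abuse@isp-c.example",
}


def parse_checkins(log_text):
    """Return {ip: {"first": ts, "last": ts, "count": n}} for every host that checked in.

    Malformed lines and lines with an unparsable address are skipped rather than
    aborting the run, since a sinkhole log will contain junk from scanners.
    """
    hosts = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[3] != "check-in":
            continue
        ts, ip = parts[0], parts[1]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue
        rec = hosts.setdefault(ip, {"first": ts, "last": ts, "count": 0})
        rec["last"] = ts
        rec["count"] += 1
    return hosts


def group_by_isp(hosts, prefixes):
    """Map each abuse contact to a sorted list of infected IPs in its prefixes.

    Addresses that match no known prefix are collected under "unassigned" so they
    are not silently dropped from the notification run.
    """
    nets = [(ipaddress.ip_network(p), contact) for p, contact in prefixes.items()]
    groups = defaultdict(list)
    for ip in hosts:
        addr = ipaddress.ip_address(ip)
        contact = next((c for net, c in nets if addr in net), "unassigned")
        groups[contact].append(ip)
    return {c: sorted(ips) for c, ips in groups.items()}


def notification_summary(log_text, prefixes):
    """Return {contact: number_of_infected_hosts}, the figure each ISP would be sent."""
    hosts = parse_checkins(log_text)
    return {c: len(ips) for c, ips in group_by_isp(hosts, prefixes).items()}


if __name__ == "__main__":
    for contact, ips in group_by_isp(parse_checkins(SINKHOLE_LOG), ISP_PREFIXES).items():
        print(f"{contact}: {', '.join(ips)}")
```

Deduplicating on IP before grouping matters because a bot typically checks in repeatedly; counting raw log lines would overstate the infection figure handed to each ISP. In practice the prefix table would come from WHOIS or BGP data rather than a literal dictionary, and dynamic addressing means an IP observed days earlier may no longer belong to the same customer, so the first/last timestamps are worth passing on with the address.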
The tactics differ sharply from those used in the Rustock botnet shutdown last month. There, the C&C servers were simply replaced with blank drives, with the help of federal agents, and the malware servers were taken away for analysis. Such a technique is non-intrusive compared with the government's approach to Coreflood.
The Electronic Frontier Foundation (EFF) and others have reportedly objected to the tactics, since they set a legal precedent.
If the principle of allowing an official agency to use malware to download code onto infected systems becomes accepted, IT managers and individuals face difficult times ahead.
From an enterprise perspective, administrators face a severe problem on top of the malware infection itself. Getting a system infected is bad enough, but having software installed by investigators, which may or may not conflict with corporate systems, is a huge headache from an administration and compliance perspective.
Looking further ahead, there is a problem with 'mission-creep', as certain military types call it. If this is allowed for botnet shutdowns, then what next? Will copyright infringement be combated by feeding obviously pirated content which contains identification software?
Such systems are not beyond the realms of possibility; the Sony rootkit fiasco showed that there are many people who would love to set such systems in place.
Sony's little excursion into the area showed that there are many who would like to involve a whole range of software techniques to investigate alleged wrongdoing.
If a pirated file allows the copyright owner to scan the machine involved, a whole legal minefield is opened up for administrators. Having third-party software scan your network is bad enough. But if blocking such code is seen as aiding and abetting crime, IT managers face difficult questions.
The shutdown of the Coreflood network is no bad thing, but it raises all sorts of worrying possibilities. IT managers need to be on their guard and talk to legal departments to formulate policies that don't leave their employers exposed.