19 Apr 2011
Last week's Coreflood botnet shutdown looks to have been successful, but the case raises some interesting questions about how the fight against computer crime will be handled in the future.
Coreflood was a large botnet that had infected over two million PCs around the world. The code to control it has been around for nearly a decade, and some estimates suggest that it was responsible for up to a third of spam at one point.
Coreflood was a good target for shutdown, but the way that the FBI and Department of Justice acted was unusual.
After identifying the botnet's command-and-control (C&C) servers, federal agents replaced them with their own systems. These waited for infected machines to register with the servers, and then sent out a message to the malware telling it to shut down.
Noa Bar-Yosef, senior security strategist at Imperva, told V3.co.uk that the researchers/federal agents had approached the task in an interesting way.
"The alternative C&C server is going to log all IPs interacting with it. With these lists in hand they're planning to work with ISPs so that the ISPs can inform their customers that they are infected," he said.
The tactics differ sharply from those used in the Rustock botnet shutdown last month. The C&C servers were simply replaced with blank drives, with the help of federal agents, and the malware servers taken away for analysis. Such a technique is non-intrusive, in comparison to government tactics.
The Electronic Frontier Foundation (EFF) and others have reportedly objected to the tactics, since they set a legal precedent.
If the principle of allowing an official agency to use malware to download code onto infected systems becomes accepted, IT managers and individuals face difficult times ahead.