FBI and DoJ action cuts Coreflood botnet activity by 90 per cent

by Iain Thomson

28 Apr 2011

Court documents released by the FBI and the US Department of Justice (DoJ) show that activity on the Coreflood botnet is down by 90 per cent in the US following last month's shutdown.

Five command-and-control servers in the US were seized by law enforcement in a co-ordinated action, and replaced with new systems which ordered infected PCs to shut down the malware they were running.

At the same time, Estonian police took similar action with servers based within their borders.

The newly released DoJ court documents (PDF) state that the servers were receiving around 800,000 messages a day from infected computers when they were seized on 13 April. Nine days later this had dropped to under 100,000, and the number is still falling steadily.

Coreflood activity is down 90 per cent in the US, and 75 per cent in the rest of the world, a difference which law enforcement attributes to the botnet being unable to contact victims outside the US or command-and-control servers overseas.

"The reduction in the size of the Coreflood botnet was attributed to two factors. First, because Coreflood was no longer running, it was no longer able to update itself and avoid detection by anti-virus software," said the DoJ.

"Second, the FBI, with the assistance of internet service providers, has made significant efforts to identify and notify the victims of Coreflood, who in turn have taken measures to remove Coreflood from thousands of infected computers."

Those infected with the malware are being notified and instructed on how to clean their systems, the DoJ said. In one case a hospital network had around 2,000 of its 14,000 computers infected.

However, the DoJ also said that it will soon reconfigure the command-and-control servers to delete the malware automatically, so long as the owner of the system has given permission.

"The government respectfully advises the court that the substitute server, or another similar server, will be configured to respond to command-and-control requests from infected computers by issuing instructions for Coreflood to uninstall itself, but only as to infected computers of identifiable victims who have provided written consent to do so," the filing reads.
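As an added illustration, not code from the court filing or from V3, the following sketches the response policy the filing describes: the substitute server answers every command-and-control request with a stop instruction by default and issues an uninstall instruction only when the requesting machine maps to a victim on the written-consent list, while logging request volume per day so the decline the DoJ reports can be measured. The victim identifiers and beacon log are constructed, and the `Beacon` record is an assumed shape, not Coreflood's real protocol.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date

# Constructed consent list: identifiers of victims whose owners have given
# written consent to the uninstall command (hypothetical IDs, not real IoCs).
CONSENTED_VICTIMS = {"victim-0007", "victim-0042"}


@dataclass(frozen=True)
class Beacon:
    """One command-and-control request as logged by the substitute server."""
    victim_id: str   # identifier assigned by the sinkhole operator, not an IP
    day: date


def sinkhole_response(beacon: Beacon, consented: set) -> str:
    """STOP is the default answer (what the April substitute servers sent).
    UNINSTALL is only ever issued to victims with recorded written consent."""
    if beacon.victim_id in consented:
        return "UNINSTALL"
    return "STOP"


def daily_beacon_counts(beacons):
    """Requests per day; the figure the DoJ filing tracks (800,000 -> <100,000)."""
    return Counter(b.day for b in beacons)


def percent_reduction(baseline: int, later: int) -> float:
    """Percentage drop between two daily counts, rounded to one decimal place."""
    if baseline <= 0:
        raise ValueError("baseline must be positive")
    return round(100.0 * (baseline - later) / baseline, 1)


def responses_by_day(beacons, consented):
    """How many STOP vs UNINSTALL answers the sinkhole would issue each day."""
    per_day = {}
    for b in beacons:
        per_day.setdefault(b.day, Counter())[sinkhole_response(b, consented)] += 1
    return per_day


# Constructed beacon log: five requests over two days, three distinct victims.
SAMPLE_BEACONS = [
    Beacon("victim-0001", date(2011, 4, 13)),
    Beacon("victim-0007", date(2011, 4, 13)),
    Beacon("victim-0042", date(2011, 4, 13)),
    Beacon("victim-0001", date(2011, 4, 22)),
    Beacon("victim-0007", date(2011, 4, 22)),
]
```

Keying consent on a stable victim identifier rather than a bare source address matters because the filing limits the uninstall command to identifiable victims, and a reused or dynamic address is not an identification.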
