Hijacking the Coreflood Botnet
Earlier this month, the FBI seized control of the Coreflood botnet and shut it down:
According to the filing, ISC, under law enforcement supervision, planned to replace the servers with servers that it controlled, then collect the IP addresses of all infected machines communicating with the criminal servers, and send a remote “stop” command to infected machines to disable the Coreflood malware operating on them.
This is a big deal; it’s the first time the FBI has done something like this. My guess is that we’re going to see a lot more of this sort of thing in the future; it’s the obvious solution for botnets.
Not that the approach is without risks:
“Even if we could absolutely be sure that all of the infected Coreflood botnet machines were running the exact code that we reverse-engineered and convinced ourselves that we understood,” said Chris Palmer, technology director for the Electronic Frontier Foundation, “this would still be an extremely sketchy action to take. It’s other people’s computers and you don’t know what’s going to happen for sure. You might blow up some important machine.”
I just don’t see this argument convincing very many people. Leaving Coreflood in place could blow up some important machine. And leaving Coreflood in place not only puts the infected computers at risk; it puts the whole Internet at risk. Minimizing the collateral damage is important, but this feels like a place where the interest of the Internet as a whole trumps the interest of those affected by shutting down Coreflood.
The problem as I see it is the slippery slope. Because next, the RIAA is going to want to remotely disable computers they feel are engaged in illegal file sharing. And the FBI is going to want to remotely disable computers they feel are encouraging terrorism. And so on. It's important to have serious legal controls on this sort of counterattack-as-defense.
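The mechanism the filing describes has three parts: take over the C&C endpoint, record which hosts check in, and answer each check-in with a "stop" command instead of the operator's tasking. The sketch below is an added example written for this page, not code from the post, from ISC, or from the Coreflood takedown; the `BEACON ...` line format, the `CMD STOP`/`CMD NOOP` replies, the bot IDs and version strings are all assumptions, and the sample beacons are constructed. It also shows one way to act on Palmer's objection above: only bots reporting a build that was actually reverse-engineered get the stop command, everything else is logged and told to do nothing.

```python
"""Toy sinkhole for a hypothetical bot beacon protocol (added example; the
wire format is an assumption and is not Coreflood's real protocol).

Steps from the filing: (1) the sinkhole now owns the C&C endpoint, (2) it
records the source IP of every infected host that checks in, (3) it replies
with a 'stop' command instead of the operator's usual tasking.
"""
import ipaddress
from dataclasses import dataclass, field

# Hypothetical wire format, one line per check-in:
#   BEACON <bot_id> <build_version> <source_ip>
BEACON_PREFIX = "BEACON"
STOP_COMMAND = "CMD STOP\n"   # disable the malware on this host
NOOP_COMMAND = "CMD NOOP\n"   # keep the bot idle, do nothing risky


@dataclass
class Sinkhole:
    # Builds we reverse-engineered and tested the stop command against.
    # Anything else is an unknown quantity on someone else's machine, so it
    # only gets NOOP (Palmer's objection, turned into a policy).
    known_versions: frozenset
    seen: dict = field(default_factory=dict)   # bot_id -> set of source IPs
    stops_sent: set = field(default_factory=set)
    rejected: int = 0                          # non-protocol traffic (scanners, garbage)

    def handle(self, line: str) -> str:
        """Process one beacon line; return the reply to send ('' = drop)."""
        parts = line.strip().split()
        if len(parts) != 4 or parts[0] != BEACON_PREFIX:
            self.rejected += 1
            return ""                  # not our protocol: never guess, just drop
        _, bot_id, version, src = parts
        try:
            ip = ipaddress.ip_address(src)
        except ValueError:
            self.rejected += 1
            return ""
        # Step 2: collect the IP addresses of infected machines.
        self.seen.setdefault(bot_id, set()).add(str(ip))
        if version not in self.known_versions:
            return NOOP_COMMAND        # untested build: log it, do not touch it
        if bot_id in self.stops_sent:
            return NOOP_COMMAND        # idempotent: one stop per bot, then stay quiet
        # Step 3: send the remote stop command over the existing channel.
        self.stops_sent.add(bot_id)
        return STOP_COMMAND

    def infected_ips(self) -> list:
        """Deduplicated, sorted list of every IP that has checked in."""
        return sorted({ip for ips in self.seen.values() for ip in ips})


# Constructed sample traffic using RFC 5737 documentation addresses.
SAMPLE_BEACONS = [
    "BEACON bot-0001 2.1 203.0.113.5",
    "BEACON bot-0002 2.1 198.51.100.7",
    "BEACON bot-0001 2.1 203.0.113.5",   # same bot checking in again
    "BEACON bot-0003 9.9 192.0.2.44",    # build we never analysed
    "GET / HTTP/1.1",                    # scanner noise hitting the sinkhole
    "BEACON bot-0004 2.1 not-an-ip",     # malformed beacon
]


def run_demo():
    """Feed the sample beacons through a sinkhole; return (sinkhole, replies)."""
    sink = Sinkhole(known_versions=frozenset({"2.1"}))
    replies = [sink.handle(line) for line in SAMPLE_BEACONS]
    return sink, replies


if __name__ == "__main__":
    sink, replies = run_demo()
    for line, reply in zip(SAMPLE_BEACONS, replies):
        print(f"{line!r:40} -> {reply.strip() or '(dropped)'}")
    print("infected hosts:", sink.infected_ips())
    print("stops sent:", sorted(sink.stops_sent), "rejected:", sink.rejected)
```

The design choice worth noticing is that the sinkhole never initiates anything: it only answers connections the malware was already going to make, which is the distinction between using the existing C&C channel and breaking into a machine. The version gate and the one-stop-per-bot rule are where the "don't blow up some important machine" concern actually gets enforced.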
Mike B • May 2, 2011 7:05 AM
I think there is a big difference between disabling a computer using the rogue command and control channel that is already on the box and hacking into the machine to install your own malware. In the case of a botnet every zombie box is capable of taking orders from a criminal enterprise. The FBI used this existing channel to shut down the enterprise. It's a pretty large leap to go from that to using government-sponsored zero-day attacks to take control of arbitrary machines at the behest of the RIAA. For one, such machines don't have centralized C&C, so attempting to carry out such a plan would be impractical.