Tuesday, April 26, 2011

FBI Take-down of Coreflood Bot-net

The week before last the FBI announced that they had taken down the Coreflood bot-net of perhaps 2 million systems by taking over the command-and-control system.

This was a major event. It demonstrated that we do not simply have to tolerate the existence of hostile networks of compromised systems. It also demonstrated that law enforcement can be effective in the Internet.

Executive Assistant Director of the FBI’s Criminal, Cyber, Response and Services Branch, Shawn Henry, said, “These actions to mitigate the threat posed by the Coreflood botnet are the first of their kind in the United States and reflect our commitment to being creative and proactive in making the Internet more secure.”

Although most people were happy to see the Coreflood bot-net go, some have expressed concern about the tactics used in its recent take-down. They are concerned that these may be seen to legitimize behavior that, after decades of debate, has finally been seen to be illegitimate.

Federal prosecutors obtained a temporary restraining order allowing them to replace several identified Coreflood command-and-control (C&C) servers with their own servers, which were then used to send shutdown commands to the Coreflood malware.

One colleague responded by saying "Remote administration without permission is 'hacking.'" I will grant him his semantics without granting him his point.

The first time I said that, and I may well have been the first to do so, I said it in response to the clever child who had created an "anti-virus virus." Of course, the same things are wrong with the idea of an anti-virus virus as with any other virus. First, like any virus, the anti-virus would not have the permission or knowledge of the target system owner.

The real problem is that, independent of the intent or motive of the author, he cannot know enough about the network to predict how his virus will behave. It is difficult enough for him to predict the behavior of his program in a single system that he controls. It is almost impossible to predict its behavior in a population of hundreds of thousands of systems connected in an arbitrary network.

The Electronic Frontier Foundation technology director, Chris Palmer, said the method "is not a safe way to go about [disabling malware] and it's divergent with standard practice."

The "standard practice" that he defends is to simply take down the command-and-control servers, while leaving the bots active. This non-standard practice may not meet Mr. Palmer's test for "safe," but it meets mine for "effective."

We rightly fear the awesome power of government. The preservation of Liberty requires constant vigilance against the abuse of that power. Our colleagues who have questioned this action are right to do so. However, the existence of the question does not imply, nor should we infer, the obvious answer.

Note that in this case, the FBI did not initiate communication with arbitrary systems. It waited until the compromised systems came to it. It did not send a program. It simply sent a command in response to a request. It sent the most conservative command, that is, "shut down": do nothing.
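The behavior described above can be modeled as a sinkhole that answers beacons and does nothing else. The following is an added illustration, not FBI or Coreflood code; the beacon format (a JSON line with a `type` field and whatever the bot asks for) is a constructed, hypothetical one, and the addresses are constructed. The point it makes is structural: the responder has no way to initiate a connection, sends no program and no addresses, and returns the same fixed "shutdown" instruction no matter what the bot requests, while keeping a record of who beaconed so that owners can later be notified.

```python
"""Sinkhole model: respond to inbound beacons with a fixed shutdown command.

Added example (not the FBI's or Coreflood's code). The beacon protocol is
hypothetical: a bot sends one JSON object per beacon, e.g.
{"type": "beacon", "id": "bot-1", "want": "update"}.
"""
import json
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# The only instruction this responder will ever emit. It carries no code and
# no alternative C&C addresses, so a bot cannot be redirected or updated by it.
SHUTDOWN_REPLY = (json.dumps({"cmd": "shutdown"}) + "\n").encode("utf-8")


@dataclass
class Sinkhole:
    # Source IP -> number of beacons seen from it (the notification list).
    seen: Dict[str, int] = field(default_factory=dict)
    # Source IPs whose traffic was not a well-formed beacon; they get no reply.
    rejected: List[str] = field(default_factory=list)

    # Note what is absent: there is no connect()/send_to() method. The sinkhole
    # cannot reach out to a host; it can only answer a host that reached it.

    def handle_beacon(self, src_ip: str, raw: bytes) -> Optional[bytes]:
        """Answer one inbound message. Returns the reply, or None if the
        message is not a beacon (malformed or unexpected traffic is ignored)."""
        try:
            msg = json.loads(raw.decode("utf-8"))
        except (UnicodeDecodeError, ValueError):
            self.rejected.append(src_ip)
            return None
        if not isinstance(msg, dict) or msg.get("type") != "beacon":
            self.rejected.append(src_ip)
            return None
        self.seen[src_ip] = self.seen.get(src_ip, 0) + 1
        # Whatever the bot asked for ("update", "new_cnc", ...), the answer is
        # the same conservative command: stop and do nothing.
        return SHUTDOWN_REPLY

    def infected_hosts(self) -> List[str]:
        """Sorted list of addresses that beaconed, for owner/ISP notification."""
        return sorted(self.seen)


def simulate() -> Sinkhole:
    """Run a constructed set of beacons through a fresh sinkhole.

    Models a bot that restarts and beacons again (it is told to shut down
    again each time), a second bot asking for a new C&C list (same answer),
    and a scanner sending junk (no reply at all).
    """
    s = Sinkhole()
    s.handle_beacon("198.51.100.7", b'{"type": "beacon", "id": "bot-1", "want": "update"}')
    s.handle_beacon("198.51.100.7", b'{"type": "beacon", "id": "bot-1", "want": "update"}')
    s.handle_beacon("203.0.113.9", b'{"type": "beacon", "id": "bot-2", "want": "new_cnc"}')
    s.handle_beacon("192.0.2.44", b"GET / HTTP/1.0\r\n\r\n")
    return s


if __name__ == "__main__":
    sink = simulate()
    print("hosts to notify:", sink.infected_hosts())
    print("beacons per host:", sink.seen)
    print("non-beacon sources ignored:", sink.rejected)
```

The model also shows the caveat in the post's closing paragraph: it only works because every bot comes to one place for instructions. A bot that takes its commands from peers rather than from a fixed server never arrives at the sinkhole, so there is no request to answer.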

It is this act which offends my friends, the purists. They are offended, in part, because the executive branch has not been explicitly authorized by the legislature to so act. However, one suspects that if the executive had asked the legislature for this authority, the same, or other, "purists" would have opposed it.

Public Safety, like information security, often involves difficult ethical choices, the lesser of evils. Sometimes it even involves the use of coercion or force. Note that government is the only institution in our society that is empowered to use force.

In this instance the executive did not act unilaterally; the FBI did get a court order. These are not vigilantes. Moreover, if they can be entrusted to use force, they can be entrusted to act in the Internet in ways that are forbidden to the ordinary citizen. That the police do something does not give the citizen license to do the same thing.

I invite my anxious colleagues to rest easy. The Internet is safer and the FBI has not gone rogue.

A final word of caution. One should not infer that all bot-nets can be brought down by the same method. Those networks that use the same collaborative protocols that are used by the file sharing programs (e.g., BitTorrent) and do not rely on out-of-band command and control will not yield to this method.

Those charged with protecting public safety and those protecting the information infrastructure will continue to be confronted with difficult ethical choices. That is why we are both called professionals and are paid the big bucks.


  1. Agree, although there is a fine line that can be easily crossed, I am all for doing more than documenting the bad things on the Internet. We need to be more proactive in disabling botnets like Coreflood. The expense to all of us which enriches the few needs to be stopped. It is way too easy for the hackers to pilfer for long periods of time and accumulate wealth by stealing. While we, the ordinary citizens, pay through higher fees and costs. I say good for the FBI!

  2. Great analysis! This is a tricky issue for much of the computer security field. Many infosec people have an innate mistrust of government, but at the same time we're engaged in stopping malicious behavior. I'm glad to see you stepping up and defending the FBI's actions here.

  3. I see two legs on which the ethics of this action stand: 1) it is minimally intrusive, since it waits for the compromised systems to send a request, and 2) it is executed by legal authority, sanctioned by a court. It is worthwhile to question how far these legs can be bent and retain ethical dignity. I suspect we will see those limits tested before long.

  4. Kudos to the FBI! I think they handled the case perfectly, they didn't send out any rogue code, they just sat back and waited for the bots to beacon back to C&C and then ordered the bot to shut down.
    The only question that I still have is, did the FBI record all of the infected IPs and send the owner a letter informing them of an infection and instructions on how to fix the machine to keep it from getting taken over by another herder?

  5. I grant you your point but not your logic. Just because the FBI was correct on this one point doesn't mean that they haven't already gone rogue. Further, just because the botnet is now down doesn't mean the internet is perceptibly safer.

  6. One thing that is important to note - the FBI has to coordinate these 'takedowns' at multiple locations within 10 seconds or so. The legal and physical coordination is probably harder than eradicating the original problem.

  7. It would seem to be like setting a back-fire to prevent the spread of a major fire. The fire fighters do this all the time. As long as the FBI sticks with the methods used in this case, I see no problem.

  8. Some interesting points. One of the things that probably concerns people is whether this is the start of a slippery slope? I think that replacing the command and control servers and just sending a "shutdown" (presumably of the malware, not the PC) is a common sense approach. I know that "common sense" cannot be easily and legally defined.
    What does shutting down a bot do? Probably nothing, but on a few PCs it might mean that the malware's defences are reduced and so imperfect AV may be able to detect/remove it.
    As pointed out in the article, it is far too risky to do a remote remove. And these days, putting up a message, no matter how you do it, looks like fake AV messages. If you log the machine details and contact the owners, this compromises privacy.
    Probably the only extra thing that could be done would be to give ISPs a list of their users who have the bot installed, and have a program with them for the ISPs to alert and help the users. This may cross the line on privacy, but as the users have signed agreements with the ISPs and the ISPs do traffic monitoring (and capping) they have a mutual interest in removing the bots.
    Although the bots will start up each time, they will go to the FBI trojan horse server and be told to shut down again. This way the bad guys don't get to reprogram the bots with a different command and control address.

    All in all, in the absence of international law governing this case, I think that the actions are a win for common sense. Remember, we are fighting an asymmetric battle with malware - the bad guys don't respect the law, but the good guys have to.

  9. Yes! I really like what the other anonymous said on May 26th. This would be a great thing if the ISPs had a program (somehow, not too invasive, just to let us know we had a problem going on). I would even be glad (GLAD) to pay the ISP extra for this extra 'service'!!! (I really think that this 'wireless' for everything is causing these problems.)