Friendly takeover: FBI controls bot PCs
On Tuesday evening the FBI took control of the Coreflood botnet, and in doing so took a step that is likely to prompt considerable debate among security experts: the US authorities are temporarily intervening on victims' computers to neutralise the malware. When an infected PC tries to contact its command-and-control server, it now reaches a server run by the FBI, which responds with a command that stops the bot. The malware is not removed by this, however; it is merely disabled until the system next reboots.
Investigators frequently take command-and-control servers offline, and security researchers have repeatedly gained control of entire botnets. Actively intervening on infected computers, however, has been considered taboo, even when the only aim is to remove malware, partly because such actions can cause considerable damage. If an uninstallation goes wrong, victims, who may not even have known they were infected, could find that their systems no longer boot, and important data could be lost. The FBI intends to prevent such damage by analysing the infection thoroughly in advance.
The legal situation is also unclear. A similar case caused a stir last October when the Dutch authorities pulled the plug on the Bredolab botnet. The Dutch used the botnet's own infrastructure to place a file on infected computers that took victims to a website displaying a warning and advice on how to remove the malware.
According to Wired.com, the Coreflood botnet taken over by the FBI had been in operation for almost ten years and infected more than two million computers over that time, most of them in the US. More recently the malware had been primarily harvesting its victims' credentials, such as online banking logins, and the resulting losses were considerable in some cases: the FBI says that a defence contractor in Tennessee lost nearly $250,000.