A US Federal Court judge granted the Justice Department (DOJ) a temporary restraining order (TRO) and with it, the rights to seize domain names of the Coreflood botnet. The TRO also granted rights to seize the command and control (C&C) servers and replace these with sanctioned servers. The sanctioned servers, operated on behalf of the DOJ by the Internet Systems Consortium (ISC), emulated Coreflood's C&C communications with the Coreflood bots (infected computers) and sent instructions to the bots to go idle (stop).
Wired provides a summary of the post-restraining order activities of the DOJ, ISC, et. al. Gary Warner's CyberCrime & Doing Time provides a more technical breakdown. Gary's column discusses how the Coreflood temporary restraining order expands on prior court rulings that granted the use of sinkholes to allow ISC's sinkhole to impersonate the C&C (irony here) and direct the bots to shut down.
This is certainly a compelling element of the TRO, but techies and in particular, anyone who is interested in anticrime activities may also want to take note of some of the language in the complaint itself.
It's worth noting that the DOJ calls attention to the misuse of these services (Abuse 1, Abuse 2). Goverments and law enforcement agencies have recommended changes to ICANN's current policies regarding privacy protection services to mitigate these abuses (RAA1, RAA2, RAA3).
Paragraph 1 of the complaint asserts that this is a civil action, not a criminal action (Action 1, Action 2). A branch of the US government is bringing a civil suit to federal court claiming that the defendants have violated federal statutes. In this case, the Defendants are accused of distributing and using malware to commit "wire fraud, bank fraud, and unauthorized interception of electronic communications". This is a civil action intended to remedy harm from alleged criminal acts, not a criminal indictment for the alleged criminal acts.
"Law Tech" Description of Coreflood
Paragraphs 2 -7 and 15-23 of the complaint provide a low tech description of Coreflood including a brief overview of what a botnet is and how bots are controlled by C&Cs. The attorney who prepared the complaint effectively explains how IP addresses were used to initially identify the C&Cs, how these addresses were used to obtain the domain names, how the infected computers used these domain names to contact the C&Cs and, how registration (Whois) information was used to identify the John Doe Defendants.
Paragraphs 8 and 10 establish jurisdiction. The complaint identfies the Defendants as foreign nationals" but cites Title 18, United States Code, Section 1345(a)(1), Injunctions Against Fraud and Title 28, United States Code, Sections 1331 & 1345, diversity of citizenship instances in civil actions to hold the defendants subject to the US Federal Court jurisdiction on the basis that the defendants used infected computers located in the United States to perpetrate fraud. In this case, the jurisdiction was determined to lie where the acts were committed, not where the perpetrators were at the time they were committed. (I'm told by a colleague that the legal nexus of the crime can be in either place and that it is sometimes contested but here the jurisdiction is US and the nexus is Connecticut since at least one victim does business there.)
Schemes to Defraud
Paragraphs 24-32 list the counts of the complaint. The wire fraud count is based on the defendants having devised a scheme to defraud and consequently used the Internet to transmit "writings, signs, and signals for the purpose of executing such scheme.. in interstate and foreign commerce". A count of bank fraud follows: "Defendants did knowingly execute a scheme and artifice to defraud a financial institution." A third count, unauthorized interception of electronic communications, covers keylogging, traffic capture and other information gathering that C&C's could instruct bots to perform.
Temporary Restraining Order
The complaint requests a TRO for each count and then asks the court to issue the following against the "Defendants and all those receiving notice thereof, including the Domain Service Providers":
1. A temporary restraining order and preliminary injunction that prohibits the Defendants (a) from using Coreflood to engage in wire fraud, bank fraud, or unauthorized interception of electronic communications, and (b) from running Coreflood on any computers not owned by the Defendants, by authorizing the operation of a substitute command and control server to give effect to the Court's orders;
2. A permanent injunction that requires the Defendants to uninstall Coreflood on any computers not owned by the Defendants and authorizes the operation of a substitute command and control server to give effect to the Court's orders; and
3. Such other relief as the Court deems just and proper.
This is noteworthy because it asks the Court to grant a broad remit in order to remedy the acts, including remote control of infected computers.
What Does the Future Hold?
The seizure and substitutions have played out; however, consider how the action may influence future takedowns. The action calls attention to inaccurate Whois and misuse of privacy protection services in a very public way. This may affect policy changes to Whois and domain registration services. It grants permission to issue commands to software running on millions of personal and business computers and instructs the Defendants to uninstall software associated with the fraud. This is beneficial in the case of Coreflood, but the grant raises questions as well. Under what circumstances should governments instruct software on privately owned or business computer systems? What if the instructions don't produce the desired result? What if the instructions cause harm? How has the government reconciled its apparent actions here with the commission of crimes described in Title 18, United States Code, Section 1030 (a) (2): “intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains— (C) information from any protected computer"?
For me, the most intruiging issue is "What will malware writers and scammers do to counter this measure?"