« Epsilon Aftermath: How to get ahead of spear phishing | Main | Lessons learned from Amazon/AWS outage »

Thursday, 14 April 2011

Coreflood: A techie tour of the Complaint

A US Federal Court judge granted the Justice Department (DOJ) a temporary restraining order (TRO) and with it, the rights to seize  domain names of the Coreflood botnet. The TRO also granted rights to seize the command and control (C&C) servers and replace these with sanctioned servers. The sanctioned servers, operated on behalf of the DOJ by the Internet Systems Consortium (ISC), emulated Coreflood's C&C communications with the Coreflood bots (infected computers) and sent instructions to the bots to go idle (stop).

Wired provides a summary of the post-restraining order activities of the DOJ, ISC, et. al. Gary Warner's CyberCrime & Doing Time provides a more technical breakdown. Gary's column discusses how the Coreflood temporary restraining order  expands on prior court rulings that granted the use of sinkholes to allow ISC's sinkhole to impersonate the C&C (irony here) and direct the bots to shut down.

This is certainly a compelling element of the TRO, but techies and in particular, anyone who is interested in anticrime activities may also want to take note of some of the language in the complaint itself.

Coreflood: the Defendants

The complaint lists only John Does, but explains later  (Paragraphs 7, 20) that the Defendants are only known as the registrants of a set of domain names and that the Defendants "registered the Coreflood Domains using stolen or fictitious identities, or using services that shield the name of the nominal registrant from public view. On information and belief, the Defendants are located outside the United States."

The services this clause describe as "shielding" the Defendant's names are known as privacy protection services. 

 Defendants

It's worth noting that the DOJ calls attention to the misuse of these services (Abuse 1, Abuse 2). Goverments and law enforcement agencies have recommended changes to ICANN's current policies regarding privacy protection services to mitigate these abuses (RAA1, RAA2, RAA3). 

Civil Action

Paragraph 1 of the complaint asserts that this is a civil action, not a criminal action (Action 1, Action 2). A branch of the US government is bringing a civil suit to federal court claiming that the defendants have violated federal statutes. In this case, the Defendants  are accused of distributing and using malware to commit "wire fraud, bank fraud, and unauthorized interception of electronic communications". This is a civil action intended to remedy harm from alleged criminal acts, not a criminal indictment for the alleged criminal acts.

"Law Tech" Description of Coreflood

Paragraphs 2 -7 and 15-23 of the complaint provide a low tech description of Coreflood including a brief overview of what a botnet is and how bots are controlled by C&Cs. The attorney who prepared the complaint effectively explains how IP addresses were used to initially identify the C&Cs, how these addresses were used to obtain the domain names, how  the infected computers used these domain names to contact the C&Cs and, how registration (Whois) information was used to identify the John Doe Defendants.

Paragraph 22 is particularly important. It describes a behavior of the Coreflood trojan that runs on infected computers that supports the substitution of sanctioned servers in place of the Coreflood servers and justifies allowing the ISC-controlled servers to send "stop" commands to the bots  (read Gary Warner's column).

 Corefloodreboot

Jurisdiction

Paragraphs 8 and 10 establish jurisdiction. The complaint identfies the Defendants as foreign nationals" but cites Title 18, United States Code, Section 1345(a)(1), Injunctions Against Fraud and Title 28, United States Code, Sections 1331 & 1345, diversity of citizenship instances in civil actions to hold the defendants subject to the US Federal Court jurisdiction on the basis that the defendants used infected computers located in the United States to perpetrate fraud. In this case, the jurisdiction was determined to lie where the acts were committed, not where the perpetrators were at the time they were committed. (I'm told by a colleague that the legal nexus of the crime can be in either place and that it is sometimes contested but here the jurisdiction is US and the nexus is Connecticut since at least one victim does business there.)

Schemes to Defraud


Paragraphs 10 through 14 describe the schemes to defraud. The attorneys step through the elements of the fraud, identify the victims and the harms inflicted.

Sadly, the Assistant US Attorney couldn't resist playing the "threat to national security" card when he explained what a botnet is.

While the attorneys cited a small number of tangible loss cases, they also cite ongoing harm to the owners of the infected computers. It's heartening to see this argument used to support a civil action.

 Lossandharm

Paragraphs 24-32 list the counts of the complaint. The wire fraud count is based on the defendants having devised a scheme to defraud and consequently used the Internet to transmit "writings, signs, and signals for the purpose of executing such scheme.. in interstate and foreign commerce". A count of bank fraud follows: "Defendants did knowingly execute a scheme and artifice to defraud a financial institution." A third count, unauthorized interception of electronic communications, covers keylogging, traffic capture and other information gathering that C&C's could instruct bots to perform.

Temporary Restraining Order

The complaint requests a TRO for each count and then asks the court to issue the following against the "Defendants and all those receiving notice thereof, including the Domain Service Providers":

1. A temporary restraining order and preliminary injunction that prohibits the Defendants (a) from using Coreflood to engage in wire fraud, bank fraud, or unauthorized interception of electronic communications, and (b) from running Coreflood on any computers not owned by the Defendants, by authorizing the operation of a substitute command and control server to give effect to the Court's orders;
2. A permanent injunction that requires the Defendants to uninstall Coreflood on any computers not owned by the Defendants and authorizes the operation of a substitute command and control server to give effect to the Court's orders; and
3. Such other relief as the Court deems just and proper.

This is noteworthy because it asks the Court to grant a broad remit in order to remedy the acts, including remote control of infected computers.

What Does the Future Hold?

The seizure and substitutions have played out; however,  consider how the action may influence future takedowns. The action calls attention to inaccurate Whois and misuse of privacy protection services in a very public way. This may affect policy changes to Whois and domain registration services. It grants permission to issue commands to software running on millions of personal and business computers and instructs the Defendants to uninstall software associated with the fraud. This is beneficial in the case of Coreflood, but the grant raises questions as well. Under what circumstances should governments instruct software on privately owned or business computer systems? What if the instructions don't produce the desired result? What if the instructions cause harm? How has the government reconciled its apparent actions here with the commission of crimes described in Title 18, United States Code, Section 1030 (a) (2): “intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains— (C) information from any protected computer"?

For me, the most intruiging issue is "What will malware writers and scammers do to counter this measure?"

Posted at 02:37 PM in Malware |

Comments

Feed You can follow this conversation by subscribing to the comment feed for this post.

The comments to this entry are closed.

Find me on Mastodon and Facebook

Spotlight Posts

  • FTC's proposed Trade Regulation Rule on Impersonation of Government and Businesses is important for #infosec
    M3AAWG comments on the FTC's proposed rule Trade Regulation Rule on Impersonation of Government and Businesses is available. I was one of the contributors to the comment. In the comment, M3AAWG "suggests additional regulatory solutions and best practices to complement the goals of this rule, such as clarifying the scope of the rule to include the use of domain names in impersonation schemes and the use of technologies that enable impersonation" and the important role that Whois plays in investigating impersonation and fraud. Several reports that my Interisle colleagues and I published are cited in the comment, along with the...
  • Cybercrime Information Center reports sharp increases in phishing attacks, unique domains reported in August-October 2022 time period
    A recent ebb in domain names reported for phishing created some euphoria in the domain industry. With phishing activity, as with tides, ebbs are invariably followed by flows. In their August- October 2022 Quarterly Phishing Activity, the Cybercrime Information Center observed a 40% increase in phishing attacks and a nearly 20% increase in unique domain names reported for phishing.
  • Cybercrime Information Center's YouTube Channel
    My colleagues and I at Interisle have created a YouTube channel to complement the quarterly reporting and studies of cybercrime we host at the Cybercrime Information Center. Our goal is to share, in a few minutes, the findings and insights from our research in a format that's easily accessible and shareable, informative, and entertaining. The inaugural videos provide 2-5 minute summaries of our annual Phishing and Malware Landscape studies. We'll continue to produce videos of our annual studies. If you like what you see, leave us a comment.
  • Malware Landscape 2022: unabated malware growth, continued exploitation of IoT devices
    My colleagues at Interisle and I have published a study, Malware Landscape 2022: A Study of the Scope and Distribution of Malware. The study, which analyzed 2.5 million records of distinct malware events from May 2021 to April 2022 collected by the Cybercrime Information Center, explains what malware was most prevalent, where malware was served from, and what resources criminals used to pursue their attacks.
  • New TLDs are coming #Dangerclose.
    A Domain Name Wire post, Time to pay attention to the next round of new TLDs, begins with an ominous: They’re coming. Eventually. While not as dramatic or enduring as Arnold Schwarzenegger's "I'll be back", the reporter cites policy activity at ICANN as evidence that new TLDs are coming. Eventually. In a September 2019 post, and in response to the ICANN memorandum, Readiness to Support Future Rounds of New gTLDs, I asked, Has enough been done to study and rectify the concentration of security threats in the new TLD space? In that post, I quoted correspondence from ICANN's security advisory...

Search

My Photo

Categories