Epsilon Aftermath: How to get ahead of spear phishing
Lessons learned from Amazon/AWS outage

Coreflood: A techie tour of the Complaint

A US Federal Court judge granted the Justice Department (DOJ) a temporary restraining order (TRO) and with it, the rights to seize  domain names of the Coreflood botnet. The TRO also granted rights to seize the command and control (C&C) servers and replace these with sanctioned servers. The sanctioned servers, operated on behalf of the DOJ by the Internet Systems Consortium (ISC), emulated Coreflood's C&C communications with the Coreflood bots (infected computers) and sent instructions to the bots to go idle (stop).

Wired provides a summary of the post-restraining order activities of the DOJ, ISC, et. al. Gary Warner's CyberCrime & Doing Time provides a more technical breakdown. Gary's column discusses how the Coreflood temporary restraining order  expands on prior court rulings that granted the use of sinkholes to allow ISC's sinkhole to impersonate the C&C (irony here) and direct the bots to shut down.

This is certainly a compelling element of the TRO, but techies and in particular, anyone who is interested in anticrime activities may also want to take note of some of the language in the complaint itself.

Coreflood: the Defendants

The complaint lists only John Does, but explains later  (Paragraphs 7, 20) that the Defendants are only known as the registrants of a set of domain names and that the Defendants "registered the Coreflood Domains using stolen or fictitious identities, or using services that shield the name of the nominal registrant from public view. On information and belief, the Defendants are located outside the United States."

The services this clause describe as "shielding" the Defendant's names are known as privacy protection services. 


It's worth noting that the DOJ calls attention to the misuse of these services (Abuse 1, Abuse 2). Goverments and law enforcement agencies have recommended changes to ICANN's current policies regarding privacy protection services to mitigate these abuses (RAA1, RAA2, RAA3). 

Civil Action

Paragraph 1 of the complaint asserts that this is a civil action, not a criminal action (Action 1, Action 2). A branch of the US government is bringing a civil suit to federal court claiming that the defendants have violated federal statutes. In this case, the Defendants  are accused of distributing and using malware to commit "wire fraud, bank fraud, and unauthorized interception of electronic communications". This is a civil action intended to remedy harm from alleged criminal acts, not a criminal indictment for the alleged criminal acts.

"Law Tech" Description of Coreflood

Paragraphs 2 -7 and 15-23 of the complaint provide a low tech description of Coreflood including a brief overview of what a botnet is and how bots are controlled by C&Cs. The attorney who prepared the complaint effectively explains how IP addresses were used to initially identify the C&Cs, how these addresses were used to obtain the domain names, how  the infected computers used these domain names to contact the C&Cs and, how registration (Whois) information was used to identify the John Doe Defendants.

Paragraph 22 is particularly important. It describes a behavior of the Coreflood trojan that runs on infected computers that supports the substitution of sanctioned servers in place of the Coreflood servers and justifies allowing the ISC-controlled servers to send "stop" commands to the bots  (read Gary Warner's column).



Paragraphs 8 and 10 establish jurisdiction. The complaint identfies the Defendants as foreign nationals" but cites Title 18, United States Code, Section 1345(a)(1), Injunctions Against Fraud and Title 28, United States Code, Sections 1331 & 1345, diversity of citizenship instances in civil actions to hold the defendants subject to the US Federal Court jurisdiction on the basis that the defendants used infected computers located in the United States to perpetrate fraud. In this case, the jurisdiction was determined to lie where the acts were committed, not where the perpetrators were at the time they were committed. (I'm told by a colleague that the legal nexus of the crime can be in either place and that it is sometimes contested but here the jurisdiction is US and the nexus is Connecticut since at least one victim does business there.)

Schemes to Defraud

Paragraphs 10 through 14 describe the schemes to defraud. The attorneys step through the elements of the fraud, identify the victims and the harms inflicted.

Sadly, the Assistant US Attorney couldn't resist playing the "threat to national security" card when he explained what a botnet is.

While the attorneys cited a small number of tangible loss cases, they also cite ongoing harm to the owners of the infected computers. It's heartening to see this argument used to support a civil action.


Paragraphs 24-32 list the counts of the complaint. The wire fraud count is based on the defendants having devised a scheme to defraud and consequently used the Internet to transmit "writings, signs, and signals for the purpose of executing such scheme.. in interstate and foreign commerce". A count of bank fraud follows: "Defendants did knowingly execute a scheme and artifice to defraud a financial institution." A third count, unauthorized interception of electronic communications, covers keylogging, traffic capture and other information gathering that C&C's could instruct bots to perform.

Temporary Restraining Order

The complaint requests a TRO for each count and then asks the court to issue the following against the "Defendants and all those receiving notice thereof, including the Domain Service Providers":

1. A temporary restraining order and preliminary injunction that prohibits the Defendants (a) from using Coreflood to engage in wire fraud, bank fraud, or unauthorized interception of electronic communications, and (b) from running Coreflood on any computers not owned by the Defendants, by authorizing the operation of a substitute command and control server to give effect to the Court's orders;
2. A permanent injunction that requires the Defendants to uninstall Coreflood on any computers not owned by the Defendants and authorizes the operation of a substitute command and control server to give effect to the Court's orders; and
3. Such other relief as the Court deems just and proper.

This is noteworthy because it asks the Court to grant a broad remit in order to remedy the acts, including remote control of infected computers.

What Does the Future Hold?

The seizure and substitutions have played out; however,  consider how the action may influence future takedowns. The action calls attention to inaccurate Whois and misuse of privacy protection services in a very public way. This may affect policy changes to Whois and domain registration services. It grants permission to issue commands to software running on millions of personal and business computers and instructs the Defendants to uninstall software associated with the fraud. This is beneficial in the case of Coreflood, but the grant raises questions as well. Under what circumstances should governments instruct software on privately owned or business computer systems? What if the instructions don't produce the desired result? What if the instructions cause harm? How has the government reconciled its apparent actions here with the commission of crimes described in Title 18, United States Code, Section 1030 (a) (2): “intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains— (C) information from any protected computer"?

For me, the most intruiging issue is "What will malware writers and scammers do to counter this measure?"


Feed You can follow this conversation by subscribing to the comment feed for this post.

Verify your Comment

Previewing your Comment

This is only a preview. Your comment has not yet been posted.

Your comment could not be posted. Error type:
Your comment has been saved. Comments are moderated and will not appear until approved by the author. Post another comment

The letters and numbers you entered did not match the image. Please try again.

As a final step before posting your comment, enter the letters and numbers you see in the image below. This prevents automated programs from posting comments.

Having trouble reading this image? View an alternate.


Post a comment

Comments are moderated, and will not appear until the author has approved them.

Your Information

(Name is required. Email address will not be displayed with the comment.)