News this week that the US Department of Justice and FBI teamed up to dismantle the unrelenting Coreflood botnet resulted in universal cheers from the security community.
But the rare tactic authorities used to pull the plug on Coreflood -- sending commands to infected computers telling them to cease communication with command-and-control servers -- prompted some IT experts to wonder whether the federal government may have crossed the line.
"Everyone wants botnets to go away, so I'm not sad the botnet will be largely taken down," said Chris Palmer, technology director of the digital watchdog group Electronic Frontier Foundation.
"The issue is this is not a safe way to go about it, and it's divergent with standard practice. It's very dangerous."
To disrupt Coreflood, a nearly decade-old, keystroke-logging botnet blamed for stealing millions of dollars from victims' bank accounts, federal prosecutors secured a court-issued temporary restraining order to replace its five servers with substitute servers under the US Government's control. Such command and control servers sent instructions to infected machines.
That substitution, combined with successfully reverse engineering the malware's code, allowed FBI agents to deliver stop commands to compromised machines, believed to number 2.3 million.
Typically, law enforcement dismantles botnets by taking down such servers through partnerships with international authorities and internet service providers. Often, the botnets crumble for a while but rise again when a new hub is created.
However, in this case, agents climbed another rung on the enforcement ladder by directly communicating with infected systems, telling them to stop talking to the control center.
But some say they've gone too far by doing that.
"They're running the bad guy's code in hopes of getting rid of the bad guy's code," said Palmer, a former senior software engineer at Google. "That's just crazy. If nothing horrible comes of this, it will be because of a combination of sheer luck and surprising politeness on behalf of the malware authors."
Palmer said such a method can lead to "collateral damage." For example, had the Coreflood authors caught wind of the FBI sting, they may have adjusted the trojan to respond to the stop commands in a different way, such as deleting sensitive data from the machines.
But Gary Warner, director of research in computer forensics at the University of Alabama at Birmingham, who regularly interacts with Government cybercrime fighters, said he doubts such a scenario would play out.
"It could be valid if the people working this case were clueless," Warner said.
"But they are not and had deep industry review before considering this action. It's a thoroughly tested procedure. If it did harm, they wouldn't have done it."
According to court documents filed April 12 in federal court in Connecticut, the stop commands -- delivered each time a Coreflood-infected computer reboots -- will not cause any damage, nor will they give the US Government the ability to view or copy any contents on a victim's machine.
Meanwhile, HD Moore, founder of the open-source Metasploit hacking toolkit and the CSO of vulnerability management company Rapid 7, said he is less worried about the impact this operation may cause and more concerned about the precedent that it sets.
"What's scary about it is let's say in the future they want to use the same technique," he said. "It's getting the FBI involved in an area where they traditionally haven't been involved. What's stopping them from going all the way to the extreme and shutting down political discourse they don't like?"
Once they assumed control of the servers, authorities "could've done anything they wanted to" to the infected machines, said Moore, adding that many of the computers receiving commands are located outside of the United States.
Warner, however, said this was an exceptional case that had to demonstrate enough burden of proof to convince a judge to issue a temporary restraining order.
"They haven't intruded on the machine," Warner said. "They haven't done anything but tell the software to stop running itself.
"This is a good thing. Coreflood was regularly draining people's bank accounts since 2004."
This article originally appeared at scmagazineus.com