The FBI’s unprecedented effort to behead the Coreflood botnet — comprising millions of hacked Windows machines — appears to be working, at least for now. The bureau has tracked a dramatic decline in the number of pings from the botnet since the takedown operation began earlier this month, according to court documents filed by the Justice Department on Saturday.
The number of pings from infected U.S. systems plummeted from nearly 800,000 to fewer than 100,000 in about a week after authorities began sending out “stop” commands to those machines — a drop of nearly 90 percent. Pings from infected computers outside the U.S. have also dropped about 75 percent, likely as a result of a parallel outreach effort to foreign ISPs.
The government’s efforts have “temporarily stopped Coreflood from running on infected computers in the United States,” writes the government in its filing, “and have stopped Coreflood from updating itself, thereby enabling anti-virus software vendors to release new virus signatures that can recognize the latest versions of Coreflood.”
The Justice Department asked the court to extend authorization for “Operation Adeona” for an additional 30 days, through May 25, so the feds can continue to temporarily disable the malware as it reports in from infected hosts. The court approved the request on Monday.
Interestingly, the new filing also hints that the government may soon formally seek court permission to take the next step, and actually instruct infected computers to permanently uninstall the malware. It would be the first time a government agency automatically removed code from Americans’ computers.
“The process has been successfully tested by the FBI on computers infected with Coreflood for testing purposes,” writes FBI Special Agent Briana Neumiller in a declaration to the court.
The takedown operation began two weeks ago, when the Justice Department obtained an unprecedented court order allowing the FBI and U.S. Marshals Service to swap out command-and-control servers that were communicating with machines infected with Coreflood — malicious software used by criminals to loot a victim’s banking accounts — and replace them with servers controlled by the FBI.
The controversial order also allowed the government to collect the IP addresses of any infected machines that subsequently contacted the FBI-controlled servers and to push out a remote “exit,” or stop, command to them to temporarily disable the Coreflood malware running on the machines.