
Thread: Feds to remotely delete Coreflood from infected PCs

  1. #1
    Blaze

    Feds to remotely delete Coreflood from infected PCs

    In an unusual move, federal authorities will be contacting computer users with systems infected by the Coreflood botnet Trojan and asking them to agree to allow them to send commands to the malware so it will delete itself. The move comes in the wake of a coordinated takedown earlier this month by the FBI and other authorities, in which the U.S. government essentially substituted its own command-and-control servers in place of those used by Coreflood and issued commands telling the program to shut down on infected PCs. The move reduced activity from the Coreflood botnet by about 90 percent in the United States and by nearly 75 percent worldwide. However, infected PCs still have dormant Coreflood software on them, and the feds would like to get rid of it.



    A U.S. District Judge approved the Department of Justice’s request for a preliminary injunction that authorizes the action, giving authorities until May 25 to contact owners of systems infected by Coreflood and obtain consent to remotely remove it from their machines. However, the DOJ actually argued it didn’t need a judge’s permission to move on its deletion campaign, since it will be seeking written consent from owners of infected systems before going through with the deletion.

    Based upon technical evaluation and testing, the Government assesses that the command sent to the Coreflood software to stop running will not cause any damage to the victim computers on which the Coreflood software is present, nor will it allow the Government to examine or copy the contents of the victim computers in any fashion.

    Federal authorities have not specified how many machines they have identified as candidates for a remote wipe of Coreflood. Industry estimates of the size of the Coreflood botnet at the time of its takedown were between 2 million and 2.5 million systems.

    The DOJ argues that removing Coreflood quickly from infected systems is important, as new variants of Coreflood are already appearing, increasing the probability that new malware will be able to evade detection, removal tools, or re-capture now-dormant machines. The FBI says in many cases it has already identified infected computers by IP address and identified possible owners based on that information.

    Geoff Duncan – Wed Apr 27, 1:01 pm ET

  2. #2
    Nitro Express
    Very strange. I can see the government issuing a heads up warning but unless it's a national security issue, it's not the government's problem. What makes them the sole network security experts? It's a huge private industry which probably has all sorts of people you can hire to take care of the problem. The only reason the FBI should even be going after someone's computer is if they have a warrant regarding criminal activity or national security. We don't need to waste tax money on the FBI being an internet security company for the private sector.
    Last edited by Nitro Express; 04-28-2011 at 03:18 PM.

  3. #3
    chefcraig
    This is fairly spooky, for a variety of reasons. For one thing, even though you have to sign a consent form, it's still essentially like handing over the keys to your house to a stranger when you need work done. If you are not there to supervise them, you could return and find your possessions, let alone your privacy, to have been tampered with. And since they have the keys, a set of duplicates could be made allowing them access at any time. Yeah, yeah, if you have nothing to hide (or of value), you have nothing to worry about, but that still won't make you rest any easier.

  4. #4
    Nitro Express
    Plus the US Government has such an impeccable record of being trustworthy.

  5. #5
    FORD
    My machines aren't infected with the shit, but if they were, I'd clean them up myself, thanks.

  6. #6
    Hardrock69
    No shit. Were I to be contacted, I would just tell them "Give me the instructions to delete it myself".

    Seems like a fishing expedition in the guise of "helping innocent victims of this virus".

  7. #7
    Blaze
    Should the computers that have the toxic waste (Coreflood) be prevented from contaminating the Internet by some means, such as containment?

    Should private internet security companies provide a certificate of removal from the computers they monitor? What if that computer is using freeware for security monitoring?
    Last edited by Blaze; 04-28-2011 at 05:51 PM.
