The update, issued this week, helps the software giant clamp down on new infections, crippling the botnet’s ability to regenerate and release new variants. The update comes after the FBI and the Department of Justice, in an unprecedented move, obtained a court order to seize command-and-control servers and direct the botnet to terminate its processes on victims’ machines in the U.S.
Microsoft said the latest MSRT tool contains malware signatures that can detect variants of Afcore that the criminals released at approximately the same time as the previous edition of MSRT. The previous version was updated on April 12 during Microsoft’s regular patch cycle, Jeff Williams, principal group program manager, wrote in the Microsoft Malware Protection Center blog.
“We can, and will, release MSRT as needed to support takedown activities or other times when the impact will be potentially significant,” Williams wrote. “This additional release is on request and we welcome other requests in the future.”
Williams added that the latest release also includes additional botnet detection capabilities for other malware families. The update also adds malware signatures for Microsoft Security Essentials and the Forefront products.
The Coreflood botnet is a serious threat to corporate networks because cybercriminals have designed it to target networks hosting multiple computers. Once infected, the botnet acts as a vacuum cleaner, using a keylogger to record keystrokes and sucking up financial data and sensitive company information, including intellectual property.
Law enforcement officials got U.S.-based hosting providers to shut down rogue Coreflood command-and-control servers. Officials seized five command-and-control servers and 29 domain names used by the botnet.
Coreflood has been a thorn in the side of security researchers and law enforcement agencies for its ability to spread quickly and remain virtually undetectable on victims’ machines. The botnet has been building strength over the last decade and is believed to have infected more than 2 million computers worldwide.
Once a machine is infected, the Coreflood (Afcore) malware stealthily installs itself and runs in the background, stealing personal information, including account credentials and financial information, and using the infected machine as a launching pad to attack other computers.
The move by the DOJ and FBI has been questioned by some security researchers and privacy activists because law enforcement collected the IP addresses of victims’ machines and interfered directly with their processes to stop the malware. The Electronic Frontier Foundation (EFF) told Wired magazine the Coreflood action was “sketchy” and could have damaged the machines.
Paul Ducklin, head of technology at U.K.-based security vendor Sophos, wrote that the EFF’s concern is valid, but added that the law enforcement action against Coreflood seems to have been a success. In his firm’s Naked Security blog, Ducklin presented data showing a dramatic decrease in U.S.-based PCs trying to connect to Coreflood command-and-control servers.
“This may sound like a petty objection -- and perhaps, in the real world, it is -- but unless you know exactly which variant of the bot is on each PC, there is always a potential risk with trying to use a bot against itself,” Ducklin wrote. “Sending ‘stop’ commands to the infected PCs was noticeably more effective than simply cutting those PCs off from the C&C servers.”