In an unusual move, federal authorities will be contacting computer users with systems infected by the Coreflood botnet Trojan and asking them to agree to allow them to send commands to the malware so it will delete itself. The move comes in the wake of a coordinated takedown earlier this month by the FBI and other authorities, in which the U.S. government essentially substituted its own command-and-control servers in place of those used by Coreflood and issued commands telling the program to shut down on infected PCs. The move reduced activity from the Coreflood botnet by about 90 percent in the United States and by nearly 75 percent worldwide. However, infected PCs still have dormant Coreflood software on them, and the feds would like to get rid of it.
A U.S. District Judge approved the Department of Justice’s request for a preliminary injunction that authorizes the action, giving authorities until May 25 to contact owners of systems infected by Coreflood and obtain consent to remotely remove it from their machines. However, the DOJ actually argued it didn’t need a judge’s permission to move on its deletion campaign, since it will be seeking written consent from owners of infected systems before going through with the deletion.
“Based upon technical evaluation and testing, the Government assesses that the command sent to the Coreflood software to stop running will not cause any damage to the victim computers on which the Coreflood software is present, nor will it allow the Government to examine or copy the contents of the victim computers in any fashion,” the Department of Justice wrote in its request. However, the government also notes there are no guarantees, and that the uninstall process might have unexpected effects.
Federal authorities have not specified how many machines they have identified as candidates for a remote wipe of Coreflood. Industry estimates of the size of the Coreflood botnet at the time of its takedown were between 2 million and 2.5 million systems.
The DOJ argues that removing Coreflood quickly from infected systems is important, as new variants of Coreflood are already appearing, increasing the probability that new malware will be able to evade detection, removal tools, or re-capture now-dormant machines. The FBI says in many cases it has already identified infected computers by IP address and identified possible owners based on that information.