The FBI and the U.S. Justice Department on Wednesday began dismantling an international ring of thieves who stole hundreds of millions of dollars worldwide by infecting over 2.3 million computers with malicious software. It was the biggest such enforcement action U.S. authorities have ever taken against cybercriminals.
FBI officials said investigators were able to execute a digital sting of their own — taking control of several of the malicious computer servers and sending commands to make them stop transferring pirated data.
Millions of dollars were stolen from U.S. computer users, said the officials, who spoke on condition of anonymity because the investigation is continuing.
The investigators were trying to contain a malware program called Coreflood, which has been around for at least a decade and can record key strokes, allowing cybercriminals to take over unsuspecting computers and steal passwords, banking and credit card information.
5 servers seized
Investigators seized five major computer servers that were controlling hundreds of thousands of infected computers, and also seized 29 domain names used by the botnet to communicate with those servers. A botnet is a network of infected computers.
What's a botnet?
Originally, "bots" were benign tools used by programmers to perform repetitive tasks on the web. However, they've been adopted by online criminals and used to create botnets, or robot networks — groups of internet-linked computers that have been commandeered to perpetrate all kinds of online nastiness. Typically, a bot is installed on a machine through a trojan, an insidious program that can find its way into a personal computer or server in a variety of ways — such as when a user clicks a link to an infected web page, views an infected document or e-mail message, or runs an infected program. The owner is usually an unwitting victim who has no idea their machine has been infected and turned into a so-called "zombie."
Once the bot has made itself at home, it opens the doors of its new host computer to its master who can remotely instruct the machine to engage in a variety of nefarious activities, such as sending out spam and phishing e-mails, sending messages to infect more computers or launching distributed denial of service (DDOS) attacks against websites. In some cases, these programs can steal personal data, credit information and passwords that can be used for identity theft or to raid online bank accounts.
Describing the operation, FBI officials said they essentially broke the link between the cyberthieves and the infected computers.
When the malware sent a message back to the Coreflood control sites asking what to do with all the data it had gathered from a computer, investigators responded with their own message: Send nothing. Shut down.
As a result, FBI officials said they are comfortable that a significant portion of the Coreflood botnet has been disabled, but the program is still running on the infected computers.
Officials said they did not notify computer owners that they had been compromised, and no personal information was gathered by U.S. officials during the digital communications.
The malware exploits a vulnerability in computers running Windows operating systems and allows those that are infected to be controlled remotely. And some 1.8 million of the infected computers are in the United States; the remainder in countries around the world.
13 accused in civil complaints
Thirteen defendants, identified only as John Does, were accused in a civil complaint of engaging in wire fraud, bank fraud and illegal interception of electronic communications. Officials would not say what country the attack came from, but agreed it was consistent with cybercrime activity from Eastern Europe.
The court order authorized the government to respond to signals sent from infected computers in the U.S., a move designed to stop the Coreflood software from running. The purpose is to prevent further harm to hundreds of thousands of unsuspecting users of infected computers.
The thieves engaged in wire transfers from the infected computers to steal $115,000 from a Michigan real estate company; $78,000 from a law firm in South Carolina; $151,000 from an investment company in North Carolina; and $241,000 from a defense contractor in Tennessee.
The exact extent of the financial loss caused by the Coreflood botnet is not known, because of the large number of computers infected and the quantity of data stolen.
Computer users can go to the Microsoft website to learn how to clean the malware from their computers.