Infected Windows PCs Steal $100M; Feds Mollify Botnet

Dennis Faas's picture

The FBI and Justice Department have shut down a network of infected Windows machines used for stealing money. The 'Coreflood' botnet was one of the largest and most longstanding networks of its type. Despite the network shutdown, the malicious software used to infect PCs remains in the wild.

Over 2 Million PCs Infected with Malicious Software

The botnet at one point held control over two million PCs which were infected by malicious software, often downloaded unknowingly by users online the Internet.

The malicious software (also known as "malware") easily penetrated Windows defenses due to a security flaw in Windows. Flaws in Windows (also known as "exploits") are discovered by security experts and patched regularly by Microsoft -- but end users need to download and install these updates regularly or their PCs remain exploitable.

Once the machines in the Coreflood botnet were infected with malicious software, they were re-programmed to snoop and collect details of a user's online activity -- including user names, passwords and credit card numbers.

Total Amount Stolen Estimated at $100 Million

As of last February, the network involved 2.33 million machines, of which 1.85 million were in the US. It's not known if that was simply a coincidence or if the software was intentionally targeted towards machines based in the United States.

One security expert estimated the total amount of money stolen may have topped $100 million. (Source:

Command And Control Structure Now Controlled By Law

Of the many users infected, a Tennessee defense contractor in particular was bilked for an estimated quarter of a million dollars due to the online scammers.

Having gathered evidence of the network's effects, officials went to court to get permission to disrupt the botnet. Lawyers filed 13 "John Doe" cases in which the lawyers give as much detail as possible about the offenders but are unable to confirm their identities.

The court awarded the officials legal authority over two elements vital to the network: the rights to use 29 specific web site domain names, and control over five web servers. (Source:

Zombie PC Network Controlled Using A Few Vital Computers

The web domains and web servers are key parts to keeping the zombie PC network alive.

The malicious software which is downloaded and installed to Windows PCs is designed so that the infected computers contact specific web sites in order to retrieve updated instructions on what to do next. This information is updated from other web servers, which is updated by the scammers that control the entire network. This "command and control" structure helps to keep the identities of the scammers hidden.

Under the court order, officials now have permission to reprogram the servers so that those updates now consist solely of an instruction to stop running the malware.

While the botnet has been severely disrupted, the malicious software that created it is still in existence and can still be spread. The officials hope, however, that their action buys some breathing room for users to catch and remove the software before the offenders can again use it to gather sensitive data.

Rate this article: 
No votes yet