Gov't Persists in Shutting Down Infected Windows PCs

Dennis Faas's picture

Government officials say they'll need more time to tackle a major network of infected Windows computers. The request comes as more details emerge about just how widely affected major organizations were by the Coreflood botnet.

Zombie Windows PCs Steal Over $100 Million

Those responsible had used a Windows-based virus to seize remote control of more than two million machines, most of which were located in the US. The machines were then ordered to collect and transmit confidential data, with one independent estimate suggesting more than $100 million may have been stolen as a result.

The FBI and Department of Justice then went to court and were granted temporary control over web servers and domain names related to the botnet. By taking control of the servers, it allowed officials to prevent and essentially block infected machines from receiving further instructions from the virus creators.

Feds Hunt Down Infected Machines

As well as encouraging anti-virus manufacturers to release fixes for the virus -- a much easier task when the virus itself isn't being constantly updated and revised -- the FBI has been actively seeking out those whose computers have been affected. Officials have supplied the IP addresses known to be affected, with Internet providers translating that to individual customers and passing on warnings.

Government lawyers say that work has had a dramatic effect, with the number of daily "calls" by infected computers to the seized servers falling from 800,000 to 100,000. It's not possible to directly correspond that to a number of infected machines, but it's clear there's a significant drop.

Remote Deletion of Botnet: The New Strategy

Lawyers say they need additional time to tackle the problem and have requested a 30-day extension to their legal authority over the command-and-control servers.

Government officials say they want to try a strategy of updating the commands sent by the servers to tell the computers to completely uninstall the virus. Because that means actively changing the configuration of the infected computers, it will only be allowed where a computer owner has specifically requested the action take place. That could prove to be difficult, because most owners of infected machines don't even know their machines are infected in the first place. (Source:

To help gain support for the 30-day extension, officials have provided a flavor of the extent of the infection: they say Coreflood has been found on at least 17 government agency networks, 30 colleges and universities, five banks and 20 hospital and healthcare companies.

In the case of one hospital, 2,000 of the total 14,000 computers at the facility were infected. (Source:

Rate this article: 
No votes yet