infoTECH Feature

April 27, 2011

Authorities to Uninstall the Botnet from Infected PCs

The FBI has declared war against the Coreflood botnet Trojan and has announced its latest plan to remotely uninstall the botnet from some infected Windows PCs in the next four weeks. This stage will begin once the owners have been identified by the Department of Justice (DOJ) and have submitted an authorization form to the FBI.

For the past month, the DOJ has been running a campaign aimed at dismantling the botnet, which controls more than two million compromised computers. Recently, the FBI identified computers that are infected, and those computers will be the first to experience the remote uninstall feature.

Two weeks ago, the DOJ and the FBI made headway in this attempt when they obtained an unprecedented temporary restraining order allowing them to seize five command-and-control (C&C) servers that managed Coreflood, according to a NetworkWorld report. Since then, the U.S. Marshals Service has operated substitute C&C servers that have disabled the bot on most infected PCs.

This progress has helped reduce Coreflood infections by 90 percent in the U.S. and almost 75 percent in other countries. But, according to reports, this is just the beginning of the feds' battle against the botnet.

"Additional time is needed, however, both to allow more antivirus vendors to release virus signatures for Coreflood and to complete the process of notifying Coreflood victims," the DOJ said in a memorandum filed Saturday.

The DOJ’s request for a preliminary injunction was granted on Monday by U.S. District Court Judge Vanessa Bryant; it expires May 25.

"While the proposed preliminary injunction is in effect, the Government also expects to uninstall Coreflood from the computers of Identifiable Victims who provide written consent," said the DOJ in the memo.

The DOJ added that it is not required to ask Bryant for permission before making its next move.

"The Government is not requesting explicit authorization from the Court to do so, because the written consent form obviates the need for such authorization," DOJ lawyers said.

As the authorities get ready for the next phase of remotely uninstalling the botnet, a process that should be successful according to test results, they are worried about the possibility that the uninstall command will produce adverse effects. In the process of eradication, for example, the infected computers may become even more damaged.

FBI Special Agent Briana Neumiller, who has been involved in the Coreflood investigation and takedown, expressed her concern over the uninstall feature.

"Removing Coreflood in this manner could be used to delete Coreflood from infected computers and to 'undo' certain changes made by Coreflood to the Windows operating system when Coreflood was first installed," Neumiller said. "The process does not affect any user files on an infected computer, nor does it ... access any data on the infected computer."
