Feds To Remotely Uninstall Bot From Some PCs
CWmike writes "Federal authorities will remotely uninstall the Coreflood botnet Trojan from some infected Windows PCs over the next four weeks. Coreflood will be removed from infected computers only when the owners have been identified by the DOJ and they have submitted an authorization form to the FBI. The DOJ's plan to uninstall Coreflood is the latest step in a coordinated campaign to cripple the botnet, which controls more than 2 million compromised computers. The remote wipe move will require consent, and the action does come with warnings from the court that provided the injunction against the botnet, however. 'While the 'uninstall' command has been tested by the FBI and appears to work, it is nevertheless possible that the execution of the 'uninstall' command may produce unanticipated consequences, including damage to the infected computers,' the authorization form reads. FBI Special Agent Briana Neumiller said, 'The process does not affect any user files on an infected computer, nor does it ... access any data on the infected computer.' The DOJ and FBI did not say how many machines they have identified as candidates for the uninstall strategy, but told the judge that FBI field offices would be notifying affected people, companies and organizations."
Re:That's ok (Score:4, Informative)
A bit draconian, are you?
Maybe. Apparently you aren't one of the guys they send massive amounts of unwanted spam to?
So sure. Let's say you render a couple hundred thousand machines unbootable by wiping their partition tables, MBR, or whatever. They wake up the next morning, and do they love you? Can they do business? Can they read x-rays? Will their stuff work?
The problem is the malware/rootkit leaves their stuff seeming to work; and it's invisible to them, so they don't even bring someone in to look at it, let alone repair it.
Your average organization with malware crawling around has no IT management, there's no active directory, group policy, or technical restrictions against employees running software -- everyone runs as admin, any anti-malware/antivirus software is hopelessly out of date, and they're probably still running Windows XP at the moment.
You're not going to be able to "turn off the port", because there are way too many of them, they don't have static IPs, and WHOIS is basically useless. Their ISP won't even tell you (or law enforcement) who their technical contact is (if they have one) without subpoenas.
The most expeditious way for anyone to handle this is to nuke from orbit by reversing the behavior of the malware author's backdoor. Make the software shout about its presence instead of hiding.
Make the breakage of the machine VISIBLE so the repair company has to be called, and money has to be spent, so the SMB cannot continue to ignore their workstation infection, even when informed of it.
Re:That's ok (Score:4, Informative)
"It's very, very easy to check offline (from a separate host) that a hard drive with a Windows partition on it has legitimate files as released by MS. Digital signatures and all that jazz."
No. The System File Checker is trivially defeated, even when checking offline.
The trouble with 'digital signatures' is there are multiple valid signers, and you can't enumerate a priori which ones are valid. The tampering of tampered-with files does not even necessarily occur on the files you see on the physical medium offline while the rootkit is not loaded.
Lots of Windows systems have a boatload of legitimate non-Microsoft application files, and non-Microsoft system drivers for hardware are almost universally present. And what the registry contains is really quite important, especially when malware involves loading a program that contains a rootkit.
The loader may be found as an application, small file, or binary blob in the registry somewhere. The actual payload activated by the malware loader may not even reside as files on the NTFS volume, as anything running as the system user may be able to read code from raw disk sectors (even NTFS disk sectors that are not actually linked to files you can scan/access).
Try as you might, it is basically impossible to enumerate every possible registry content that will cause malware hooks to load into memory and run payload at system boot.
Verification of the content of all known system files does not verify the integrity of the system.
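To illustrate the point made in the comment above, here is an added example (not from the thread or any poster) that runs the two checks a defender would do against an offline image: hashing known system files against an allowlist, and separately listing autostart targets from a registry export. The allowlist hashes, the image contents and the .reg text are all constructed sample data; the file check passes while the registry points at a loader the file check never looked at.

```python
import hashlib
import re

# Constructed allowlist: SHA-256 of "known good" files (sample data, not real Windows hashes).
KNOWN_GOOD = {
    r"C:\Windows\System32\ntoskrnl.exe": hashlib.sha256(b"kernel-image").hexdigest(),
    r"C:\Windows\System32\winlogon.exe": hashlib.sha256(b"winlogon-image").hexdigest(),
}

# Constructed offline image: path -> bytes, as read from the unmounted volume.
IMAGE = {
    r"C:\Windows\System32\ntoskrnl.exe": b"kernel-image",
    r"C:\Windows\System32\winlogon.exe": b"winlogon-image",
    r"C:\ProgramData\updsvc.exe": b"loader-stub",  # not in the allowlist, so a file checker never examines it
}

# Constructed .reg export of one autostart location (sample data).
REG_EXPORT = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\System32\\winlogon.exe"
"UpdSvc"="C:\\ProgramData\\updsvc.exe /silent"
"""

def verify_known_files(image, allowlist):
    """Return the allowlisted files whose hash differs or that are missing (empty list means 'all clean')."""
    bad = []
    for path, expected in allowlist.items():
        data = image.get(path)
        if data is None or hashlib.sha256(data).hexdigest() != expected:
            bad.append(path)
    return bad

VALUE_RE = re.compile(r'^"[^"]+"="(.*)"$')

def autostart_targets(reg_text):
    """Extract the executable path from each autostart value (.reg backslash escapes undone,
    arguments dropped; splitting on the first space is a simplification for paths without spaces)."""
    targets = []
    for line in reg_text.splitlines():
        m = VALUE_RE.match(line.strip())
        if m:
            value = m.group(1).replace("\\\\", "\\")
            targets.append(value.split(" ")[0])
    return targets

def unlisted_autostarts(reg_text, allowlist):
    """Autostart targets that the known-file check never covered."""
    return [t for t in autostart_targets(reg_text) if t not in allowlist]
```

Running `verify_known_files(IMAGE, KNOWN_GOOD)` returns an empty list, while `unlisted_autostarts(REG_EXPORT, KNOWN_GOOD)` returns the loader path, which is exactly the gap the comment describes.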