Vigilance publishes here, for its readers worldwide, a media alert by a Senior Security Strategist on the unusual move by US federal prosecutors to obtain a court order allowing them to build an alternate Command & Control (C&C) server to the Coreflood botnet C&C server, in order to stop the malware from executing on compromised machines.
Enter: Noa Bar-Yosef
A new way to dismantle a botnet: for the first time, US federal prosecutors obtained a court order allowing them to build an alternate C&C server to the Coreflood botnet C&C server. As a result, zombie machines in the Coreflood network are being re-routed to communicate with the server controlled by law enforcement agencies. The “good” server can then issue commands to stop the malware execution on the compromised machines.
In a rather thoughtful move, this server is also logging the IPs of the machines communicating with it – i.e. the victims. Agencies can then work with the ISPs so that they can accordingly inform the victims. What this means is having ISPs actually inform the victim, provide information on removing the malware and increase security awareness.
This is the correct move. ISPs should not play cop – by removing suspected infected machines from the internet. Rather, they should know how to deal with infected machines and provide them with the tools to deal with threats.
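The victim-notification step described above, as an added example that is not part of the original alert or of any actual Coreflood sinkhole: it reads constructed sinkhole connection log lines (a hypothetical format), deduplicates the victim IPs, and groups them by a constructed prefix-to-ISP table so each provider receives only its own customers' addresses.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of the kind of connection log a law-enforcement sinkhole
# could keep: timestamp, source IP, bot request (hypothetical format, RFC 5737 addresses).
SAMPLE_LOG = """\
2011-04-13T10:01:02Z 198.51.100.23 GET /cmd
2011-04-13T10:01:05Z 198.51.100.23 GET /cmd
2011-04-13T10:02:10Z 203.0.113.77 GET /cmd
2011-04-13T10:03:44Z 192.0.2.9 GET /cmd
2011-04-13T10:04:01Z 203.0.113.80 GET /cmd
"""

# Constructed prefix-to-ISP table standing in for the ASN/whois lookup an
# agency would perform before handing victim lists to providers.
ISP_PREFIXES = {
    "198.51.100.0/24": "Example ISP A",
    "203.0.113.0/24": "Example ISP B",
}


def parse_sinkhole_log(text):
    """Return the set of unique victim IPs seen in the sinkhole log."""
    victims = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            victims.add(ipaddress.ip_address(parts[1]))
        except ValueError:
            continue  # skip malformed lines instead of aborting the whole batch
    return victims


def group_by_isp(victims, prefixes=ISP_PREFIXES):
    """Map each victim IP to the ISP whose prefix contains it; unmatched IPs go to 'unmapped'."""
    nets = {ipaddress.ip_network(p): isp for p, isp in prefixes.items()}
    batches = defaultdict(list)
    for ip in sorted(victims, key=lambda a: (a.version, a)):
        isp = next((name for net, name in nets.items() if ip in net), "unmapped")
        batches[isp].append(str(ip))
    return dict(batches)


if __name__ == "__main__":
    for isp, ips in group_by_isp(parse_sinkhole_log(SAMPLE_LOG)).items():
        print(f"{isp}: {len(ips)} victim(s) -> {', '.join(ips)}")
```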