New Haven FBI seizes botnet

New Haven is now at the forefront of yet another field: cybersecurity.

On April 13, the New Haven office of the Federal Bureau of Investigation, located at 600 State St., took over the “Coreflood botnet,” a collection of computers remotely controlled by malicious software, which had been operational for 10 years and infected over two million computers. Yale Information Technology Services declined to comment on whether any Yale computers had been infected by the Coreflood botnet, but professor Avi Silberschatz, chair of the Yale Department of Computer Science, said it was likely that the botnet included Yale computers.

Coreflood exploited a bug in the Windows operating system to infect computers, the FBI said in a statement. Over two-thirds of the computers in Yale’s computer clusters and department labs use Windows, according to the Yale ITS website.

Yale ITS also declined to comment on whether the University had known about the botnet before the FBI announced its existence.

A student’s computer could have been infected by Coreflood relatively easily, Silberschatz said.

“Most of the time the user has to do something — download a file, open a file, et cetera, but sometimes just visiting the site is enough if the bug being exploited [by the virus] is bad enough,” said Silberschatz, who consulted with his friend Peter Galvin, co-founder and CIO of Corporate Technologies, an IT company, about the botnet.

Silberschatz said that most malware, such as Coreflood, is written to attack Microsoft machines because they have a much larger share of the market than Apple does, so infecting them is a better investment.

Although Yalies have better than average understanding and computer skills, Silberschatz added, they are also more likely than average to explore the internet, which could lead to infections when components such as Adobe Flash or operating systems are exploited.

To disable the botnet, the New Haven FBI asked the U.S. District Court in Connecticut to replace the five servers previously being used to control the botnet with different servers that the FBI controlled. The FBI plans to send a self-destruct signal to all versions of Coreflood, it said.
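Once control-server domains have been redirected to servers the authorities run (a "sinkhole"), an organization such as a university IT department can answer the question the article raises (whether any of its own machines were infected) by checking which internal hosts are still trying to resolve those names. The script below is an added example, not code from the article or from the FBI; the domain names, the log format (timestamp, client IP, queried name, record type) and the log lines are constructed placeholders, not real Coreflood indicators.

```python
"""Find internal hosts still calling home to a sinkholed botnet controller,
using DNS resolver logs.

Added example, not part of the original article. Domain names and log
lines are constructed placeholders, not real Coreflood indicators.
"""
import re

# Constructed: control-server names that a takedown redirected to a sinkhole.
# In practice this list would come from the takedown notice or a threat feed.
SINKHOLED_DOMAINS = {
    "c2-placeholder-1.example.invalid",
    "c2-placeholder-2.example.invalid",
}

# Constructed sample resolver log. Fields: ISO timestamp, client IP, name, type.
SAMPLE_LOG = """\
2011-04-14T09:01:12 10.20.30.41 www.yale.edu A
2011-04-14T09:01:15 10.20.30.41 c2-placeholder-1.example.invalid A
2011-04-14T09:03:40 10.20.30.77 mail.example.com A
2011-04-14T09:05:02 10.20.30.41 c2-placeholder-1.example.invalid A
2011-04-14T09:07:19 10.20.30.88 C2-Placeholder-2.example.invalid. A
2011-04-14T09:09:00 10.20.30.77 updates.example.com A
this line is garbage and should be skipped
"""

# One log line: timestamp, dotted-quad client address, queried name, record type.
LINE_RE = re.compile(r"^(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)\s+(\S+)$")


def normalize(name):
    """Strip a trailing root dot and lower-case, so FQDN spellings compare equal."""
    return name.rstrip(".").lower()


def matches_sinkhole(qname, sinkholed):
    """True if qname is one of the sinkholed domains or a subdomain of one."""
    q = normalize(qname)
    for d in sinkholed:
        d = normalize(d)
        if q == d or q.endswith("." + d):
            return True
    return False


def find_infected_hosts(log_text, sinkholed=SINKHOLED_DOMAINS):
    """Return {client_ip: {"queries", "first", "last", "domains"}} for every
    client that looked up a sinkholed name. Malformed lines are skipped.
    ISO-8601 timestamps sort correctly as strings, so min/max work directly."""
    hosts = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, client, qname, _qtype = m.groups()
        if not matches_sinkhole(qname, sinkholed):
            continue
        entry = hosts.setdefault(
            client, {"queries": 0, "first": ts, "last": ts, "domains": set()}
        )
        entry["queries"] += 1
        entry["first"] = min(entry["first"], ts)
        entry["last"] = max(entry["last"], ts)
        entry["domains"].add(normalize(qname))
    return hosts


def report(hosts):
    """Render one summary line per suspected-infected host, sorted by address."""
    lines = []
    for ip in sorted(hosts):
        e = hosts[ip]
        lines.append(
            f"{ip}: {e['queries']} lookup(s) of {', '.join(sorted(e['domains']))} "
            f"between {e['first']} and {e['last']}"
        )
    return lines


if __name__ == "__main__":
    for line in report(find_infected_hosts(SAMPLE_LOG)):
        print(line)
```

Matching on the domain suffix rather than on an IP address is deliberate: after a takedown the sinkhole address may change, but the names the malware was built to contact do not, so the DNS lookup itself is the durable signal that a host is still running the bot.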

In addition to seizing the botnet, the FBI has filed a civil complaint against 13 unnamed defendants, according to the FBI statement. The complaint alleges that the defendants were engaged in “wire fraud, bank fraud, and illegal interception of electronic communications.”

Computers in a botnet can be forced to reveal passwords or send spam, Silberschatz said.

The Coreflood botnet was used to gain access to personal information and steal money through Internet transfers, the FBI statement said. The court filing gave examples of fraudulent activities in Michigan, Tennessee, North Carolina and South Carolina, each of which resulted in losses of tens or even hundreds of thousands of dollars for companies.

“Key logging is relatively old and relatively easy,” Silberschatz said about the process by which Coreflood stole users’ passwords. In one particular example of Coreflood’s capabilities, a user’s routine online banking activity was hijacked midsession by the unknown criminals, who then transferred thousands of dollars to an overseas account.

The FBI’s actions in this case were unprecedented because they took over the botnet instead of trying to deactivate it, according to a Wired magazine article. Silberschatz said the FBI is maintaining control over the botnet, possibly to prevent other hackers from gaining control of the botnet and reactivating it.

According to the Wired magazine article on the botnet, some electronic freedom groups, such as the Electronic Frontier Foundation, criticized the FBI for their actions in this case. In particular, there was concern about the precedent the actions set — that the FBI could take over millions of computers belonging to Americans with a simple court order. At the very least, this would put thousands of gigabytes of personal information in the hands of the authorities.

The FBI statement included a preemptive defense against this charge, saying, “at no time will law enforcement authorities access any information that may be stored on an infected computer.”

Silberschatz said that even presuming the FBI would not use the botnet for “nefarious” purposes, other hackers might be able to access the data through a “back door,” or a security loophole.

Although this is the first time that a U.S. law enforcement agency has taken control of a botnet, the Dutch police used a similar tactic in 2010 to disable the Bredolab botnet, which was estimated to control 30 million computers.

Comments

  • The Anti-Yale

    I know it well: it’s a block and a half from my late grandmother’s third floor walk-up ghetto apartment with no hot water at Elm and State.