The Department of Justice in a court filing Wednesday in New Haven District Court announced an unprecedented “reverse hack” to remove a password-stealing computer virus from more than 2.3 million infected computers worldwide.

The virus, known as Coreflood, exploits vulnerable, unpatched Windows systems. Once infected, the victim’s computer establishes a connection to a remote server and also attempts to infect other PCs on its local area network. The virus operates in the background, so victims don’t know their computer is infected. This is what makes it so dangerous.

Coreflood records every keystroke of the infected machine, transmitting personal information such as user names, passwords, and the contents of emails and documents back to the main virus server for analysis by criminals who can then gain access to the victim’s bank and email accounts. 

The criminals operating the server maintain control over the infected PCs, regularly sending updates that prevent detection by anti-virus software as well as frequent changes to the “phone home” address to throw law enforcement off the trail. Often, the computers operating the central virus servers are themselves hacked machines. The collection of infected machines and their remote handlers is known as a “botnet.” In its filing, the Department of Justice says the unknown perpetrators and their co-conspirators are believed to be foreign nationals operating outside the U.S.

Among the victims listed in the complaint is a defense contractor who lost more than $240,000 via fraudulent wire transfers.

Today’s court ruling gives the government the authority to intercept traffic from the infected machines by impersonating the central virus servers. The replacement machines will issue a reply code that suspends the virus temporarily. The approximately 1.8 million infected users in the United States will be contacted with instructions on how to permanently remove the virus. The government says that any personal information sent from infected machines to its servers will be discarded.

“These actions to mitigate the threat posed by the Coreflood botnet are the first of their kind in the United States and reflect our commitment to being creative and proactive in making the Internet more secure,” said Shawn Henry, Executive Assistant Director of the FBI’s Criminal, Cyber, Response and Services Branch.

Despite yesterday’s interception, security experts estimate that other botnets continue to control millions of infected computers worldwide. The best defense against infection is keeping computers up to date with the latest security patches and anti-virus and anti-malware software. Microsoft now provides this protective software for free.
