
Microsoft attacks crippled Coreflood

Microsoft has re-jigged its anti-malware tool to remove Coreflood infections on Windows machines in a move that strikes another blow to the crippled botnet.
Written by Darren Pauli, Contributor

[Image: Counter-attack (670 image by Tomer Gabel, CC BY-SA 2.0)]

The botnet is said to have operated for more than a decade and to have controlled a fleet of two million infected computers. It records keystrokes in order to steal usernames, passwords and financial information.

Last week the US Government made an unprecedented move in seizing Coreflood's command and control servers and disabling installations of it on infected computers under a temporary restraining order. But the restraining order did not permit the removal of the botnet from infected computers.

The second version of Microsoft's Malicious Software Removal Tool (MSRT) will aim to remove the latest instances of Coreflood on infected machines, and may be what is needed for the United States Government to kill the botnet.

It will be pushed out to Windows machines as a "continuation of [Microsoft's] support for the take-down activities" of Coreflood.

"We can, and will, release MSRT as needed to support take-down activities or other times when the impact will be potentially significant," Microsoft Malware Protection Centre principal group program manager Jeff Williams said on a TechNet blog.

The tool will be pushed out through Microsoft's Patch Tuesday security updates, but the Redmond giant said that it is prepared to break the schedule to stay ahead of Coreflood.

The tool also includes improvements to the MSRT engine for other malware families.

In a 2008 blog, Dell malware research director Joe Stewart said that Coreflood exploits Microsoft's telnet substitute, PsExec. The bot activates when a Domain Administrator logs on and abuses those privileges to install itself remotely on hosts reachable through PsExec. It stores the data captured by its keyloggers in an SQL database so that the operators can sort through it with simple queries.
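The propagation mechanism Stewart describes, remote installation via PsExec under Domain Administrator privileges, leaves a recognisable trace on the receiving host: PsExec copies its service binary to the target and registers it as a Windows service (by default named PSEXESVC), which the target logs as System event 7045 ("A service was installed in the system"). The following detection sketch is an added example, not code from the article, Microsoft or the researcher quoted; it runs over constructed event records, and the service-name and event-ID details are the well-known PsExec defaults rather than anything the article states about Coreflood specifically. The `PRIVILEGED_ACCOUNTS` list and the record layout are assumptions made for the example.

```python
"""Flag PsExec-style remote service installs in Windows System-log records.

Added illustration (not from the article). PsExec registers a service on
the remote host, which is recorded as System event 7045. The records
below are constructed for this example, not real telemetry.
"""
from dataclasses import dataclass

# Service name PsExec registers on the remote host by default. Operators
# can rename it, so the image path is inspected as well.
PSEXEC_SERVICE_NAMES = {"psexesvc"}

# Accounts treated as highly privileged (assumed for this example; in
# practice this would be fed from the directory's Domain Admins group).
PRIVILEGED_ACCOUNTS = {"CORP\\da-admin"}


@dataclass
class ServiceInstallEvent:
    """Minimal projection of a System-log record (fields assumed)."""
    host: str
    event_id: int
    service_name: str
    image_path: str
    account: str


# Constructed sample events: two PsExec installs (one renamed), one benign
# service install, and a 7036 state-change event that must be ignored.
SAMPLE_EVENTS = [
    ServiceInstallEvent("ws01", 7045, "PSEXESVC",
                        r"%SystemRoot%\PSEXESVC.exe", "CORP\\da-admin"),
    ServiceInstallEvent("ws02", 7045, "Spooler",
                        r"C:\Windows\System32\spoolsv.exe", "NT AUTHORITY\\SYSTEM"),
    ServiceInstallEvent("ws03", 7045, "updsvc",
                        r"\\ws03\ADMIN$\PSEXESVC.exe", "CORP\\da-admin"),
    ServiceInstallEvent("ws04", 7036, "PSEXESVC",
                        "", "NT AUTHORITY\\SYSTEM"),
]


def is_psexec_install(ev: ServiceInstallEvent) -> bool:
    """True when the record is a service install that looks like PsExec."""
    if ev.event_id != 7045:
        return False
    name = ev.service_name.lower()
    path = ev.image_path.lower()
    return name in PSEXEC_SERVICE_NAMES or "psexesvc" in path


def find_suspicious_installs(events):
    """Return one finding per PsExec-style install; installs performed by a
    privileged account are rated high, since that is the pattern the
    article describes (bot waits for a Domain Administrator logon)."""
    findings = []
    for ev in events:
        if not is_psexec_install(ev):
            continue
        severity = "high" if ev.account in PRIVILEGED_ACCOUNTS else "medium"
        findings.append({
            "host": ev.host,
            "service": ev.service_name,
            "account": ev.account,
            "severity": severity,
        })
    return findings


if __name__ == "__main__":
    for f in find_suspicious_installs(SAMPLE_EVENTS):
        print(f)
```

Matching on the image path as well as the service name catches the renamed-service case (`ws03`), while the event-ID check keeps the later 7036 state-change record from producing a duplicate finding. A real deployment would additionally correlate the install with the preceding network logon (event 4624, logon type 3) from the same account to confirm the remote-admin pattern.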
