Often the command sent was to search for words on the infected computers that indicated banking or credit-card information – and send it along. But just as often, Coreflood was instructed to send it all – giving the botnet a voracious appetite for all kinds of data. Its enormous, nonselective appetite for data may have been its undoing.
On April 12, a US District Court judge in Connecticut granted a temporary restraining order against 13 “John Doe” defendants – the alleged members of the Russian cybergang. The court gave the FBI permission to take the unprecedented step of sending an electronic “pause” command to all US-based Coreflood-infected computers – machines whose owners had no idea their computers were being controlled by a Russian gang.
Working closely with private computer security experts, the FBI first substituted its own computers for Coreflood's. So when the PC bots “beaconed” for instructions, they got the FBI substitutes instead. The FBI machines responded by sending commands ordering the malicious Coreflood software inside the bot computers to sleep – just do nothing.
As a result, by late last month, the number of Coreflood bots in the network that were actively “phoning home” had dropped by 90 percent, according to federal court filings last week. But that was not a permanent fix. Putting the program to sleep is not the same as removing it: the sleep command only affects the running copy of the malware, not the installed one. Unless the malware is removed, for example by a Microsoft or antivirus update downloaded onto the computer, it will start up again the next time the computer is rebooted and beacon for instructions once more.
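The mechanism described above, the substitute controller answering beacons with a sleep command and the sleeping copy coming back on reboot, is easy to misread from the headline “90 percent drop” figure. The following simulation is an added example written for this page; it is not code from the article, from the FBI or from the Coreflood operation. The hostnames, the `HARVEST`/`SLEEP` command names and the `Bot` state machine are assumptions chosen for illustration, and the only point it makes is the one the text makes: a sinkhole suppresses beacons per boot session, and only removal makes the drop permanent.

```python
"""Sinkhole simulation: a fleet of bots beacons to a C2 hostname, the
resolver is repointed to a substitute controller that answers SLEEP, and
the count of bots still phoning home is tracked across reboots and removal.

Added example, not code from the article or from the Coreflood takedown.
Hostnames, command names and the bot model are assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

C2_HOST = "c2.example"  # assumed C2 hostname the bots are hard-wired to contact

Controller = Callable[[str], str]


def gang_controller(_bot_id: str) -> str:
    """Original operator: keep harvesting data (assumed command name)."""
    return "HARVEST"


def sinkhole_controller(_bot_id: str) -> str:
    """Substitute controller: tell the running instance to do nothing."""
    return "SLEEP"


@dataclass
class Bot:
    bot_id: str
    installed: bool = True   # malware still present on disk and set to autorun
    running: bool = True     # the process is alive in the current boot session
    sleeping: bool = False   # received SLEEP during the current boot session

    def beacon(self, resolve: Dict[str, Controller]) -> Optional[str]:
        """Phone home if this instance is active; return the command received."""
        if not self.installed or not self.running or self.sleeping:
            return None
        command = resolve[C2_HOST](self.bot_id)
        if command == "SLEEP":
            self.sleeping = True  # session state only; nothing on disk changes
        return command

    def reboot(self) -> None:
        """Session state is lost; if still installed, autorun relaunches the bot."""
        self.sleeping = False
        self.running = self.installed

    def remove(self) -> None:
        """Equivalent of an OS or antivirus update cleaning the infection."""
        self.installed = False
        self.running = False
        self.sleeping = False


def count_phoning_home(bots: List[Bot], resolve: Dict[str, Controller]) -> int:
    """One beacon interval: how many bots actually reach a controller."""
    return sum(1 for bot in bots if bot.beacon(resolve) is not None)


def run_scenario(fleet_size: int = 10) -> Dict[str, int]:
    """Walk the fleet through takeover, sleep, reboot and partial removal."""
    bots = [Bot(f"bot-{i}") for i in range(fleet_size)]
    resolve: Dict[str, Controller] = {C2_HOST: gang_controller}
    counts: Dict[str, int] = {}

    counts["before_takeover"] = count_phoning_home(bots, resolve)

    # Takeover: beacons for the C2 name now land on the substitute controller.
    resolve[C2_HOST] = sinkhole_controller
    counts["first_beacon_to_sinkhole"] = count_phoning_home(bots, resolve)
    counts["next_interval_after_sleep"] = count_phoning_home(bots, resolve)

    # Every machine reboots; the installed copy starts again and beacons.
    for bot in bots:
        bot.reboot()
    counts["after_reboot"] = count_phoning_home(bots, resolve)
    counts["next_interval_after_reboot"] = count_phoning_home(bots, resolve)

    # Half the fleet is actually cleaned, then everything reboots again.
    for bot in bots[: fleet_size // 2]:
        bot.remove()
    for bot in bots:
        bot.reboot()
    counts["after_removal_and_reboot"] = count_phoning_home(bots, resolve)
    return counts


if __name__ == "__main__":
    for stage, n in run_scenario().items():
        print(f"{stage:30s} {n}")
```

The interesting rows are `next_interval_after_sleep`, which goes to zero and is what a “phoning home” metric would report, and `after_reboot`, which jumps straight back to the full fleet because the sleep command never touched the installed copy. Only the bots that went through `remove()` stay quiet after the final reboot.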