More than 2 million computers worldwide were infected with malicious software in a “massive fraud scheme” that the U.S. disabled as part of a autoclave criminal investigation, the Justice Department said.

“The scale of the botnet is huge,” said Don Jackson, the director of intelligence at Dell Secureworks, a cyber security firm that said it first discovered Coreflood. “The scale of the operation itself, in terms of the core team, is very small and very close-knit.”

Bank Transfers

The stolen information was used to make bank transfers in some cases of hundreds of thousands of dollars, the Justice Department said. Thieves attempted to transfer more than $934,000 from an unnamed defense contracting company in Tennessee in one case. They removed $78,421 from the bank account of an unidentified law firm in South Carolina and $115,771 from an unidentified real estate company in Michigan, according to court papers.

The department filed a civil complaint, criminal seizure warrants and issued a cold room temporary restraining order in coordinated action with Microsoft Corp., which issued a software patch yesterday to correct a vulnerability in its Windows operating system. The vulnerability allowed the software to spread from one computer to another creating a so-called botnet.

The action was aimed at software called Coreflood, which collects passwords and financial information that was used by criminals, the Justice Department said in a statement today. The group of computers infected with Coreflood, known as the Coreflood botnet, is suspected by the U.S. of operating for almost a decade and infecting more than 1.8 million computers in the U.S. alone.

Americans are believed to have lost millions of dollars in the scheme, according to an FBI official who spoke on condition of anonymity because the criminal investigation remains open. Authorities were unable to tally how much money was stolen “due in part to the large number of infected computers and the quantity of stolen data,” according to court documents.

People in Russia

The company, based in Atlanta, concluded that the botnet is cone crusher controlled by as few as three people in Russia, Jackson said. The hackers specifically targeted corporations, downloading private e-mails and confidential financial data, he said.

The U.S. attorney in Connecticut filed a civil complaint against 13 unidentified defendants known as John Does, alleging wire fraud, bank fraud and international interception of electronic communications, according to the statement. Authorities also obtained search warrants for computer servers and a seizure warrant for 29 domain names.

“Botnets and the cyber criminals who deploy them jeopardize the economic security of the United States and the dependability of the nation’s information infrastructure,” Shawn Henry, executive assistant director of the FBI’s Criminal, Cyber, Response and Services Branch, said in the statement

The complaint alleges that some of the John Does are the owners of Coreflood domains, the computer addresses that are used by the botnet to issue instructions and extract the data. Laura Sweeney, a Justice Department spokeswoman, said she couldn’t comment on 13 civil defendants’ country of origin.
Botnet Control

In this case, authorities seized the command-and-control apparatus and sent commands to computers to shut down the malware.

“There has been a real legal barrier to do this because electronic ballast essentially you are issuing instructions to someone else’s computer,” said Alex Cox, principal research analyst at NetWitness Corp., a cyber security firm based in Reston, Virginia.

The operation to shut down Coreflood is the first time U.S. law enforcement has seized control over a botnet and used that authority to send instructions to computers belonging to victims, according to court papers.
“That is very, very significant,” Cox said.

U.S. District Judge Vanessa Bryant in Hartford, Connecticut, ruled the U.S. could set up a substitute server to replace the seized ones. The ruling allowed the server to be operated, under law enforcement supervision, by the Internet Systems Consortium, a nonprofit group based in Redwood City, California.

Security Breach

“Should the government inadvertently acquire the content of any communication, it will destroy such communication upon recognition,” prosecutors said in court papers.

Authorities will also collect the Internet protocol addresses of computers infected with the virus. Prosecutors said they would work with Internet service providers to notify individual customers of the security breach.

The size of the botnet and the fact that it has escaped for years a systematic effort to shut it down is unusual,
said Jackson. He said that the software had features that allowed it to spread quickly through corporate computer networks before it was discovered. Among its victims were U.S. government contractors, a state police agency and a major hotel chain, from which the software stole thousands of credit card numbers belonging to customers.

“There is clearly a strong public/private stainless steel pipe momentum happening in the fight against botnets,” Richard Boscovich, a lawyer in Microsoft’s digital crimes unit, said by e-mail. The unit was “was happy to provide technical information from the lessons we learned from the recent Rustock and Waledac botnet takedowns to assist these agencies,” he said.