Data Security

Court Authorizes U.S. Gov’t to Kill Zombies

Published: Apr. 15, 2011

Updated: Oct. 06, 2020

Just two days ago on April 12, the United States Government executed an unprecedented (in the U.S.) scheme to shut down one of the more malicious botnets plaguing the Internet. Coreflood is a distributed network of malicious software running on millions of unsuspecting users’ machines (aka “zombies”), skimming financial and other sensitive data and sending it to a few centralized command servers operated by unknown parties. Wired Threat Level’s Kim Zetter reported that Department of Justice (DOJ) officials in the District of Connecticut worked with the FBI, Microsoft, and the non-profit Internet Systems Consortium (ISC) to coordinate a plan to shut Coreflood down. First, the FBI seized the centralized servers used in the scheme. Next, those servers were replaced with ISC-operated systems that could collect the IP addresses of affected machines. The IP addresses will be used to notify the owners of zombie machines (via their ISPs) that they have become part of the malicious botnet. Also, the seizure was scheduled for the same day Microsoft issued an OS patch that should remove all Coreflood software from user machines. Finally, and most controversially from a legal point of view, the government-controlled servers will send a kill command to infected machines and stop the Coreflood software from operating.

Though, as Ars Technica reports, Dutch and Armenian authorities took similarly aggressive action to shut down the Bredolab botnet in 2010, this is completely new in the U.S.

So, under what authority might the U.S. Government have the right to instruct your computer to run or stop running certain software code? Generally, when a private party does such a thing without your permission, they face potential liability under the federal Computer Fraud and Abuse Act, or its state corollaries, for unauthorized access to computers. See, e.g., 18 U.S.C. 1030(a)(5).

The brief that the DOJ filed in support of court authorization for this scheme sets forth the government’s legal case for this joint venture. It’s textbook Fourth Amendment law that the government needs a search warrant to seize the centralized computers that formed the Coreflood brain (Brains!). The DOJ got such warrants. Law enforcement officials also followed good electronic surveillance practice by getting court orders under the Pen Register/Trap and Trace statute (Pen/Trap) to collect the IP addresses. The Pen/Trap statute generally prohibits the collection of IP addresses and other dialing, routing or signaling information without such a court order. It makes an exception allowing service providers to collect IP addresses for certain purposes, including to protect users of that service from fraud, unlawful or abusive use, 18 U.S.C. 3121(b)(2), (3), but it was wise for the government to get court authorization rather than try to argue that, as a result of its takeover of the command servers, it was now the service provider.

As for the more controversial aspect of the operation, the kill-switch power, the DOJ relied on 18 U.S.C. 2521, entitled “Injunction against illegal interception,” for this authority. That statute allows the Attorney General to file a civil suit to get an injunction against unlawful felony interception of communications. The provision says, in part,

The court shall proceed as soon as practicable to the hearing and determination of such an action, and may, at any time before final determination, enter such a restraining order or prohibition, or take such other action, as is warranted to prevent a continuing and substantial injury to the United States or to any person or class of persons for whose protection the action is brought.

The government argued that the kill switch is an “other action” warranted to protect the individuals whose computers are infected. This argument is unprecedented, literally. No court has ever analyzed the meaning of this section, and there are no reported decisions which cite this provision. Certainly, the Coreflood operators are unlikely to challenge this part of the Court order. But, if an infected computer gets taken off-line as a result of this operation, the owner may seek redress against the government. And civil libertarians have to ask what the limits are of this new power the government claims.

Is an order under this statute limited to addressing harms caused by illegal interception, and if so, what is the unlawful interception at issue here? If not, what nexus must the government show with illegal interception to get a court order under this provision? Are there any other limitations on what “other actions” the government might pursue?

What is the standard of proof required to get such a court order? Generally, injunctions require a showing of irreparable harm and that there is no adequate remedy at law. But in the briefing, the government argues that a statutorily authorized injunction and injunction-related order need only “prove the alleged violation and ‘a reasonable likelihood that the wrong will be repeated’.” How does this standard compare to the probable cause standard required to seize machines or perform other kinds of invasive actions, and should a court require at least that level of proof for the kind of action contemplated here?

For now, this order may be just the salt that returns the Coreflood zombies back to the grave. But it will be interesting to see whether the government’s success here spawns future monsters.