US authorities have taken down a major botnet used by cyber criminals to steal user credentials to commit millions of dollars worth of fraud.

The US Department of Justice said that the Coreflood botnet had been operating for nearly a decade, and is thought to have infected more than two million computers worldwide.

The botnet infection exploited a flaw in Microsoft's Windows operating system for which the software company issued a fix on 12 April in its monthly security update, according to US reports.

Five botnet command and control servers and 29 internet domain names were seized as part of a joint operation by the DoJ and FBI.

Charges of fraud and illegal interception of electronic communications have been filed against 13 suspects.

The extent of the financial loss is not known, but victims include a real estate company in Michigan hit for $116,000 (£71,000), an investment company in North Carolina taken for $151,000 and a defence contractor in Tennessee which lost $242,000.

Based on these losses and other complaints, the cyber criminals are believed to have netted in the region of $100m or more.

Shawn Henry of the FBI's cyber branch said the operation is the first of its kind in the US and reflects the country's commitment to making the internet more secure.