Nearly two months after the company was part of an operation to disrupt a large number of Citadel botnets, Microsoft said that 88 percent of the botnets spawned by that malware have been taken down.
Citadel is a Trojan designed specifically to steal financial information from a variety of sources using a number of techniques. It began life as a version of the more famous Zeus malware and went on to create a name for itself as the weapon of choice for attackers wanting to steal large amounts of money from their victims. Citadel gives attackers the ability to steal usernames and passwords for online banking sites, and has been used to build thousands of individual botnets around the world.
In June, Microsoft, along with law enforcement agencies and other security companies, concluded an operation that helped disrupt many of the Citadel-based botnets. Working with U.S. Marshals, the company was able to physically remove from data centers some servers used by Citadel botmasters. The Citadel operation was the latest in a string of anti-botnet maneuvers conducted by the company over the last few years. Microsoft also has been involved in operations that helped take down botnets such as Kelihos, Bamital, Nitol and others.
The Citadel takedown was not without controversy, however. Part of the operation involved Microsoft sinkholing thousands of domains used by Citadel botmasters for command and control purposes. But, some of those domains turned out to be sinkholes that malware researchers had set up previously in order to track Citadel’s operations. A couple of days after Microsoft announced its takedown of Citadel, a Swiss security researcher said that several hundred of his sinkholed domains had been redirected to Microsoft’s servers.
“Today, I’ve suddenly noticed that several domain names disappeared from my sinkhole. I started to investigate and noticed these are now all pointing to a server in Microsoft’s network range (199.2.137.0/24). It was quite obvious to me what had happened. Microsoft seized not only malicious domain names operated by cybercriminals to control computers infected with Citadel, but also Citadel botnet domain names that had already been sinkholed by abuse.ch awhile ago (I want to outline here that my sinkhole is appropriately tagged and clearly shows that it is actually a sinkhole of abuse.ch),” an anonymous security researcher who operates Abuse.ch, wrote in a blog post on June 7. “I pulled down the list of Citadel domains that Microsoft seized and checked it against my sinkhole’s domain list. I was quite surprised about the result: Microsoft seized more than 300 domain names that where sinkholed by abuse.ch.”
The same thing happened to other security researchers, and the Abuse.ch researcher estimated that 25 percent of the Citadel domains seized in the operation were legitimate sinkholes operated by researchers. Still, Microsoft officials said Thursday that Operation b54, the code name for the Citadel takedown, was a success and has made a difference in the botnet’s ability to operate.
“According to our data, as of July 23, our coordinated action against the threat has disrupted roughly 88 percent of the Citadel botnets operating worldwide. In addition, our analysis shows that approximately 40 percent of the computers we believe to have been infected with Citadel and directly impacted by our operation have been cleaned since the time of our action in June, and we continue to work with others to help clean the remaining victims. As I stated in a recent blog post sharing our initial revelations from this operation, we believe that this was a very successful action, and we continue to be pleased with the positive results we’re seeing,” Richard Boscovich of the Microsoft Digital Crimes Unit said.