UPDATE – Calling it the company’s “most aggressive” botnet operation to date, Microsoft has joined with the FBI for a massive disruption of the Citadel botnet.
More than 1,400 individual botnets associated with the Citadel malware, affecting more than five million people in total, were disrupted with cooperation from the Federal Bureau of Investigation and, interestingly, a civil seizure warrant issued by the U.S. District Court for the Western District of North Carolina.
Groups like the Financial Services – Information Sharing and Analysis Center (FS-ISAC), NACHA – The Electronic Payments Association, the American Bankers Association (ABA) and Agari, an email phishing authentication firm, all contributed intelligence as well.
While this was the seventh botnet operation of its kind coordinated by Microsoft, this is the first time the company has worked with the law enforcement sector to secure a civil seizure warrant to carry out its plans.
Richard Boscovich, Assistant General Counsel of Microsoft’s Digital Crimes Unit, wrote about the operation – codenamed Operation b54 – on the company’s TechNet blog last night, saying the action won’t fully eradicate the Citadel malware but should “significantly” curb the botnet going forward.
“Due to Citadel’s size and complexity, we do not expect to fully take out all of the botnets in the world using the Citadel malware,” he wrote. “However, we do expect that this action will significantly disrupt Citadel’s operation.”
Technical details on the operation are somewhat scant, but Microsoft says the operation culminated yesterday after officials from Microsoft, assisted by U.S. Marshals, helped remove servers from two data hosting facilities in New Jersey and Pennsylvania. The takedown was set into motion last week after the North Carolina court order successfully cut off communication between the Citadel botnets, 1,462 in total, and their infected machines.
Agari, a Palo Alto-based email phishing authentication firm, had a big hand in helping Microsoft obtain the seizure warrant.
While the full operation took about a year, Agari spent six of those months poring over phishing emails that were pulling unsuspecting users into the Citadel botnet.
Agari CEO Patrick Peterson described how the company helped monitor the emails that led to the seizure of the servers in Pennsylvania and New Jersey.
“Our whole system is designed to isolate these malicious emails and to get that forensic data for law enforcement, for our customers, for the industry to be able to track the bad guys,” Peterson explained. “In this case, working with our partners, the FBI, Microsoft, FS-ISAC, we were able to customize the focus of that specifically around that Citadel botnet.”
The company monitored approximately 2.5 million malicious URLs every month, and while not every one of those URLs led to the Citadel malware, all of them purported to come from a legitimate bank.
Agari is part of FS-ISAC’s Trusted Registry Program, a program dedicated to securing the emails the financial services industry sends out. FS-ISAC reached out to Microsoft about Agari’s wealth of phishing emails and the company joined the investigation from there.
“I think it’s a great day for everyone involved,” Peterson said. “It’s certainly a day when everyone on the internet is safer than they were yesterday, and that doesn’t happen very often.”
The Citadel Trojan has been spotted mining all types of financial information, including banking logins and passwords, since being introduced a year and a half ago. To date it’s believed the botnet is responsible for more than half a billion dollars in financial loss.
Peddled primarily on a handful of underground forums as a variant of the Zeus Trojan, the malware has long been cloaked in secrecy. Its owners insist on distributing the kit only among trusted insiders, hoping to keep law enforcement out and support costs down.
Microsoft has taken a hard line on cybercrime over the last several years, and much of that is due to the work being done by its Digital Crimes Unit. The DCU, a collection of Microsoft engineers, security experts and lawyers, has proved successful at shutting down botnets that are largely dependent on centralized infrastructure, including Kelihos, Zeus, Waledac and Rustock.
In a discussion with Threatpost’s Dennis Fisher last month, T.J. Campana, the DCU’s Director of Security, said the group tries to take a transparent approach to its takedowns.
“We’re not just going out there shooting stuff. We walk in with a pile of legal documents. We’re asking for a judge to agree with what we found,” Campana said of the group’s actions at the time.