Botnet Hurt, So Are Researchers

Thursday, June 13, 2013 @ 03:06 PM gHale


Microsoft helped bring down the Citadel botnet, but there are some signs the network is on the rise. So, too, are the tempers of security researchers.

Microsoft worked with financial services organizations, other technology firms and the Federal Bureau of Investigation to disrupt more than 1,400 botnets linked to $500 million in fraud, as part of a takedown action codenamed Operation b54.

Microsoft called this, its seventh zombie-network takedown, its “most aggressive botnet operation to date”.

However, not everyone is happy. Security researchers such as Roman Hüssy of Abuse.ch said that, alongside seizing Internet nodes linked to ongoing fraud, the move also knocked out honeypot (sinkhole) systems that researchers were using to monitor the crooks' activity.

Microsoft seized more than 4,000 domain names and pointed them at a server operated in Redmond, WA, as part of the sinkholing exercise. But those domains included more than 300 Citadel domains already sinkholed by abuse.ch, as well as hundreds of similar domains controlled by other security researchers.

Redirecting those domains cut the researchers off from their own sinkholes, they said, and hampered groups such as the Shadowserver Foundation in tracking the activity of malware networks, for example by reporting the IP addresses of infected machines (zombies) that phone home to command-and-control nodes under researcher control.

Microsoft previously hijacked domains associated with the ZeuS banking Trojan, causing similar problems for researchers' honeypots. After that mix-up, Abuse.ch set up a non-public sinkhole registry for law enforcement and other security organizations, but Microsoft disregarded that list in this takedown operation.
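The two mechanics the last three paragraphs describe, checking a seizure list against a registry of research sinkholes before redirecting domains, and turning a sinkhole's server log into a per-IP victim report, are shown together in the following added example. It is illustrative code written for this page, not Microsoft's, abuse.ch's or Shadowserver's tooling; the registry, the domain names, the resolution data, the log lines and the check-in paths (`/file.php`, `/gate.php`) are all constructed, and the registry format (sinkhole IP to operator) is an assumption, since the real abuse.ch registry is non-public.

```python
"""Added example, not code from the article or from any named organization.
All domains, IPs, log lines and the registry below are constructed."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Hypothetical registry of sinkholes already run by researchers, keyed by the
# IP the sinkholed domains resolve to (a stand-in for the non-public abuse.ch
# list; its real format is not known here).
SINKHOLE_REGISTRY = {
    "203.0.113.10": "abuse.ch",
    "203.0.113.11": "abuse.ch",
    "198.51.100.5": "Shadowserver",
}

# Constructed current resolutions for domains on a candidate seizure list.
CANDIDATE_DOMAINS = {
    "cfg-update.example": "192.0.2.44",    # live C2, attacker-controlled
    "panel-stat.example": "203.0.113.10",  # already sinkholed by abuse.ch
    "ld-check.example": "198.51.100.5",    # already sinkholed by Shadowserver
    "gate-x.example": "192.0.2.77",        # live C2
}

def partition_seizure_list(candidates, registry):
    """Split candidates into domains safe to seize and domains that must be
    left alone because they already point at a registered research sinkhole."""
    to_seize, already_sinkholed = {}, {}
    for domain, ip in candidates.items():
        owner = registry.get(ip)
        if owner:
            already_sinkholed[domain] = owner
        else:
            to_seize[domain] = ip
    return to_seize, already_sinkholed

# Constructed sinkhole web-server log lines (combined log format with the
# requested host appended). Bots "phone home" with an HTTP POST to the config
# or gate path; the path names are made up for this example.
LOG_LINES = [
    '192.0.2.101 - - [13/Jun/2013:14:02:11 +0000] "POST /file.php HTTP/1.1" 200 12 "-" "Mozilla/4.0" cfg-update.example',
    '192.0.2.101 - - [13/Jun/2013:14:07:11 +0000] "POST /file.php HTTP/1.1" 200 12 "-" "Mozilla/4.0" cfg-update.example',
    '198.51.100.200 - - [13/Jun/2013:14:03:40 +0000] "POST /gate.php HTTP/1.1" 200 12 "-" "Mozilla/4.0" gate-x.example',
    '192.168.1.9 - - [13/Jun/2013:14:03:55 +0000] "POST /file.php HTTP/1.1" 200 12 "-" "curl/7.30" cfg-update.example',
    '198.51.100.200 - - [13/Jun/2013:14:04:02 +0000] "GET /robots.txt HTTP/1.1" 404 0 "-" "Mozilla/4.0" gate-x.example',
    'this line is not a log record',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \d+ "[^"]*" "(?P<ua>[^"]*)" (?P<host>\S+)$'
)

# Source addresses that must never appear in a victim report (RFC 1918,
# loopback, link-local). Checked explicitly rather than via is_private because
# the constructed sample uses RFC 5737 documentation ranges as "public" IPs.
NON_REPORTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

def reportable(ip):
    return not any(ip in net for net in NON_REPORTABLE)

def parse_checkins(lines, checkin_paths=("/file.php", "/gate.php")):
    """Yield (victim_ip, host, timestamp) for requests that look like bot
    check-ins: unparsable lines, non-POST requests and non-reportable sources
    (internal scanners, local tests) are dropped."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or m["path"] not in checkin_paths:
            continue
        ip = ipaddress.ip_address(m["ip"])
        if not reportable(ip):
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        yield str(ip), m["host"], ts

def victim_report(lines):
    """Aggregate check-ins into {host: {victim_ip: (first_seen, hit_count)}},
    the per-IP data a sinkhole operator passes on to CERTs and ISPs."""
    report = defaultdict(dict)
    for ip, host, ts in parse_checkins(lines):
        first, count = report[host].get(ip, (ts, 0))
        report[host][ip] = (min(first, ts), count + 1)
    return {host: dict(victims) for host, victims in report.items()}

if __name__ == "__main__":
    seize, skip = partition_seizure_list(CANDIDATE_DOMAINS, SINKHOLE_REGISTRY)
    print("seize:", sorted(seize))
    print("leave alone (already sinkholed):", skip)
    for host, victims in victim_report(LOG_LINES).items():
        for ip, (first, hits) in victims.items():
            print(f"{host} {ip} first_seen={first.isoformat()} hits={hits}")
```

The registry check is deliberately keyed on where a domain currently resolves rather than on the domain name itself: a researcher-run sinkhole typically answers for many domains at once, so a single registered IP covers all of them, and a domain that was only recently sinkholed is still caught. In the log processing, filtering on method and path keeps crawlers and stray GETs out of the report, and the explicit non-reportable ranges stop a lab machine or internal scanner from being reported to an ISP as a victim.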

The Citadel malware targeted by the takedown had built more than 1,400 botnets affecting more than five million people in 90 countries. Infected machines ran keylogging software that captured the bank account login credentials entered on the compromised PCs and uploaded them to the criminals.

Richard Boscovich, assistant general counsel of Microsoft’s Digital Crimes Unit, said Microsoft worked with white-hat security researchers on the takedown and argued that the operation was a clear win for the good guys.

Microsoft and the FBI worked with law enforcement, Computer Emergency Response Teams (CERTs) and others around the world in the execution of this disruption operation in order to help protect victims from the ongoing harm they were facing from Citadel on a daily basis.

The goal of the operation was to protect the public by strategically disrupting Citadel’s operation, helping quickly release victims from the threat and making it riskier and more costly for the cybercriminals to continue doing business.
