Microsoft borks botnet takedown in Citadel snafu

Stupid Redmond kicked over our honeypots, wail white hats

Security researchers are complaining about collateral damage from the latest botnet take-down efforts by Microsoft and its partners.

The Windows 8 giant worked with financial service organisations, other technology firms and the Federal Bureau of Investigation to disrupt more than a thousand botnets.

The botnets in question were using Citadel malware to run cybercrime scams blamed for more than $500m in fraud. The action, authorised by a federal court ruling and carried out last week, involved raids at server-hosting facilities in the US to seize evidence related to the malware.

The takedown – codenamed Operation b54 – is the latest in an ongoing campaign against various zombie networks spearheaded by Microsoft.

In a blog post, Microsoft described its seventh zombie network takedown as its "most aggressive botnet operation to date".

However, this time round Redmond appears to have stepped on the toes of security researchers, killing off honeypot systems monitoring the activities of cybercrooks as well as decapitating systems linked to ongoing fraud.

Microsoft seized more than 4,000 domain names and pointed them at a server it operates, a technique known as "sinkholing". The technique isn't new and has previously been applied in attempts to seize control of the infamous Conficker botnet, for example.

Redmond and its partners allegedly erred by seizing more than 300 Citadel domains that were sinkholed by abuse.ch (home of the Swiss Security Blog), as well as many hundreds of similar domains controlled by other security researchers, critics complain.

"Microsoft seized not only malicious domain names operated by cybercriminals to control computers infected with Citadel, but also Citadel botnet domain names that had already been sinkholed by abuse.ch a while ago," a researcher at abuse.ch complains.

Security bods suffer déjà vu

Something similar happened with a ZeuS takedown operation by Microsoft last year, when thousands of ZeuS botnet domains were seized, including several hundred domain names that were already sinkholed by abuse.ch. Previously Redmond had the reasonable excuse that there was no easy way to distinguish between domains run by crooks and domains run by security researchers.

However, the latest action comes after abuse.ch set up a (non-public) Sinkhole Registry for law enforcement and security organisations to avoid similar mixups.

"I had hoped that Microsoft had learned their lesson, but apparently nothing has changed and my efforts didn’t change anything," the unnamed researcher at abuse.ch laments.

"Since Citadel domain names previously sinkholed by abuse.ch have been grabbed by Microsoft, Shadowserver will not be able to report the IP addresses of infected clients calling home to these domains to the network owners any more," he added.

The issue is not limited to abuse.ch, as several other sinkhole operators have also been hit: "Calculating the numbers together, I can say that nearly 1,000 domain names out of the 4,000 domain names seized by Microsoft had already been sinkholed by security researchers. In fact these 1k domain names did no longer present a threat to internet users [sic], but were actually used to help to make the internet a better place.”
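The mix-up described above is exactly what a sinkhole registry is meant to prevent: before a seizure list goes to court, every name on it should be cross-checked against the zones researchers have already registered, so overlaps are routed to their operator instead of being taken down. The following Python is an added example written for this article, not abuse.ch's or Microsoft's tooling; the registry record format, the operator names and every domain in it are constructed, and the matching rule (a registered zone covers its subdomains) is an assumption about how such a registry would be used.

```python
"""Cross-check a proposed domain seizure list against a registry of
domains already sinkholed by security researchers.

Hypothetical example: the SinkholeEntry format, operators, contacts and
domain names are all constructed and are not real registry data.
"""

from dataclasses import dataclass


@dataclass(frozen=True)
class SinkholeEntry:
    zone: str      # zone already pointed at a research sinkhole
    operator: str  # who runs that sinkhole
    contact: str   # where to coordinate before taking action


def normalize(domain: str) -> str:
    """Canonicalise a name so different spellings compare equal:
    trim whitespace, lowercase, drop a trailing dot, and convert any
    non-ASCII labels to their IDNA (punycode) form."""
    d = domain.strip().lower().rstrip(".")
    try:
        d = d.encode("idna").decode("ascii")
    except UnicodeError:
        pass  # leave an unencodable label as-is rather than fail the whole run
    return d


def build_registry(entries):
    """Index registry entries by normalised zone."""
    return {normalize(e.zone): e for e in entries}


def lookup(domain: str, registry):
    """Return the entry covering `domain`: an exact zone match or any
    parent zone, on the assumption that a sinkholed zone covers its
    subdomains. Returns None when nothing in the registry applies."""
    labels = normalize(domain).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in registry:
            return registry[candidate]
    return None


def triage(seizure_list, registry):
    """Partition a proposed seizure list into names that are safe to seize
    and names already sinkholed, grouped by the operator to contact.
    Duplicates (after normalisation) are counted once."""
    to_seize, already_sinkholed, seen = [], {}, set()
    for raw in seizure_list:
        d = normalize(raw)
        if d in seen:
            continue
        seen.add(d)
        entry = lookup(d, registry)
        if entry is None:
            to_seize.append(d)
        else:
            already_sinkholed.setdefault(entry.operator, []).append(d)
    return to_seize, already_sinkholed


def report(seizure_list, registry):
    """Human-readable summary of the triage, as a list of lines."""
    to_seize, already = triage(seizure_list, registry)
    lines = [f"{len(to_seize)} domain(s) clear to seize"]
    for operator, names in already.items():
        contact = next(e.contact for e in registry.values() if e.operator == operator)
        lines.append(f"{len(names)} domain(s) already sinkholed by {operator}; "
                     f"coordinate via {contact}: {', '.join(names)}")
    return lines


# Constructed sample data: a two-entry registry and a five-name seizure list
# containing a case/trailing-dot variant, a subdomain, and a duplicate.
REGISTRY = build_registry([
    SinkholeEntry("sinkhole-a.example", "Researcher A", "abuse@sinkhole-a.example"),
    SinkholeEntry("citadel-c2-old.example", "Researcher B", "sinkhole@researcher-b.example"),
])

CANDIDATES = [
    "Citadel-C2-Old.example.",     # same as a registered zone, different spelling
    "panel.sinkhole-a.example",    # subdomain of a registered zone
    "fresh-c2.example",
    "fresh-c2.example",            # duplicate
    "another-live-c2.example",
]

if __name__ == "__main__":
    for line in report(CANDIDATES, REGISTRY):
        print(line)
```

Run as a script it prints two names clear to seize and two routed to their respective operators; in practice the registry would be fetched from the (non-public) source and the seizure list would be the court filing's exhibit, but the check itself is the same set comparison.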

Microsoft is sending out valid Citadel configuration files to the connecting bots. This configuration file causes the block on accessing anti-virus vendors' websites to be removed from infected machines, as well as getting the fall-back (backup) C&C domains to be overwritten by servers operated by Microsoft (microsoftinternetsafety.net).

Although well-intentioned, sending out valid configuration files changes the settings of a computer without the consent or knowledge of its user, a potentially illegal move in many jurisdictions, according to the unimpressed security researcher at abuse.ch, who warns that crooks are inevitably going to attempt to seize back control of the botnet.

Other security researchers backed up the criticisms.

The Citadel malware targeted via the takedown had been used to build more than 1,400 botnets affecting more than five million people in 90 countries, according to figures from email security firm Agari, which worked with Microsoft and others on the operation.

Once infected, the victim’s keystrokes were monitored and recorded, allowing crooks to siphon off banking login credentials and other personal information for subsequent fraud. As part of the FBI operation, communication has been cut off between 1,462 Citadel botnets and the millions of infected computers under their control.

Unplugging botnet command and control servers renders a zombie network inert, but does nothing to clean up infected hosts, which remain contaminated with malware. Microsoft plans to use intelligence gained in Operation b54 to work with ISPs and Computer Emergency Response Teams (CERTs) around the world to quickly and efficiently clean as many computers as possible. ®

Bootnote

Abuse.ch was set up by Swiss security researcher Roman Hüssy, and played a key role in setting up sites to track malicious activity associated with the ZeuS and SpyEye families of banking Trojans. The Shadowserver Foundation is a collaborative net security effort that tracks and reports on malware, botnet activity and cybercrime. The volunteer-staffed foundation takes data supplied by abuse.ch and many others.
