
Microsoft borks botnet takedown in Citadel snafu

Stupid Redmond kicked over our honeypots, wail white hats


Security researchers are complaining about collateral damage from the latest botnet take-down efforts by Microsoft and its partners.

The Windows 8 giant worked with financial service organisations, other technology firms and the Federal Bureau of Investigation to disrupt more than a thousand botnets.

The botnets in question were using Citadel malware to run cybercrime scams blamed for more than $500m in fraud. The action, authorised by a federal court ruling and carried out last week, involved raids at server-hosting facilities in the US to seize evidence related to the malware.

The takedown – codenamed Operation b54 – is the latest in an ongoing campaign against various zombie networks spearheaded by Microsoft.

In a blog post, Microsoft described its seventh zombie network takedown as its "most aggressive botnet operation to date".

However, this time round Redmond appears to have stepped on the toes of security researchers, killing off honeypot systems monitoring the activities of cybercrooks as well as decapitating systems linked to ongoing fraud.

Microsoft seized more than 4,000 domain names and pointed them at a server operated by Microsoft, a technique known as "sinkholing". The technique isn't new: it has previously been applied in attempts to seize control of the infamous Conficker botnet, for example.

Redmond and its partners allegedly erred by seizing more than 300 Citadel domains that were sinkholed by abuse.ch (home of the Swiss Security Blog), as well as many hundreds of similar domains controlled by other security researchers, critics complain.

"Microsoft seized not only malicious domain names operated by cybercriminals to control computers infected with Citadel, but also Citadel botnet domain names that had already been sinkholed by abuse.ch a while ago," a researcher at abuse.ch complains.

Security bods suffer deja-vu

Something similar happened with a ZeuS takedown operation by Microsoft last year, when thousands of ZeuS botnet domains were seized, including several hundred domain names that were already sinkholed by abuse.ch. Previously Redmond had the reasonable excuse that there was no easy way to distinguish between domains run by crooks and domains run by security researchers.

However, the latest action comes after abuse.ch set up a (non-public) Sinkhole Registry for law enforcement and security organisations to avoid similar mixups.

"I had hoped that Microsoft had learned their lesson, but apparently nothing has changed and my efforts didn’t change anything," the unnamed researcher at abuse.ch laments.

"Since Citadel domain names previously sinkholed by abuse.ch have been grabbed by Microsoft, Shadowserver will not be able to report the IP addresses of infected clients calling home to these domains to the network owners any more," he added.

The issue is not limited to abuse.ch, as several other sinkhole operators have also been hit: "Calculating the numbers together, I can say that nearly 1,000 domain names out of the 4,000 domain names seized by Microsoft had already been sinkholed by security researchers. In fact these 1k domain names no longer presented a threat to internet users, but were actually used to help to make the internet a better place."
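The two process failures described above, a seizure list that was not cross-checked against a registry of domains other researchers had already sinkholed, and the resulting loss of Shadowserver's per-network reports of infected clients, can both be reduced to short pieces of code. The following is an added example, not code from Microsoft, abuse.ch or Shadowserver: the registry format, the domains, the network prefixes and the sinkhole log lines are all constructed for the example, and the real abuse.ch Sinkhole Registry (which is non-public) is not assumed to look like this.

```python
"""Added example: a pre-seizure collision check against a sinkhole
registry, and aggregation of sinkhole check-ins by network owner.
All data below is constructed; the registry format is an assumption."""
import ipaddress
from collections import defaultdict

# Constructed registry: domain -> operator already sinkholing it.
SINKHOLE_REGISTRY = {
    "cit-panel-01.example": "abuse.ch",
    "cit-panel-02.example": "abuse.ch",
    "backup-cc.example": "other-researcher",
}

# Constructed prefix -> network owner table (a real sinkhole would
# derive this from routing and WHOIS data).
NETWORK_OWNERS = {
    ipaddress.ip_network("198.51.100.0/24"): "isp-a",
    ipaddress.ip_network("203.0.113.0/24"): "isp-b",
}

# Constructed sinkhole log: timestamp, client IP, Host header requested.
SAMPLE_LOG = """\
2013-06-07T10:01:02Z 198.51.100.23 cit-panel-01.example
2013-06-07T10:01:05Z 198.51.100.23 cit-panel-01.example
2013-06-07T10:02:11Z 203.0.113.77 cit-panel-02.example
2013-06-07T10:03:40Z 192.0.2.9 cit-panel-01.example
malformed line
"""


def normalise_domain(d):
    """Lower-case and strip the trailing dot so registry lookups match."""
    return d.strip().rstrip(".").lower()


def partition_seizure_list(domains, registry):
    """Split a proposed seizure list into domains still in criminal hands
    (safe to sinkhole) and domains already sinkholed, grouped by the
    operator who should be coordinated with instead of overridden."""
    to_seize = []
    already = defaultdict(list)
    seen = set()
    for raw in domains:
        d = normalise_domain(raw)
        if d in seen:
            continue  # duplicates in the court filing should not double-count
        seen.add(d)
        operator = registry.get(d)
        if operator is None:
            to_seize.append(d)
        else:
            already[operator].append(d)
    return to_seize, dict(already)


def owner_of(ip, owners):
    """Longest-prefix match of a client address against the owner table."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, owner in owners.items():
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, owner)
    return best[1] if best else "unknown"


def summarise_checkins(log_text, owners):
    """Return {owner: {client_ip: [domains]}} so each network owner can be
    sent one report listing its infected hosts and what they called home to.
    Malformed lines and unparsable addresses are skipped, not fatal."""
    report = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        _ts, ip, host = parts
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue
        report[owner_of(ip, owners)][ip].add(normalise_domain(host))
    return {o: {ip: sorted(ds) for ip, ds in m.items()} for o, m in report.items()}


if __name__ == "__main__":
    proposed = ["cit-panel-01.example", "NEW-CC.example.", "backup-cc.example"]
    seize, collisions = partition_seizure_list(proposed, SINKHOLE_REGISTRY)
    print("safe to seize:", seize)
    print("already sinkholed (coordinate, do not seize):", collisions)
    for owner, hosts in summarise_checkins(SAMPLE_LOG, NETWORK_OWNERS).items():
        print(owner, hosts)
```

The collision check is deliberately a plain dictionary lookup: the point of a registry is that the hard part (knowing who runs which sinkhole) is done once, in advance, rather than being guessed from DNS at seizure time. The report aggregator keys on the client IP rather than on raw log lines, so one noisy bot that beacons every few seconds still appears once in the owner's report.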

Microsoft is also sending valid Citadel configuration files to bots that connect to its sinkhole. That configuration removes the malware's block on access to anti-virus vendors' websites from infected machines, and overwrites the fall-back (backup) C&C domains with servers operated by Microsoft (microsoftinternetsafety.net).

Although well-intentioned, sending out valid configuration files changes the settings of a computer without the consent or knowledge of its user, a potentially illegal move in many jurisdictions, according to the unimpressed security researcher at abuse.ch, who warns that crooks are inevitably going to try to seize back control of the botnet.

Other security researchers backed up the criticisms.

The Citadel malware targeted by the takedown had been used to build more than 1,400 botnets affecting more than five million people in 90 countries, according to figures from email security firm Agari, which worked with Microsoft and others on the operation.

Once a machine was infected, the victim's keystrokes were monitored and recorded, allowing crooks to siphon off banking login credentials and other personal information for subsequent fraud. As part of the FBI operation, communication has been cut off between 1,462 Citadel botnets and the millions of infected computers under their control.

Unplugging botnet command and control servers renders a zombie network inert, but does nothing to clean up infected hosts, which remain contaminated with malware. Microsoft plans to use intelligence gained in Operation b54 to work with ISPs and Computer Emergency Response Teams (CERTs) around the world to clean as many computers as possible, as quickly and efficiently as it can.

Bootnote

Abuse.ch was set up by Swiss security researcher Roman Hüssy, and played a key role in setting up sites that track malicious activity associated with the ZeuS and SpyEye families of banking Trojans. The Shadowserver Foundation is a collaborative net security effort that tracks and reports on malware, botnet activity and cybercrime. The volunteer-staffed foundation takes data supplied by abuse.ch and many others.
