Microsoft borks botnet takedown in Citadel snafu

Stupid Redmond kicked over our honeypots, wail white hats

Security researchers are complaining about collateral damage from the latest botnet take-down efforts by Microsoft and its partners.

The Windows 8 giant worked with financial service organisations, other technology firms and the Federal Bureau of Investigation to disrupt more than a thousand botnets.

The botnets in question were using Citadel malware to run cybercrime scams blamed for more than $500m in fraud. The action, authorised by a federal court ruling and carried out last week, involved raids at server-hosting facilities in the US to seize evidence related to the malware.

The takedown – codenamed Operation b54 – is the latest in an ongoing campaign against various zombie networks spearheaded by Microsoft.

In a blog post, Microsoft described its seventh zombie network takedown as its "most aggressive botnet operation to date".

However, this time round Redmond appears to have stepped on the toes of security researchers, killing off honeypot systems monitoring the activities of cybercrooks as well as decapitating systems linked to ongoing fraud.

Microsoft seized more than 4,000 domain names and pointed them to a server operated by Microsoft, a technique known as "sinkholing". The technique isn't new and has previously been applied in attempts to seize control of the infamous Conficker botnet, for example.

Redmond and its partners allegedly erred by seizing more than 300 Citadel domains that were sinkholed by abuse.ch (home of the Swiss Security Blog), as well as many hundreds of similar domains controlled by other security researchers, critics complain.

"Microsoft seized not only malicious domain names operated by cybercriminals to control computers infected with Citadel, but also Citadel botnet domain names that had already been sinkholed by abuse.ch a while ago," a researcher at abuse.ch complains.

Security bods suffer deja-vu

Something similar happened with a ZeuS takedown operation by Microsoft last year, when thousands of ZeuS botnet domains were seized, including several hundred domain names that were already sinkholed by abuse.ch. Previously Redmond had the reasonable excuse that there was no easy way to distinguish between domains run by crooks and domains run by security researchers.

However, the latest action comes after abuse.ch set up a (non-public) Sinkhole Registry for law enforcement and security organisations to avoid similar mixups.
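The mixup the article describes is a deconfliction failure: a seizure list was not checked against a registry of domains researchers already sinkhole. The following added example (not code from abuse.ch, Microsoft or the article) shows that check with a constructed registry, matching a seized name against both exact entries and parent domains so that subdomains of a registered sinkhole are also skipped:

```python
"""Deconflict a proposed domain seizure list against a sinkhole registry.

Added illustration of the mixup described in the article. The registry
format, operator names and sample domains are constructed and are not
abuse.ch's, Shadowserver's or Microsoft's actual data.
"""
from collections import defaultdict

# Constructed registry: already-sinkholed domain -> operator running it.
SINKHOLE_REGISTRY = {
    "example-c2.test": "researcher-a",
    "citadel-backup.test": "researcher-b",
}


def normalize(domain):
    """Lower-case, strip whitespace and a trailing dot so lookups match."""
    return domain.strip().lower().rstrip(".")


def registry_owner(domain, registry):
    """Return the operator if the domain or any parent of it is registered."""
    labels = normalize(domain).split(".")
    for i in range(len(labels) - 1):  # never match the bare TLD
        candidate = ".".join(labels[i:])
        if candidate in registry:
            return registry[candidate]
    return None


def deconflict(seizure_list, registry=SINKHOLE_REGISTRY):
    """Split a seizure list into domains safe to seize and ones to skip.

    Returns (to_seize, to_skip); to_skip maps operator -> domains so the
    takedown team knows whom to contact instead of grabbing their sinkhole.
    """
    to_seize, to_skip, seen = [], defaultdict(list), set()
    for raw in seizure_list:
        dom = normalize(raw)
        if not dom or dom in seen:  # drop blanks and duplicates
            continue
        seen.add(dom)
        owner = registry_owner(dom, registry)
        if owner:
            to_skip[owner].append(dom)
        else:
            to_seize.append(dom)
    return to_seize, dict(to_skip)


if __name__ == "__main__":
    print(deconflict(["C2-Live.test.", "cfg.example-c2.test",
                      "citadel-backup.test", "c2-live.test"]))
```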

"I had hoped that Microsoft had learned their lesson, but apparently nothing has changed and my efforts didn’t change anything," the unnamed researcher at abuse.ch laments.

"Since Citadel domain names previously sinkholed by abuse.ch have been grabbed by Microsoft, Shadowserver will not be able to report the IP addresses of infected clients calling home to these domains to the network owners any more," he added.

The issue is not limited to abuse.ch, as several other sinkhole operators have also been hit: "Calculating the numbers together, I can say that nearly 1,000 domain names out of the 4,000 domain names seized by Microsoft had already been sinkholed by security researchers. In fact these 1k domain names did no longer present a threat to internet users [sic], but were actually used to help to make the internet a better place.”

Microsoft is sending out valid Citadel configuration files to the connecting bots. This configuration file causes the block on accessing anti-virus vendors' websites to be removed from infected machines, as well as getting the fall-back (backup) C&C domains to be overwritten by servers operated by Microsoft (microsoftinternetsafety.net).

Although well-intentioned, sending out valid configuration files changes the settings of a computer without the consent or knowledge of the user, a potentially illegal move in many jurisdictions, according to the unimpressed security researcher at abuse.ch, who warns that crooks are inevitably going to try to seize back control of the botnet.

Other security researchers backed up the criticisms.

The Citadel malware targeted via the takedown had been used to build more than 1,400 botnets affecting more than five million people in 90 countries, according to figures from email security firm Agari, which worked with Microsoft and others on the operation.

Once infected, the victim’s keystrokes were monitored and recorded, allowing crooks to siphon off banking login credentials and other personal information for subsequent fraud. As part of the FBI operation, communication has been cut off between 1,462 Citadel botnets and the millions of infected computers under their control.

Unplugging botnet command and control servers renders a zombie network inert, but does nothing to clean up infected hosts, which remain contaminated with malware. Microsoft plans to use intelligence gained in Operation b54 to work with ISPs and Computer Emergency Response Teams (CERTs) around the world to quickly and efficiently clean as many computers as possible. ®

Bootnote

Abuse.ch was set up by Swiss security researcher Roman Hüssy, and played a key role in setting up sites to track malicious activity associated with the ZeuS and SpyEye families of banking Trojans. The Shadowserver Foundation is a collaborative net security effort that tracks and reports on malware, botnet activity and cybercrime. The volunteer-staffed foundation takes data supplied by abuse.ch and many others.
