Microsoft botnet smackdown 'caused collateral damage, failed to kill target'

Zombies just won't stay underground

Microsoft is attracting fresh criticism for its handling of the Citadel botnet takedown, with some security researchers pointing to signs that the zombie network is already rising from the grave again.

Redmond worked with financial service organisations, other technology firms and the Federal Bureau of Investigation to disrupt more than 1,400 botnets linked to $500m in fraud as part of a takedown action, codenamed Operation b54. In a blog post, Microsoft described its seventh zombie network takedown as its "most aggressive botnet operation to date".

However, security researchers such as Roman Hüssy of Abuse.ch criticised the action for killing off honeypot systems monitoring the activities of cybercrooks as well as seizing internet nodes linked to ongoing fraud.

Microsoft seized more than 4,000 domain names and pointed them towards a server operated by Redmond as part of the sinkholing exercise. But these domains included more than 300 Citadel domains that had already been sinkholed by abuse.ch, as well as many hundreds of similar domains controlled by other security researchers.

It's being suggested that the move trashed the work of security researchers and hampered attempts by groups such as the Shadowserver Foundation to track the activity of malware networks, for example by reporting the IP addresses of zombies that phone home to command-and-control nodes under the control of security researchers.

Redmond previously hijacked domains associated with the ZeuS banking Trojan, causing similar problems with the honeypots of security researchers. Abuse.ch set up a (non-public) sinkhole registry for law enforcement and other security organisations in the wake of the ZeuS mix-up, but Microsoft disregarded this list in its takedown operation.

Security researchers already irked by Microsoft's high-handed attitude have since become even more irritated after Redmond pushed fresh configuration files to Citadel-infected PCs, which were left adrift but still infected after the botnet takedown operation. These fresh configuration files meant that surfers visiting Facebook.com from infected PCs were redirected to a warning page from Microsoft instead of reaching the social network.

Although well-intentioned, sending out valid configuration files to change the settings of a computer without the consent or knowledge of its user may be illegal in some jurisdictions.

"Microsoft started to push out Citadel configs that redirect http://facebook.com and localhost to Microsoft's Sinkhole," said Hüssy in an update to the Abuse.ch Twitter account.

Other researchers who ran Citadel honeypots prior to the takedown also raised questions about Microsoft's handling of the operation.

"Microsoft took over Citadel domains running such botnets and ships updates to the bots even out of US jurisdiction," Claudio Guarnieri, a security researcher at Rapid7 and Shadowserver member, said in a Twitter update.

The Citadel malware targeted via the takedown had been used to build more than 1,400 botnets affecting more than five million people in 90 countries. Infected machines were booby-trapped by keylogging software that captured and uploaded bank account login credentials entered into compromised PCs.

El Reg invited Microsoft to comment on criticism of its takedown operation by security researchers such as Hüssy. Redmond responded with a statement, attributed to Richard Boscovich, assistant general counsel of Microsoft's Digital Crimes Unit. Microsoft says it worked with white hat security researchers on the takedown, and argues that the operation was full of win for the good guys:

The security research community is doing important work on monitoring the Citadel botnet and other malware variants in the wild. Many researchers agree that the goal of research should not just be in the observation itself, but in application to help protect the public from the threat cybercrime poses.

The researchers who provided information for use in this operation did so because of their commitment to the application of research to help people on the internet, and their willingness to share this information is a testament to their dedication. Microsoft and its partners continue to capture valuable information and evidence as a result of this operation, and we remain committed to working with the community to provide intelligence uncovered in our investigations so that the whole industry can better respond collectively to these threats.

Microsoft and the FBI worked with law enforcement, Computer Emergency Response Teams (CERTs) and others around the world in the execution of this disruption operation in order to help protect victims from the ongoing harm they were facing from Citadel on a daily basis.

As stated from the outset, the goal of this operation was to protect the public by strategically disrupting Citadel’s operation, helping quickly release victims from the threat and making it riskier and more costly for the cybercriminals to continue doing business.

As we have done in prior botnet operations, Microsoft is now able to use the intelligence gained from this operation to partner with ISPs and CERTs around the world to help rescue people’s computers from the control of Citadel, helping to reduce the size of the ongoing threat that these botnets pose and make the Internet safer for consumers and businesses worldwide.

In addition, just as we have done in prior operations like Rustock and Zeus, we also use the evidence gathered in civil actions whenever possible to refer cases to law enforcement for criminal prosecution.

Microsoft’s commitment to trustworthy partnership with the research and enforcement community to help protect the public from cyber threats remains unchanged.

We will continue to partner closely in disruptive action with the security community globally to help protect our customers and increase the risk and costs for cybercrime to both deter crime and put cybercriminals out of business.

Net security firm Sophos takes a closer look at the impact of the takedown in a blog post. Sophos found that only half (51 per cent) of the 72 Citadel command-and-control servers it was tracking appeared on Microsoft's list. Worse still, one in five (20 per cent) of the Citadel domains on Microsoft's list failed to point towards a sinkhole.

"This implies either that the sinkholing was unsuccessful or that the domains have already been re-appropriated by the Citadel botnet owners," writes James Wyke, a senior threat researcher at SophosLabs UK. Wyke goes on to repeat Hüssy's criticism that "Microsoft has caused the same sort of collateral damage as in its last Zeus botnet takedown".

"As well as sinkholing the Zeus malware servers, Microsoft also knocked out many servers that belonged to security researchers and provided a valuable service to the public by notifying system administrators that they had infected computers on their network," he said.

He confirmed that Microsoft has configured its sinkhole servers to push a new configuration file to infected computers, expressing the same sort of doubts regarding this move as other security researchers.

"Other sinkhole operations have stopped short of pushing out new configurations to infected bots, probably for legal reasons. Clearly, Microsoft has been more aggressive; let's hope there are no complications as a result," Wyke notes, adding in conclusion that early signs suggest that Microsoft has failed to land a knock-out blow on the Citadel banking fraud zombie network it targeted through the controversial takedown op.

"It looks as though many of the botnets weren't knocked out, and rebuilding those that were taken down will not take long," he said. ®