Microsoft botnet smackdown 'caused collateral damage, failed to kill target'
Zombies just won't stay underground
Microsoft is attracting fresh criticism for its handling of the Citadel botnet takedown, with some security researchers pointing to signs that the zombie network is already rising from the grave again.
Redmond worked with financial service organisations, other technology firms and the Federal Bureau of Investigation to disrupt more than 1,400 botnets linked to $500m in fraud as part of a takedown action, codenamed Operation b54. In a blog post, Microsoft described its seventh zombie network takedown as its "most aggressive botnet operation to date".
However, security researchers such as Roman Hüssy of Abuse.ch criticised the action for killing off honeypot systems monitoring the activities of cybercrooks as well as seizing internet nodes linked to ongoing fraud.
Microsoft seized more than 4,000 domain names and pointed them towards a server operated Redmond as part of the sinkholing exercise. But these domains included more than 300 Citadel domains that were sinkholed by abuse.ch as well as many hundreds of similar domains controlled by other security researchers.
It's being suggested that the move thrashed the work of security researchers as well as hampering attempts by groups such as the Shadowserver Foundation to track the activity of malware networks, such as reporting on the IP address of zombies that phone home to command and control nodes under the control of security researchers.
Redmond previously hijacked domains associated with the ZeuS banking Trojan, causing similar problems with the honeypots of security researchers. Abuse.ch set up a (non-public) sinkhole registry for law enforcement and other security organisation in the wake of the ZeuS mixup but Microsoft disregarded this list in its takedown operation.
Security researchers already irked by Microsoft's high-handed attitude have since become even more irritated after Redmond pushed fresh configuration files to infected Citadel-infected PCs, which were left adrift but still infected by the botnet takedown operation. These fresh configuration files meant that surfers visiting Facebook.com from infected PCs were directed to a warning page from Microsoft instead of hitting the social network.
Although well-intentioned, sending out valid configuration files to change the settings of a computer without the consent or knowledge of its user may be illegal in some jurisdictions.
"Microsoft started to push out Citadel configs that redirect http://facebook.com and localhost to Microsoft's Sinkhole," said Hüssy in an update to the Abuse.ch Twitter account.
Other researchers who ran Citadel honeypots prior to the takedown also raised questions about Microsoft's handling of the operation.
"Microsoft took over Citadel domains running such botnets and ships updates to the bots even out of US jurisdiction," Claudio Guarnieri, a security researcher at Rapid7 and Shadowserver member, said in a Twitter update.
The Citadel malware targeted via the takedown had been used to build more than 1,400 botnets affecting more than five million people in 90 countries. Infected machines were booby-trapped by keylogging software that captured and uploaded bank account login credentials entered into compromised PCs.
El Reg invited Microsoft to comment on criticism of its takedown operation by security researchers such as Hüssy. Redmond responded with a statement, attributed to Richard Boscovich, assistant general counsel of Microsoft's Digital Crimes Unit. Microsoft says it worked with white hat security researchers on the takedown, and argues that the operation was full of win for the good guys:
The security research community is doing important work on monitoring the Citadel botnet and other malware variants in the wild. Many researchers agree that the goal of research should not just be in the observation itself, but in application to help protect the public from the threat cybercrime poses.
The researchers who provided information for use in this operation did so because of their commitment to the application of research to help people on the internet, and their willingness to share this information is a testament to their dedication. Microsoft and its partners continue to capture valuable information and evidence as a result of this operation, and we remain committed to working with the community to provide intelligence uncovered in our investigations so that the whole industry can better respond collectively to these threats.
Microsoft and the FBI worked with law enforcement, Computer Emergency Response Teams (CERTs) and others around the world in the execution of this disruption operation in order to help protect victims from the ongoing harm they were facing from Citadel on a daily basis.
As stated from the outset, the goal of this operation was to protect the public by strategically disrupting Citadel’s operation, helping quickly release victims from the threat and making it riskier and more costly for the cybercriminals to continue doing business.
As we have done in prior botnet operations, Microsoft is now able to use the intelligence gained from this operation to partner with ISPs and CERTs around the world to help rescue people’s computers from the control of Citadel, helping to reduce the size of the ongoing threat that these botnets pose and make the Internet safer for consumers and businesses worldwide.
In addition, just as we have done in prior operations like Rustock and Zeus, we also use the evidence gathered in civil actions whenever possible to refer cases to law enforcement for criminal prosecution.
Microsoft’s commitment to trustworthy partnership with the research and enforcement community to help protect the public from cyber threats remains unchanged.
We will continue to partner closely in disruptive action with the security community globally to help protect our customers and increase the risk and costs for cybercrime to both deter crime and put cybercriminals out of business.
Net security firm Sophos takes a closer look at the impact of the takedown in a blog post here. Sophos found that only half (51 per cent) of the 72 Citadel command and control servers it was tracking appeared on Microsoft's list. And, worse still, one of five (20 per cent) of the Citadel domains on Microsoft's list failed to point towards a sinkhole.
"This implies either that the sinkholing was unsuccessful or that the domains have already been re-appropriated by the Citadel botnet owners," writes James Wyke, a Senior threat researcher at SophosLabs UK. Wykes goes on the repeat Hüssy's criticism that "Microsoft has caused the same sort of collateral damage as in its last Zeus botnet takedown".
"As well as sinkholing the Zeus malware servers, Microsoft also knocked out many servers that belonged to security researchers and provided a valuable service to the public by notifying system administrators that they had infected computers on their network," he said.
He confirmed that Microsoft has configured its sinkhole servers to push a new configuration file to infected computers, expressing the same sort of doubts regarding this move as other security researchers.
"Other sinkhole operations have stopped short of pushing out new configurations to infected bots, probably for legal reasons. Clearly, Microsoft has been more aggressive; let's hope there are no complications as a result," Wyke notes, adding in conclusion that early signs suggest that Microsoft has failed to land a knock-out blow on the Citadel banking fraud zombie network it targeted through the controversial takedown op.
"It looks as though many of the botnets weren't knocked out, and rebuilding those that were taken down will not take long," he said. ®
Sponsored: The Nuts and Bolts of Ransomware in 2016