Microsoft botnet smackdown 'caused collateral damage, failed to kill target'

Zombies just won't stay underground


Microsoft is attracting fresh criticism for its handling of the Citadel botnet takedown, with some security researchers pointing to signs that the zombie network is already rising from the grave again.

Redmond worked with financial service organisations, other technology firms and the Federal Bureau of Investigation to disrupt more than 1,400 botnets linked to $500m in fraud as part of a takedown action, codenamed Operation b54. In a blog post, Microsoft described its seventh zombie network takedown as its "most aggressive botnet operation to date".

However, security researchers such as Roman Hüssy of Abuse.ch criticised the action for killing off honeypot systems monitoring the activities of cybercrooks as well as seizing internet nodes linked to ongoing fraud.

Microsoft seized more than 4,000 domain names and pointed them towards a server operated by Redmond as part of the sinkholing exercise. But these domains included more than 300 Citadel domains that were already sinkholed by abuse.ch, as well as many hundreds of similar domains controlled by other security researchers.

It's being suggested that the move thrashed the work of security researchers as well as hampering attempts by groups such as the Shadowserver Foundation to track the activity of malware networks, such as reporting on the IP address of zombies that phone home to command and control nodes under the control of security researchers.

Redmond previously hijacked domains associated with the ZeuS banking Trojan, causing similar problems with the honeypots of security researchers. Abuse.ch set up a (non-public) sinkhole registry for law enforcement and other security organisations in the wake of the ZeuS mix-up, but Microsoft disregarded this list in its takedown operation.

Security researchers already irked by Microsoft's high-handed attitude have since become even more irritated after Redmond pushed fresh configuration files to Citadel-infected PCs, which were left adrift but still infected by the botnet takedown operation. These fresh configuration files meant that surfers visiting Facebook.com from infected PCs were directed to a warning page from Microsoft instead of hitting the social network.

Although well-intentioned, sending out valid configuration files to change the settings of a computer without the consent or knowledge of its user may be illegal in some jurisdictions.

"Microsoft started to push out Citadel configs that redirect http://facebook.com and localhost to Microsoft's Sinkhole," said Hüssy in an update to the Abuse.ch Twitter account.

Other researchers who ran Citadel honeypots prior to the takedown also raised questions about Microsoft's handling of the operation.

"Microsoft took over Citadel domains running such botnets and ships updates to the bots even out of US jurisdiction," Claudio Guarnieri, a security researcher at Rapid7 and Shadowserver member, said in a Twitter update.

The Citadel malware targeted via the takedown had been used to build more than 1,400 botnets affecting more than five million people in 90 countries. Infected machines were booby-trapped by keylogging software that captured and uploaded bank account login credentials entered into compromised PCs.

El Reg invited Microsoft to comment on criticism of its takedown operation by security researchers such as Hüssy. Redmond responded with a statement, attributed to Richard Boscovich, assistant general counsel of Microsoft's Digital Crimes Unit. Microsoft says it worked with white hat security researchers on the takedown, and argues that the operation was full of win for the good guys:

The security research community is doing important work on monitoring the Citadel botnet and other malware variants in the wild. Many researchers agree that the goal of research should not just be in the observation itself, but in application to help protect the public from the threat cybercrime poses.

The researchers who provided information for use in this operation did so because of their commitment to the application of research to help people on the internet, and their willingness to share this information is a testament to their dedication. Microsoft and its partners continue to capture valuable information and evidence as a result of this operation, and we remain committed to working with the community to provide intelligence uncovered in our investigations so that the whole industry can better respond collectively to these threats.

Microsoft and the FBI worked with law enforcement, Computer Emergency Response Teams (CERTs) and others around the world in the execution of this disruption operation in order to help protect victims from the ongoing harm they were facing from Citadel on a daily basis.

As stated from the outset, the goal of this operation was to protect the public by strategically disrupting Citadel’s operation, helping quickly release victims from the threat and making it riskier and more costly for the cybercriminals to continue doing business.

As we have done in prior botnet operations, Microsoft is now able to use the intelligence gained from this operation to partner with ISPs and CERTs around the world to help rescue people’s computers from the control of Citadel, helping to reduce the size of the ongoing threat that these botnets pose and make the Internet safer for consumers and businesses worldwide.

In addition, just as we have done in prior operations like Rustock and Zeus, we also use the evidence gathered in civil actions whenever possible to refer cases to law enforcement for criminal prosecution.

Microsoft’s commitment to trustworthy partnership with the research and enforcement community to help protect the public from cyber threats remains unchanged.

We will continue to partner closely in disruptive action with the security community globally to help protect our customers and increase the risk and costs for cybercrime to both deter crime and put cybercriminals out of business.

Net security firm Sophos takes a closer look at the impact of the takedown in a blog post here. Sophos found that only half (51 per cent) of the 72 Citadel command and control servers it was tracking appeared on Microsoft's list. And, worse still, one of five (20 per cent) of the Citadel domains on Microsoft's list failed to point towards a sinkhole.
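Two checks run through the piece: the abuse.ch complaint that the seizure list swept up domains already pointed at researcher sinkholes, and the Sophos audit of how many of its tracked C2 domains were on Microsoft's list and whether the listed domains actually resolved to a sinkhole. The script below, an added example rather than anything from Microsoft, abuse.ch or Sophos, shows how a defender can run both checks over a domain list: every domain, address and the two sinkhole address sets are constructed placeholders, and the live resolver is swapped for a canned lookup so the script runs offline.

```python
"""Audit a botnet takedown domain list for sinkhole coverage and collateral damage.

Added example; all names, addresses and lists are constructed placeholders.
"""
import socket
from collections import Counter
from typing import Callable, Dict, Iterable, Optional, Set

# Constructed: the takedown operator's own sinkhole address(es).
TAKEDOWN_SINKHOLE: Set[str] = {"198.51.100.10"}

# Constructed: a registry of researcher-operated sinkholes (the kind of list
# abuse.ch kept for law enforcement). Seizing anything pointed here is collateral damage.
RESEARCH_SINKHOLES: Set[str] = {"203.0.113.5", "203.0.113.6"}

# Constructed: canned DNS answers standing in for live resolution.
SAMPLE_ANSWERS: Dict[str, Optional[str]] = {
    "c2-a.example": "198.51.100.10",  # resolves to the takedown sinkhole
    "c2-b.example": "203.0.113.5",    # already a researcher's honeypot
    "c2-c.example": None,             # does not resolve at all
    "c2-d.example": "192.0.2.77",     # resolves elsewhere: never sinkholed, or reclaimed
}


def resolve_live(domain: str) -> Optional[str]:
    """Real A-record lookup; returns None when the name does not resolve."""
    try:
        return socket.gethostbyname(domain)
    except socket.gaierror:
        return None


def classify(address: Optional[str], takedown: Set[str], research: Set[str]) -> str:
    """Label one resolved address by where it points."""
    if address is None:
        return "unresolved"
    if address in research:
        return "research_sinkhole"   # exclude before seizure: it is a honeypot
    if address in takedown:
        return "sinkholed"
    return "elsewhere"               # unsinkholed or already re-appropriated


def audit(domains: Iterable[str], takedown: Set[str], research: Set[str],
          resolver: Callable[[str], Optional[str]] = resolve_live) -> Dict[str, str]:
    """Classify every domain on the list using the given resolver."""
    return {d: classify(resolver(d), takedown, research) for d in domains}


def summarize(results: Dict[str, str]) -> Dict[str, object]:
    """Per-label counts plus the share of domains that did not land on a sinkhole."""
    counts = Counter(results.values())
    total = len(results)
    not_sinkholed = counts["unresolved"] + counts["elsewhere"]
    pct = round(100.0 * not_sinkholed / total, 1) if total else 0.0
    return {"total": total, "counts": dict(counts), "pct_not_sinkholed": pct}


def coverage(tracked_c2: Set[str], takedown_list: Set[str]) -> Dict[str, object]:
    """How much of an independently tracked C2 set the takedown list covers."""
    hit = tracked_c2 & takedown_list
    pct = round(100.0 * len(hit) / len(tracked_c2), 1) if tracked_c2 else 0.0
    return {"pct_covered": pct, "missing": sorted(tracked_c2 - takedown_list)}


if __name__ == "__main__":
    # Offline run over the constructed answers; swap resolver=resolve_live for real DNS.
    results = audit(SAMPLE_ANSWERS, TAKEDOWN_SINKHOLE, RESEARCH_SINKHOLES,
                    resolver=SAMPLE_ANSWERS.get)
    for domain, label in results.items():
        print(f"{domain:<16} {label}")
    print(summarize(results))
    # Constructed: a tracker's own C2 list, two of which the takedown list lacks.
    tracked = {"c2-a.example", "c2-b.example", "c2-x.example", "c2-y.example"}
    print(coverage(tracked, set(SAMPLE_ANSWERS)))
```

Running the classification before a seizure, against a registry like the one abuse.ch maintained, is what would have flagged the researcher domains; running it after, with real DNS, is the Sophos-style check for domains that never reached the sinkhole or have already been reclaimed.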

"This implies either that the sinkholing was unsuccessful or that the domains have already been re-appropriated by the Citadel botnet owners," writes James Wyke, a senior threat researcher at SophosLabs UK. Wyke goes on to repeat Hüssy's criticism that "Microsoft has caused the same sort of collateral damage as in its last Zeus botnet takedown".

"As well as sinkholing the Zeus malware servers, Microsoft also knocked out many servers that belonged to security researchers and provided a valuable service to the public by notifying system administrators that they had infected computers on their network," he said.

He confirmed that Microsoft has configured its sinkhole servers to push a new configuration file to infected computers, expressing the same sort of doubts regarding this move as other security researchers.

"Other sinkhole operations have stopped short of pushing out new configurations to infected bots, probably for legal reasons. Clearly, Microsoft has been more aggressive; let's hope there are no complications as a result," Wyke notes, adding in conclusion that early signs suggest that Microsoft has failed to land a knock-out blow on the Citadel banking fraud zombie network it targeted through the controversial takedown op.

"It looks as though many of the botnets weren't knocked out, and rebuilding those that were taken down will not take long," he said. ®
