
Microsoft, FBI Shut Down More Than 1,000 Citadel Botnets

Microsoft, various financial services organizations, and federal law enforcement have successfully disrupted more than 1,000 botnets that utilize the Citadel malware.

Botnets are networks of compromised computers infected by malware and remotely controlled through command-and-control servers. In the case of Citadel, the criminals in charge, known as botherders, each took a copy of the Citadel malware kit and built out their own botnet, with its own army of zombie computers.

Microsoft filed a civil suit against unnamed individuals operating these independent botnets in the U.S. District Court for the Western District of North Carolina last week. The court granted Microsoft's request to "simultaneously cut off communication" between the command-and-control servers and the millions of infected machines under their control. On June 5, Microsoft, escorted by U.S. Marshals, seized data and evidence from these operations, including servers from two data hosting facilities in New Jersey and Pennsylvania.

"Creating successful public-private relationships—in which tools, knowledge, and intelligence are shared—is the ultimate key to success in addressing cyber threats and is among the highest priorities of the FBI," Richard McFeely, the executive assistant director at the FBI, said in a statement.

This action disrupted operations for 1,462 botnets, Microsoft said. However, Microsoft and its partners do not expect to "fully eliminate" all of the botnets built on Citadel. The goal is to "significantly disrupt" operations, making it "riskier and more expensive for the cybercriminals to continue doing business," Microsoft said.

The problem remains, because the criminals will just move the Citadel code from one place to another, Jason Steer, EMEA product manager at FireEye, told SecurityWeek. "The worry is that there are hundreds, if not thousands, of other Citadel and Zeus variants in the wild and so the threat posed to online banking users is only marginally reduced by this takedown," Steer said.

Citadel had keylogging capabilities, which enabled cybercriminals to intercept the victim's account credentials for online banking and other sensitive websites. This meant criminals could easily withdraw money from bank accounts or steal personal identities.

The botnets combined were responsible for over half a billion dollars in financial fraud and affected more than five million people in over 90 countries, Microsoft said. The United States, Europe, Hong Kong, Singapore, India, and Australia had the highest numbers of infections.

"The harm done by Citadel shows the threat that botnets, malicious software, and piracy pose to individuals and businesses around the world," said Brad Smith, Microsoft general counsel and executive vice-president of Legal and Corporate Affairs.

Microsoft also provided information about the botnet operations to Computer Emergency Response Teams in other countries so that they could take action on additional command-and-control infrastructure within their borders. The FBI also provided information to its foreign law enforcement counterparts.

"We will use the intelligence gained from this operation to work against the international criminal enterprises conducting these operations, thereby helping to make the Internet safer for people and businesses worldwide," McFeely said.

Victims need to remove the Citadel malware from their computers as soon as possible to ensure they don't wind up with additional security issues, Microsoft said. Microsoft will use the threat intelligence gathered during the seizure to work with internet service providers and CERTs to notify users who have been infected. The information will be made available through its Cyber Threat Intelligence Program.

Microsoft's partners in the financial services industry included the Financial Services Information Sharing and Analysis Center (FS-ISAC), NACHA (the Electronic Payments Association), and the American Bankers Association. Agari, A10 Networks, and Nominum also worked with Microsoft and the Federal Bureau of Investigation in this effort.

The investigation began in early 2012, according to Microsoft. FS-ISAC performed forensic analysis on the terabytes of email data collected by Agari, while Nominum and A10 provided advanced networking capabilities.

"We must ensure that, as cyber policy is developed, the ability of the private sector to coordinate in real time with the FBI is encouraged so that a multi-prong attack on our cyber adversaries can be as effective as possible," McFeely said.

Fahmida Y. Rashid is a Senior Contributing Writer for SecurityWeek. She has experience writing and reviewing security, core Internet infrastructure, open source, networking, and storage. Before setting out her journalism shingle, she spent nine years as a help-desk technician, software and Web application developer, network administrator, and technology consultant.