FBI and Microsoft in massive takedown of "Citadel" crimeware

Filed Under: Botnet, Featured, Law & order, Malware, Microsoft

Microsoft just announced the successful disruption of 1462 Citadel botnets, thanks to a co-ordinated effort between numerous organisations in the private sector and the US Federal Bureau of Investigation (FBI).

You read that correctly: 1462 botnets.

→ A botnet is a collection of malware-infected computers known as bots or zombies. The zombies in a botnet can simultaneously and remotely be commanded by a cybercriminal, known as the botmaster, to do bad stuff. This includes sending out spam, logging everything typed in order to steal passwords, or attacking other people's websites.

Not a botnet of 1462 computers, but 1462 separate botnets.

The reason that one malware family, Citadel, could end up responsible for so many distinct cybercrime operations is that Citadel isn't just malware.

Citadel is what's called a crimeware kit, which you can lease or buy to build your own crooked province in the cybercriminal underworld.

You don't need to know how to write your own malware, or even how to host it, because cybercrooks are keen proponents of the cloud, providing Malware-as-a-Service to other budding crooks who want their own piece of botnet action.

The takedown

Microsoft's writeup of how the botnets were nobbled is understandably lacking in detail, not least because this is just the start of the counterstrike against the crooks.

Generally speaking, however, botnets rely on one or more command-and-control (C&C) servers from which infected computers download instructions on what to do next.

So identifying some or all of the C&C servers in a botnet operation and getting a court order to force them out of action can seriously cramp a cybercriminal operation.

If the crooks can't distribute the next course on their "menu" to the zombies in their botnet, then the botnet is essentially emasculated.

And that's what happened here: a co-ordinated takedown of C&C servers at two hosting companies in New Jersey and Pennsylvania.

Of course, this doesn't deal with the C&C servers outside the USA.

To help knock those on the head, Microsoft has distributed intelligence to Computer Emergency Response Teams (CERTs) in other countries.

The hope is that the CERTs will be able to act against Citadel C&C servers in their own jurisdictions.

What next?

As you will see in the SophosLabs analysis of Citadel, one of its features is programmable DNS redirection.

This means that infected computers can be fed a false map of the internet.

Not only might you be redirected to a fake copy of your usual banking website in place of the real thing, you might also be diverted away from security updates (and from security-related websites).

This makes it much more difficult to clean up your infection, thus giving the crooks even longer in covert control of your PC.
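To make the "false map of the internet" concrete, here is an added example (not code from the original article and not Citadel's own configuration format) that models a DNS override table of the kind a DNS-redirecting bot could push to an infected PC, resolves names through it, and then audits the table against a trusted resolver's answers. All hostnames, addresses and the table itself are constructed for illustration; the hypothetical `audit()` check flags entries that point at non-routable "sinkhole" addresses (which would silently block security updates) or that disagree with the trusted answer (which would quietly divert a banking session).

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample override table in hosts-file style ("ip hostname"), standing in for
# the map a DNS-redirecting bot feeds its victim. Hypothetical names and addresses only.
OVERRIDE_TABLE = """\
# divert the victim's bank to a look-alike host under the crooks' control
203.0.113.10   online.example-bank.test
# sinkhole security vendors and update servers so cleanup tools never reach them
127.0.0.1      update.example-av.test
0.0.0.0        www.example-security.test
# an entry that happens to match the real answer (camouflage)
198.51.100.7   cdn.example-news.test
"""

# Constructed "trusted" answers: what a clean resolver would return for the same names.
TRUSTED_ANSWERS = {
    "online.example-bank.test": "198.51.100.20",
    "update.example-av.test": "198.51.100.30",
    "www.example-security.test": "198.51.100.31",
    "cdn.example-news.test": "198.51.100.7",
}


def parse_override_table(text: str) -> dict:
    """Parse hosts-style lines into {hostname: ip}; '#' comments and blank lines are ignored."""
    overrides = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        ipaddress.ip_address(ip)  # raises ValueError on a malformed address
        for name in names:
            overrides[name.lower().rstrip(".")] = ip
    return overrides


def resolve(name: str, overrides: dict, upstream: dict) -> Optional[str]:
    """Model the infected machine's view: the bot's map wins, everything else goes upstream."""
    name = name.lower().rstrip(".")
    return overrides.get(name, upstream.get(name))


def is_sinkhole(ip: str) -> bool:
    """True for addresses that can never reach a real server (loopback, 0.0.0.0, link-local...)."""
    addr = ipaddress.ip_address(ip)
    return addr.is_loopback or addr.is_unspecified or addr.is_link_local or addr.is_multicast


@dataclass
class Finding:
    name: str
    observed: str
    expected: Optional[str]
    verdict: str  # "sinkholed", "diverted" or "consistent"


def audit(overrides: dict, trusted: dict) -> list:
    """Compare every overridden name with the trusted answer and classify the discrepancy."""
    findings = []
    for name, ip in sorted(overrides.items()):
        expected = trusted.get(name)
        if is_sinkhole(ip):
            verdict = "sinkholed"      # update/security site made unreachable
        elif expected is not None and ip != expected:
            verdict = "diverted"       # sent somewhere other than the real server
        else:
            verdict = "consistent"     # matches reality (or no reference answer)
        findings.append(Finding(name, ip, expected, verdict))
    return findings


def suspicious(findings: list) -> list:
    """Only the findings a responder needs to look at."""
    return [f for f in findings if f.verdict != "consistent"]


if __name__ == "__main__":
    table = parse_override_table(OVERRIDE_TABLE)
    print("infected view of the bank:", resolve("online.example-bank.test", table, TRUSTED_ANSWERS))
    for f in audit(table, TRUSTED_ANSWERS):
        print(f"{f.verdict:11} {f.name:28} got {f.observed:14} expected {f.expected}")
```

The same comparison is the practical check on a suspect machine: resolve the vendor's update hostnames locally, resolve them again through a resolver you trust from a clean host, and treat a loopback or unroutable answer, or a mismatch, as a sign the machine's view of the internet has been tampered with.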

So, while we congratulate Microsoft, its many private-sector partners, and the FBI for taking on the cybercriminals, let's not forget the role that the rest of us can play here.

After all, there are two sides to dismantling a botnet: you can remove the "net" part (in other words, take down the C&C servers), and you can remove the "bot" part (in other words, clean up infected computers).

If we all do our bit to ensure that we aren't helping the crooks by allowing ourselves to be co-opted into a botnet in the first place, we'll cut off the source of their ill-gotten gains.


6 Responses to FBI and Microsoft in massive takedown of "Citadel" crimeware

  1. Laurence Marks · 446 days ago

    Duck wrote: "The zombies in a botnet can simultaneously and remotely be commanded by a cybercriminal, known as the botmaster,"

    That's a new one. Usually he's known as a "herder" or "bot herder."

  2. Garrett · 446 days ago

    Great article! Thanks for the background info.

    While it is nice to read about MS striking at the heart of a large number of botnets, it's tough to stomach following the PRISM scandal that's unfolded over the past few days. I suppose I shouldn't scoff at MS fighting the good fight, but I remain skeptical.

  3. Dave · 445 days ago

    "If we all do our bit to ensure that we aren't helping the crooks by allowing ourselves to be co-opted into a botnet in the first place, we'll cut off the source of their ill-gotten gains."

    Terrific wrap to the article, but what would have been even more impressive, is the provision of a link to a Sophos Guide to the steps that can be taken to do this.

    Fool! I hear you say. Purchase Sophos AV. Well I would, if it was available to home users;-)

  4. Marty · 439 days ago

    "After all, there are two sides to dismantling a botnet: you can remove the "net" part (in other words, take down the C&C servers), and you can remove the "bot" part (in other words, clean up infected computers)."

    What happens to the infected computers?


About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog