Was Microsoft's takedown of Citadel effective?

Filed Under: Botnet, Featured, Law & order, Malware, Microsoft, Organisations, Security threats, SophosLabs

As we mentioned last week, Microsoft recently fought back against more than 1,400 Citadel botnets by sinkholing their Command and Control (C&C) infrastructure.

SophosLabs has been monitoring Citadel for some time, including individual botnets such as those targeting Canadian institutions, so I decided to take a closer look at the impact of the takedown.

I took a snapshot of the active Citadel botnets we are currently seeing and cross-referenced 72 C&C servers with the list published by Microsoft.

Then, I verified where the DNS records of those servers were now pointing.

Citadel domains

Worryingly, I found that 51% of the 72 domains analysed did not appear in Microsoft's published list.

A more worrying 20% of the Citadel domains were on Microsoft's list but were not ending up at the sinkhole.

This implies either that the sinkholing was unsuccessful or that the domains have already been re-appropriated by the Citadel botnet owners.
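The snapshot-and-cross-reference check described above, written out as an added worked example (it is not part of the original post and not SophosLabs' or Microsoft's tooling): it takes a set of observed C&C domains, the published takedown list and the sinkhole's IP addresses, classifies each domain, and reports what share falls into each bucket. All domain names, IP addresses and resolver answers below are constructed placeholders (`.invalid` names, RFC 5737 documentation ranges); the `live_resolve` helper shows where a real lookup plugs in. One refinement over the post's two percentages: listed domains that no longer resolve at all are separated from listed domains that point somewhere other than the sinkhole, since only the latter suggests the operators have taken a domain back.

```python
"""Measure how much of an observed C&C domain set a published takedown list
covers, and whether the listed domains actually resolve to the sinkhole.

Added worked example; not SophosLabs' or Microsoft's code. Every domain,
IP address and DNS answer here is a constructed placeholder.
"""
import socket
from collections import Counter
from typing import Callable, Dict, Iterable, List, Set, Tuple

# Outcome labels for a single observed C&C domain.
NOT_ON_LIST = "not on takedown list"
SINKHOLED = "on list, resolves to sinkhole"
ELSEWHERE = "on list, resolves elsewhere"
NO_RECORD = "on list, no DNS record"
LABELS = (NOT_ON_LIST, SINKHOLED, ELSEWHERE, NO_RECORD)

Resolver = Callable[[str], List[str]]


def normalise(domain: str) -> str:
    """Lower-case and strip the trailing dot so list entries and observations match."""
    return domain.strip().rstrip(".").lower()


def classify_domain(domain: str, takedown_list: Set[str],
                    sinkhole_ips: Set[str], resolve: Resolver) -> str:
    """Place one domain into one of LABELS using the supplied resolver."""
    name = normalise(domain)
    if name not in takedown_list:
        return NOT_ON_LIST
    try:
        answers = resolve(name)
    except OSError:  # socket.gaierror (NXDOMAIN, SERVFAIL, ...) is an OSError
        answers = []
    if not answers:
        return NO_RECORD
    if any(ip in sinkhole_ips for ip in answers):
        return SINKHOLED
    return ELSEWHERE


def summarise(domains: Iterable[str], takedown_list: Set[str], sinkhole_ips: Set[str],
              resolve: Resolver) -> Dict[str, Tuple[int, float]]:
    """Return {label: (count, percentage of all observed domains)}."""
    domains = list(domains)
    counts = Counter(classify_domain(d, takedown_list, sinkhole_ips, resolve)
                     for d in domains)
    total = len(domains) or 1
    return {label: (counts[label], round(100.0 * counts[label] / total, 1))
            for label in LABELS}


def live_resolve(domain: str) -> List[str]:
    """Real IPv4 lookup through the system resolver (not used by the offline run)."""
    infos = socket.getaddrinfo(domain, None, family=socket.AF_INET)
    return sorted({info[4][0] for info in infos})


# --- Constructed sample data: placeholders, not real infrastructure ---
SINKHOLE_IPS = {"198.51.100.10", "198.51.100.11"}
TAKEDOWN_LIST = {normalise(d) for d in [
    "cnc-a.invalid", "cnc-b.invalid", "CNC-C.invalid.", "cnc-d.invalid", "cnc-e.invalid",
]}
FAKE_DNS = {
    "cnc-a.invalid": ["198.51.100.10"],  # listed and sinkholed
    "cnc-b.invalid": ["198.51.100.11"],  # listed and sinkholed
    "cnc-c.invalid": ["198.51.100.10"],  # listed and sinkholed
    "cnc-d.invalid": ["203.0.113.7"],    # listed, but pointing somewhere else
    # cnc-e.invalid: listed, no record at all
    "cnc-f.invalid": ["203.0.113.8"],    # still active, never on the list
    "cnc-g.invalid": ["203.0.113.9"],    # still active, never on the list
}
OBSERVED_DOMAINS = [
    "cnc-a.invalid", "cnc-b.invalid", "cnc-c.invalid", "cnc-d.invalid", "cnc-e.invalid",
    "cnc-f.invalid", "cnc-g.invalid", "cnc-h.invalid", "cnc-i.invalid", "cnc-j.invalid",
]


def fake_resolve(domain: str) -> List[str]:
    """Offline stand-in for live_resolve, backed by the constructed table."""
    return FAKE_DNS.get(domain, [])


if __name__ == "__main__":
    summary = summarise(OBSERVED_DOMAINS, TAKEDOWN_LIST, SINKHOLE_IPS, fake_resolve)
    for label, (n, pct) in summary.items():
        print(f"{label:38s} {n:3d} ({pct:.0f}%)")
```

To repeat the check against a live list, pass `live_resolve` instead of `fake_resolve` and resolve from a vantage point whose resolver is not itself affected by the takedown; caching resolvers can keep returning the pre-sinkhole answer until the record's TTL expires, which is one benign reason a listed domain can show up as resolving elsewhere.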

Furthermore, as described by Swiss researchers at abuse.ch, Microsoft has caused the same sort of collateral damage as in its last Zeus botnet takedown.

As well as sinkholing the Zeus malware servers, Microsoft also knocked out many servers that belonged to security researchers, servers which were providing a valuable service to the public by notifying system administrators that they had infected computers on their network.

Like its father Zeus, Citadel connects to its C&C servers to receive instructions in the form of a configuration file.

This file contains many settings including where to send the stolen data, what extra code to inject into certain webpages, and includes a module designed to redirect DNS requests from the infected computer.

This module is often used to redirect requests to security websites, meaning the infected computer cannot download anti-virus updates or access security tools to remove the infection.

In this takedown operation, Microsoft actually configured its sinkhole servers to push a new configuration file to infected computers:

[Screenshot of configuration file]

The goal of this file is to ensure infected computers are no longer blocked from reaching security software websites so they are now able to remove the malware.

Other sinkhole operations have stopped short of pushing out new configurations to infected bots, probably for legal reasons.

Clearly, Microsoft has been more aggressive; let's hope there are no complications as a result.

Takedown efforts such as this can provide immediate benefit to the public by effectively disabling the control channels used to administer a very dangerous piece of malware.

However, the long-term effect of this particular takedown on Citadel is unlikely to be significant: it looks as though many of the botnets weren't knocked out, and rebuilding those that were taken down will not take long.

Concerns remain over Microsoft's methods, in terms of collateral damage and contravention of local law.


2 Responses to Was Microsoft's takedown of Citadel effective?

  1. john · 503 days ago

    Other than Microsoft, I do not know what has given me the blue screen of death on my 6 month old Acer Windows 7 netbook, but I am not alone in this - two of my military friends say they are in the same boat, 1 has Windows 7 and the other Windows 8 - we live in Ontario, Canada.
    Microsoft updates appear to have taken us out and we cannot undo whatever it is.
    My netbook was all updated and secure; besides, I only look at a few conservative news sites - nothing that should make me part of any botnet, and the anti-virus, both Comodo and Defender, showed no problems when I scanned with both before shutting down the last day I was able to use it.

  2. Erm, honestly, "51% of 72" does not really sound that meaningful.

    I know you want to look like you have stats and shizzle, but ... seriously?


About the author

James Wyke is a Senior Threat Researcher with SophosLabs UK