Microsoft just announced the successful disruption of 1462 Citadel botnets, thanks to a co-ordinated effort between numerous organisations in the private sector and the US Federal Bureau of Investigation (FBI).
You read that correctly: 1462 botnets.
→ A botnet is a collection of malware-infected computers known as bots or zombies. The zombies in a botnet can simultaneously and remotely be commanded by a cybercriminal, known as the botmaster, to do bad stuff. This includes sending out spam, logging everything typed in order to steal passwords, or attacking other people’s websites.
Not a botnet of 1462 computers, but 1462 separate botnets.
The reason that one malware family, Citadel, could end up responsible for so many distinct cybercrime operations is that Citadel isn’t just malware.
Citadel is what’s called a crimeware kit, which you can lease or buy to build your own crooked province in the cybercriminal underworld.
You don’t need to know how to write your own malware, or even how to host it, because cybercrooks are keen proponents of the cloud, providing Malware-as-a-Service to other budding crooks who want their own piece of botnet action.
Microsoft’s writeup of how the botnets were nobbled is understandably lacking in detail, not least because this is just the start of the counterstrike against the crooks.
Generally speaking, however, botnets rely on one or more command-and-control (C&C) servers from which infected computers download instructions on what to do next.
So identifying some or all of the C&C servers in a botnet operation and getting a court order to force them out of action can seriously cramp a cybercriminal operation.
If the crooks can’t distribute the next course on their “menu” to the zombies in their botnet, then the botnet is essentially emasculated.
And that’s what happened here: a co-ordinated takedown of C&C servers at two hosting companies in New Jersey and Pennsylvania.
Of course, this doesn’t deal with the C&C servers outside the USA.
To help knock those on the head, Microsoft has distributed intelligence to Computer Emergency Response Teams (CERTs) in other countries.
The hope is that the CERTs will be able to act against Citadel C&C servers in their own jurisdictions.
As you will see in the SophosLabs analysis of Citadel, one of its features is programmable DNS redirection.
This means that infected computers can be fed a false map of the internet.
Not only might you be redirected to a fake copy of your usual banking website in place of the real thing, you might also be diverted away from security updates (and from security-related websites).
This makes it much more difficult to clean up your infection, thus giving the crooks even longer in covert control of your PC.
So, while we congratulate Microsoft, its many private-sector partners, and the FBI for taking on the cybercriminals, let’s not forget the role that the rest of us can play here.
After all, there are two sides to dismantling a botnet: you can remove the “net” part (in other words, take down the C&C servers), and you can remove the “bot” part (in other words, clean up infected computers).
If we all do our bit to ensure that we aren’t helping the crooks by allowing ourselves to be co-opted into a botnet in the first place, we’ll cut off the source of their of ill-gotten gains.
6 comments on “FBI and Microsoft in massive takedown of “Citadel” crimeware”
Duck wrote: "The zombies in a botnet can simultaneously and remotely be commanded by a cybercriminal, known as the botmaster,"
That's a new one. Usually he's known as a "herder" or "bot herder."
Great article! Thanks for the background info.
While it is nice to read about MS striking at the heart of a large number of botnets, its tough to stomach following the PRISM scandal that's unfolded over the past few days. I suppose I shouldn't scoff at MS fighting the good fight, but I remain skeptical.
"If we all do our bit to ensure that we aren't helping the crooks by allowing ourselves to be co-opted into a botnet in the first place, we'll cut off the source of their of ill-gotten gains."
Terrific wrap to the article, but what would have been even more impressive, is the provision of a link to a Sophos Guide to the steps that can be taken to do this.
Fool! I hear you say. Purchase Sophos AV. Well I would, if it was available to home users;-)
Since you mentioned it… 🙂
Sophos for Mac is free for home use:
And if you grab Sophos's free UTM-for-home licence…
…then you can protect up to 50 devices, plus you get Sophos Anti-Virus for Windows free for up to 12 computers, too.
Thanks for the heads-up Paul.
"After all, there are two sides to dismantling a botnet: you can remove the "net" part (in other words, take down the C&C servers), and you can remove the "bot" part (in other words, clean up infected computers)."
What happens to the infected computers?