Was Microsoft’s takedown of Citadel effective?

As we mentioned last week, Microsoft recently fought back against more than 1,400 Citadel botnets by sinkholing their Command and Control (C&C) infrastructure.

SophosLabs has been monitoring Citadel for some time, including individual botnets such as those targeting Canadian institutions, so I decided to take a closer look at the impact of the takedown.

I took a snapshot of the active Citadel botnets we are currently seeing and cross-referenced 72 C&C servers with the list published by Microsoft.

Then, I verified where the DNS records of those servers were now pointing.
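The cross-check described above is easy to automate. The script below is an added example, not code from the original post or from SophosLabs: it takes a snapshot of observed C&C domains, splits them into those absent from the published takedown list, those listed and resolving into the sinkhole, those listed but resolving elsewhere, and those listed but no longer resolving at all, then reports each group as a percentage of the snapshot. All domains, addresses and the sinkhole netblock are constructed placeholders (RFC 5737 test ranges); a real run would swap in the published list, the operator's announced sinkhole ranges and a live resolver.

```python
"""Cross-reference observed C&C domains with a published takedown list and
check whether each one now resolves into the sinkhole.

Added example (not part of the original post). Every domain, IP address and
netblock below is a constructed placeholder, not a real indicator.
"""
import ipaddress
import socket
from collections import Counter

# Constructed: domains a telemetry snapshot showed as active C&C servers.
OBSERVED_CNC = [
    "cnc-a.example", "cnc-b.example", "cnc-c.example", "cnc-d.example",
    "cnc-e.example", "cnc-f.example", "cnc-g.example", "cnc-h.example",
    "cnc-i.example", "cnc-j.example",
]

# Constructed: the published takedown list (half of the snapshot overlaps it).
PUBLISHED_LIST = {
    "cnc-a.example", "cnc-b.example", "cnc-c.example",
    "cnc-d.example", "cnc-e.example",
}

# Constructed: netblocks the sinkhole operator announced as theirs
# (TEST-NET-1 stands in for the real range).
SINKHOLE_NETS = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed: A records returned for each domain at check time.
# An empty list means NXDOMAIN or no answer.
DNS_SNAPSHOT = {
    "cnc-a.example": ["192.0.2.10"],                   # listed, at sinkhole
    "cnc-b.example": ["192.0.2.11"],                   # listed, at sinkhole
    "cnc-c.example": ["198.51.100.7"],                 # listed, resolves elsewhere
    "cnc-d.example": [],                               # listed, no answer
    "cnc-e.example": ["192.0.2.12", "198.51.100.8"],   # listed, only partly sinkholed
    "cnc-f.example": ["203.0.113.5"],                  # not on the list
    "cnc-g.example": ["203.0.113.6"],
    "cnc-h.example": ["203.0.113.7"],
    "cnc-i.example": [],
    "cnc-j.example": ["203.0.113.9"],
}

CATEGORIES = ("not_listed", "listed_sinkholed",
              "listed_not_sinkholed", "listed_unresolved")


def snapshot_resolver(snapshot):
    """Build a resolver that answers from a recorded snapshot (offline)."""
    def resolve(domain):
        return list(snapshot.get(domain, []))
    return resolve


def live_resolver(domain):
    """Resolve against the real DNS; not used in the offline demonstration."""
    try:
        return socket.gethostbyname_ex(domain)[2]
    except socket.gaierror:
        return []


def is_sinkholed(ip_str, sinkhole_nets=SINKHOLE_NETS):
    """True if the address falls inside one of the announced sinkhole netblocks."""
    ip = ipaddress.ip_address(ip_str)
    return any(ip in net for net in sinkhole_nets)


def classify(domain, published, resolve, sinkhole_nets=SINKHOLE_NETS):
    """Place one domain into exactly one of CATEGORIES.

    A domain only counts as sinkholed when every returned address is inside
    the sinkhole: a mixed answer set means the bots may still reach a live
    server, so it is treated as not sinkholed.
    """
    if domain not in published:
        return "not_listed"
    answers = resolve(domain)
    if not answers:
        return "listed_unresolved"
    if all(is_sinkholed(ip, sinkhole_nets) for ip in answers):
        return "listed_sinkholed"
    return "listed_not_sinkholed"


def summarise(observed, published, resolve, sinkhole_nets=SINKHOLE_NETS):
    """Return {category: (count, percent_of_snapshot)} for the whole snapshot."""
    counts = Counter(classify(d, published, resolve, sinkhole_nets) for d in observed)
    total = len(observed)
    return {c: (counts[c], round(100.0 * counts[c] / total, 1)) for c in CATEGORIES}


if __name__ == "__main__":
    report = summarise(OBSERVED_CNC, PUBLISHED_LIST, snapshot_resolver(DNS_SNAPSHOT))
    for category, (count, pct) in report.items():
        print(f"{category:22s} {count:3d}  {pct:5.1f}%")
```

The "listed but not sinkholed" bucket is the one worth chasing: resolving to an address outside the announced sinkhole range after the takedown means either the redirection never took effect or the registrant has regained control of the name. Keeping the resolver injectable lets the same classification run against a recorded snapshot for reproducibility and against live DNS for the current state.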

Citadel domains

Worryingly, I found that 51% of the 72 domains analysed did not appear in Microsoft’s published list.

A more worrying 20% of the Citadel domains were on Microsoft’s list but were not ending up at the sinkhole.

This implies either that the sinkholing was unsuccessful or that the domains have already been re-appropriated by the Citadel botnet owners.

Furthermore, as described by Swiss researchers at abuse.ch, Microsoft has caused the same sort of collateral damage as in its last Zeus botnet takedown.

As well as sinkholing the Zeus malware servers, Microsoft also knocked out many servers that belonged to security researchers and were providing a valuable service to the public by notifying system administrators that they had infected computers on their networks.

Like its father Zeus, Citadel connects to its C&C servers to receive instructions in the form of a configuration file.

This file contains many settings, including where to send the stolen data and what extra code to inject into certain web pages, and it also includes a module designed to redirect DNS requests from the infected computer.

This module is often used to redirect requests to security websites, meaning the infected computer cannot download anti-virus updates or access security tools to remove the infection.

In this takedown operation, Microsoft actually configured its sinkhole servers to push a new configuration file to infected computers:

Screenshot of configuration file

The goal of this file is to ensure infected computers are no longer blocked from reaching security software websites so they are now able to remove the malware.

Other sinkhole operations have stopped short of pushing out new configurations to infected bots, probably for legal reasons.

Clearly, Microsoft has been more aggressive; let’s hope there are no complications as a result.

Takedown efforts such as this can provide immediate benefit to the public by effectively disabling the control channels used to administer a very dangerous piece of malware.

However, the long-term effect of this particular takedown on Citadel is unlikely to be significant: it looks as though many of the botnets weren’t knocked out, and rebuilding those that were taken down will not take long.

Concerns remain over Microsoft’s methods, in terms of collateral damage and contravention of local law.