Microsoft, FBI Take Down Citadel Botnets

Malware Blamed for $500 Million in Fraud Losses Worldwide
Microsoft, FBI Take Down Citadel Botnets

Federal authorities, along with the Microsoft Digital Crimes Unit, the Financial Services Information Sharing and Analysis Center and other private-sector partners, say they have shut down more than 1,400 botnets responsible for spreading the Citadel malware that compromises online credentials and identities.

See Also: Evaluating Software Security Training Providers - A Buyers Guide

According to a June 5 blog posted by Microsoft, this takedown known as Operation b54 was the most aggressive botnet operation to date, and also involved assistance from the American Bankers Association, NACHA - The Electronic Payments Association, Agari, A10 Networks and Nominum.

"With a court ordered civil seizure warrant from the U.S. District Court for the Western District of North Carolina, Microsoft executed a simultaneous operation to disrupt more than 1,400 Citadel botnets which are responsible for over half a billion dollars in losses to people and businesses worldwide," writes Richard Domingues Boscovich, assistant general counsel of Microsoft Digital Crimes Unit.

Evidence Seized

On June 5, Microsoft reports, Operation b54 personnel, accompanied by U.S. Marshals, seized data and evidence, including computer servers, from data hosting facilities in New Jersey and Pennsylvania. Microsoft says it also shared information about the botnets' operations with international Computer Emergency Response Teams, which can deal with elements of the botnets outside U.S. jurisdiction.

Concurrently, the FBI informed foreign law enforcement agencies, so they can take appropriate actions in their countries.

FS-ISAC, NACHA, ABA and Agari all supported Microsoft's civil lawsuit by serving as declarants in the case. Additionally, Agari provided forensic data, and A10 Networks and Nominum offered technology solutions to help take down the botnets.

Citadel is a keylogging malware, which monitors and records keystrokes on infected computers. These keystrokes are reported back to fraudsters, who then have open access to the victims' online identities and accounts - including banking accounts. Microsoft says the Citadel keylogging malware has infected an estimated 5 million people in more than 90 countries worldwide.

This takedown is not related to the so-called Brobot botnet that's been linked to the distributed-denial-of-service attacks waged against U.S. banks since mid-September.

Operation Ongoing

Boscovich says Operation b54 is ongoing. "Due to Citadel's size and complexity, we do not expect to fully take out all of the botnets in the world using the Citadel malware. "However, we do expect that this action will significantly disrupt Citadel's operation, helping quickly release victims from the threat and making it riskier and more costly for the cybercriminals to continue doing business."

Attackers are enhancing their techniques. "During our investigation, we found that Citadel blocked victims' access to many legitimate anti-virus/anti-malware sites, making it so people may not have been able to easily remove this threat from their computer," Boscovich says.

Cybercriminals linked to these botnets use fraudulently obtained product keys created by key generators for outdated Windows XP software to develop their malware and grow their bots. "This discovery showcases that, in addition to exercising safe online practices, like running updated and legitimate software and using firewall and antivirus protection, people also need to use modern versions of Windows software to better prevent malware, fraud and identify theft," Boscovich says.

This phenomenon is one Daniel Cohen, a phishing and malware researcher at security firm RSA, says is fueling botnet growth throughout the world. Outdated WordPress sites and blogs, primarily from the U.S., which attackers have compromised and taken over, are to blame for upticks in phishing attacks that are being waged worldwide [see Phishing: The Privatization of Trojans].

Microsoft's Trojan Takedowns

This Trojan takedown is not Microsoft's first. In March 2012, the Digital Crimes Unit initiated a similar takedown involving Zeus botnets. That effort, known as Operation B71, was lauded by Microsoft and the FS-ISAC as standing out as an industry first, where unique collaborative efforts between public and private entities resulted in the shuttering of a financial-fraud enterprise.

But critics said Microsoft's efforts, while commendable, weren't likely to have a long-term impact. Financial fraud expert Avivah Litan, a distinguished analyst for consultancy Gartner, said at the time: "I think it's good, but there are always going to be more and new ways criminals use to get in," she said, adding that relying on a single approach - even a successful one - is a set-up for failure.

Still, Microsoft stresses the critical role these types of public-private partnerships play in the future of cyber-attack takedowns. "Cooperation is the key to winning the fight against cybercrime," Boscovich writes. "Operation b54 serves as a real world example of how public-private cooperation can work effectively within the judicial system, and how 20th century legal precedent and common law principles dating back hundreds of years can be effectively applied toward 21st century cybersecurity issues."

About the Author

Tracy Kitten

Tracy Kitten

Former Director of Global Events Content and Executive Editor, BankInfoSecurity & CUInfoSecurity

Kitten was director of global events content and an executive editor at ISMG. A veteran journalist with more than 20 years of experience, she covered the financial sector for over 10 years. Before joining Information Security Media Group in 2010, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by, ABC News, and MSN Money.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.