Security Advisor

Microsoft: 88 Percent of Citadel Botnet Malware Eliminated

Microsoft presented the updated figure during a discussion of private and public sector cooperation when battling cyber crime.

During a panel discussing the merits of public and private cybersecurity partnership, Microsoft said its takedown of the massive Citadel Botnet ring in June has halted 88 percent of malware that was spawned by the operation.

According to Richard Domingues Boscovich, a member of the Digital Crimes Unit and a player in the Citadel takedown, along with eliminating close to 90 percent of all Citadel botnets, 40 percent of computers that were found to be infected have been cleaned as of July 23.

Boscovich discussed that without the cooperation of other corporate and law enforcement agencies, a shutdown of a crime ring as large as the Citadel botnet operation would have been impossible.

"By combining our collective expertise and taking coordinated steps to dismantle the botnets, we have been able to significantly diminish Citadel's operation, rescue victims from the threat, and make it more costly for the cybercriminals to continue doing business," wrote Boscovich in a recent Microsoft blog post discussing the panel.  

The Citadel botnet takedown earlier this year was Microsoft's seventh team-up with fellow corporations, federal and international law enforcement agencies, and the operation helped to free 1.2 million computers under the control of malware. With the direct support of the U.S. Marshalls, Microsoft helped to remove servers used by the Citadel botmasters in U.S.-based datacenters. It is estimated that the ring was able to steal $500 million from U.S. and foreign banks, thanks to its vast network of infected systems.

While Microsoft is using this takedown as an example of how cooperation among the private and public sectors can work towards protecting the public from cyber crime, the action was not without its own controversy.

Shortly after the botnet takedown was announced, a Swiss security researcher said that during the operation, 4,000 domain names believed to be in the control of the botnet ring were seized and rerouted to  point to a Microsoft server to gain information on infected computers  -- a practice called "sinkholing".

However, the Swiss researcher said that among those 4,000 that were seized were some commercially operated sinkholes already being used by security firms to monitor the threat landscape.

"I was quite surprised about the result: Microsoft seized more than 300 domain names that where sinkholed by abuse.ch. I was not only surprised but also quite disappointed: Microsoft already showed similar behaviour in their operation against ZeuS last year were they seized thousands of ZeuS botnet domains, including several hundred domain names that were already sinkholed by abuse.ch," said the anonymous Swiss researcher.

And an additional unconfirmed report by a fellow anonymous security researcher said that 25 percent of  the domains seized during the operation were legitimately being operated by security firms.

This example shows that while there has been a larger push as of late from Microsoft to partner with others to battle cyber crime, the spirit of teamwork needs to be extended to the small researchers -- not just the large corporations and law enforcement agencies. However, with many independent researchers living in the shadows, bringing them into the fold may be impossible to do.

What's your take? Is the sweeping shutdown of these large botnet operations worth the cost of interfering with legitimate security research? Share your thoughts in the comments below.

About the Author

Chris Paoli is the site producer for Redmondmag.com and MCPmag.com.

comments powered by Disqus

Reader Comments:

Add Your Comment Now:

Your Name:(optional)
Your Email:(optional)
Your Location:(optional)
Comment:
Please type the letters/numbers you see above

Redmond Tech Watch

Sign up for our newsletter.

I agree to this site's Privacy Policy.