In its most ambitious botnet takedown to date, Microsoft cooperated with major financial industry groups, technology partners and the FBI to disrupt the operations of more than a thousand botnets running on a common crimeware platform and responsible for at least $500 million in consumer and business losses.
On June 5, accompanied by U.S. Marshals, Microsoft technicians seized servers at two data centers in New Jersey and Pennsylvania, and with the help of the FBI, coordinated with computer emergency response teams and registrars in 87 countries to sinkhole domains used by the 1,452 botnets built on the Citadel malware. The coordinated action, announced by Microsoft and the FBI, aimed to shut down the ability of criminals to use the Citadel bot software to continue to steal information and money from the estimated 2 million to 5 million users and businesses whose systems are infected by the malware.
"I think it will be a very, very aggressive and disruptive action–it's a full takedown," Richard Boscovich, assistant general counsel for Microsoft's Digital Crimes Unit, told eWEEK. "We'd love to say we get 100 percent, a kill shot like with Rustock, but given the number of bots involved and the complexity and logistics, we think we will be successful if we have a good, disruptive action driving up their cost of doing business."
The takedown of the Citadel botnet is Microsoft's seventh operation against bot operators and their infrastructure. Starting with Waledac in March 2010, the software giant has gathered data on a variety of botnets and built civil cases against the criminal bot operators. Then, through coordinated actions with partners, the company has disrupted the operations of those botnets. While most botnets have been resurrected in some form by the criminals groups running them, Microsoft managed in March 2011 to completely take down the Rustock botnet, which stopped sending out spam altogether.
"When you take away that many computers and infrastructure, there is a cost associated with that, and that has always been our objective," Microsoft's Boscovich said. "Just having to re-infect people is going to be harder and harder."
Last week, Microsoft filed a civil suit in the Western District of North Carolina against the unknown operators of the various Citadel botnets. A number of financial services groups, including the Financial Services Information Sharing and Analysis Center (FS-ISAC) and the electronic payments association NACHA, contributed research and supporting statements to the case.
While the FBI has previously not officially involved itself in any previous cases, the U.S. law-enforcement agency helped Microsoft's civil action by contacting its law-enforcement counterparts in other countries and obtaining search warrants for the domestic seizure of computers related to the botnets, according to an FBI statement issued June 5.
"Creating successful public-private relationships—in which tools, knowledge and intelligence are shared—is the ultimate key to success in addressing cyber-threats and is among the highest priorities of the FBI," Richard McFeely, the executive assistant director of the FBI's Criminal, Cyber, Response and Services Branch, said in the statement. "We must ensure that, as cyber-policy is developed, the ability of the private sector to coordinate in real time with the FBI is encouraged so that a multi-prong attack on our cyber-adversaries can be as effective as possible."
Email security services firm Agari and domain-name service firm Nominum both aided in the investigation and the response to the Citadel botnets.
Microsoft and its partners will intercept, or sinkhole, Citadel communications from the infected consumer and business computers as part of its efforts to disrupt the botnets. The company plans to release updated information on the size and scope of the botnets in coming weeks.