A team of industry and law-enforcement partners—including Microsoft, the Federal Bureau of Investigation and financial firms—have successfully disrupted a collection of botnets running on the Citadel Trojan, freeing more than 1.2 million computers from the control of cyber-criminals, Microsoft’s Digital Crimes Unit said this week.
On June 6, Microsoft announced that it had executed its seventh operation against botnet operators, aiming to significantly disrupt a collection of nearly 1,500 botnets running on the Citadel Trojan. Normally, computers compromised with Citadel would attempt to connect to certain domains and receive orders, but Microsoft and computer emergency response teams around the world redirected many of those domains.
The domains that Microsoft gained control of through a court order were redirected, or “sinkholed,” to company-controlled infrastructure, which Microsoft monitors to gauge the size of the botnets.
In the first week, more than 1.2 million unique IP addresses connected more than 178 million times to the sinkhole servers, Richard Boscovich, assistant general counsel of Microsoft’s Digital Crimes Unit, told eWEEK. While gauging how many infected computers are behind each Internet address is difficult, Microsoft estimates that 1.2 million is the minimum.
“That is a very conservative number,” he said. “We feel that is the minimum number of computers that we have liberated. There could be multiple computers using one IP; if so, then it could be a larger number,” Boscovich said.
Microsoft has indications that as many as 2 million computers may be reporting to the company-controlled sinkhole, but that number is less certain, he said.
The takedown continues Microsoft’s private war against botnet operators. Starting with Waledac in March 2010, the company has partnered with other technology firms to gather data on a variety of botnets, built civil cases against the botnet operators, and then seized the domains and command-and-control servers of those operators.
After Waledac, the company targeted Rustock, Kelihos, Zeus, Nitol and Bamital. The takedowns have all been successful at disrupting the cyber-criminals’ botnet operations, at least for some time. For example, Microsoft managed in March 2011 to completely take down the Rustock botnet, which resulted in a massive drop in the amount of spam sent out to the Internet.
In the latest takedown, Microsoft gathered intelligence on the Citadel botnets by working with Agari, a company that tracks phishing emails sent to customers from malicious botnet campaigns. The company would report the malicious URLs to Microsoft to allow them to focus on the latest incarnation of the Citadel botnets, Patrick Peterson, CEO of Agari, told eWEEK.
“During the course of our investigation, we were feeding them 2.5 million malicious Citadel URLs every month,” Peterson said. “This would be an email that pops up in a consumer’s email inbox and tries to get them to click. And when you click, it starts the infection lifecycle.”
Following the seizure of key command-and-control servers and the redirection of the domains used by the botnets to communicate with infected computers, Microsoft has monitored the number of computers that connect to its sinkhole servers.
The company also reversed the blacklist and whitelist used by the Citadel Trojan, blocking infected systems from going to malicious command-and-control servers and allowing them to contact Microsoft’s servers to get security updates from their antivirus vendor.
“We think we had a pretty powerful impact on Citadel,” Boscovich said. “We still have some preliminary numbers, so we will keep watching, and we will also work a little bit closer with our partners overseas to get an idea of what they are seeing.”