Oops. Microsoft takes down some researchers' servers along with Citadel botnet sites

When Microsoft took down Citadel botnets last week it disrupted the thieves who use the malware to steal online banking credentials, but it also caused collateral damage: it seized domain names that researchers had already sinkholed, cutting off the data they were using to figure out how best to combat the criminals, a Swiss researcher says.

The Microsoft/FBI operation seized more than 300 domain names that had been sinkholed by abuse.ch, a Swiss security blog, according to the latest post on the site.


"I was not only surprised but also quite disappointed: Microsoft already showed similar behavior in their operation against ZeuS last year where they seized thousands of ZeuS botnet domains, including several hundred domain names that were already sinkholed by abuse.ch," the blog's author says.

Sinkholing means taking over a botnet's command-and-control domains so that infected machines call home to a server the researchers control instead of to the criminals. The abuse.ch sinkhole servers were used to gather information about computers that had been turned into botnet zombies so that their owners could be notified via the Shadowserver Foundation, a volunteer group, and could take steps to clean their machines, according to the blog.

"Since Citadel domain names previously sinkholed by abuse.ch have been grabbed by Microsoft, Shadowserver will not be able to report the IP addresses of infected clients calling home to these domains to the network owners anymore," the blog says.

Estimates by abuse.ch say that a quarter of the 4,000 botnet domains taken over by the Microsoft/FBI sting fall into the category of sinkholes. "Today, I've talked to several other sinkhole operators asking them about their experience with Microsoft," the blogger writes. "All of them confirmed to me that several dozens and for some operators even hundreds of Citadel domain names they had sinkholed have been seized by Microsoft as well."
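To make the notification pipeline described above concrete, here is an added example (not abuse.ch's or Shadowserver's code) of the triage a sinkhole operator runs over its access logs: beacons from infected hosts are grouped by the network owner who should be notified, and a second function measures which victims would drop out of the reports if particular sinkholed domains were seized by a third party, which is exactly the loss the blog describes. The log format, domains, request paths, client addresses and network-owner mapping are all constructed for the example.

```python
"""Sinkhole log triage: turn beacons from infected hosts into per-network-owner
notification reports, and measure the reporting coverage lost when some of
the sinkholed domains are seized by someone else.

Added example with constructed data; the log format, domains, paths,
addresses and owners are assumptions, not abuse.ch's or Shadowserver's."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed access-log lines from a hypothetical HTTP sinkhole:
# client_ip [timestamp] "request" host_header. A bot beacon carries the
# C&C domain it was trying to reach in the Host header.
SINKHOLE_LOG = """\
198.51.100.23 [05/Jun/2013:10:00:01 +0000] "POST /gate HTTP/1.1" c2-alpha.invalid
198.51.100.23 [05/Jun/2013:10:05:01 +0000] "POST /gate HTTP/1.1" c2-alpha.invalid
198.51.100.77 [05/Jun/2013:10:00:09 +0000] "POST /gate HTTP/1.1" c2-beta.invalid
203.0.113.5 [05/Jun/2013:10:01:30 +0000] "GET /cfg.bin HTTP/1.1" c2-alpha.invalid
203.0.113.5 [05/Jun/2013:10:03:30 +0000] "GET /cfg.bin HTTP/1.1" c2-gamma.invalid
192.0.2.200 [05/Jun/2013:10:02:00 +0000] "POST /gate HTTP/1.1" c2-gamma.invalid
203.0.113.9 [05/Jun/2013:10:02:45 +0000] "GET /favicon.ico HTTP/1.1" c2-alpha.invalid
"""

# Constructed mapping of address space to the party that gets the report
# (in practice derived from routing and whois data).
NETWORK_OWNERS = {
    ipaddress.ip_network("198.51.100.0/24"): "ISP-A abuse desk",
    ipaddress.ip_network("203.0.113.0/24"): "Hosting-B abuse desk",
    ipaddress.ip_network("192.0.2.0/24"): "University-C CERT",
}

# Only requests that look like bot check-ins count; browsers and scanners
# poking the sinkhole (favicon requests, crawlers) must not be reported
# as infections. These paths are assumed for the example.
BEACON_PATHS = {"/gate", "/cfg.bin"}

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<host>\S+)$'
)


def parse_beacons(log_text):
    """Yield (ip, timestamp, domain) for every line that looks like a bot beacon."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["path"] not in BEACON_PATHS:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        yield ipaddress.ip_address(m["ip"]), ts, m["host"].lower()


def owner_of(ip):
    """Longest-prefix lookup is overkill for non-overlapping /24s; first match wins."""
    for net, owner in NETWORK_OWNERS.items():
        if ip in net:
            return owner
    return "unknown (no routing data)"


def build_reports(log_text):
    """Group infected hosts by network owner.

    Returns {owner: {ip: {"domains", "first_seen", "last_seen", "beacons"}}}."""
    reports = defaultdict(dict)
    for ip, ts, domain in parse_beacons(log_text):
        rec = reports[owner_of(ip)].setdefault(
            str(ip), {"domains": set(), "first_seen": ts, "last_seen": ts, "beacons": 0}
        )
        rec["domains"].add(domain)
        rec["first_seen"] = min(rec["first_seen"], ts)
        rec["last_seen"] = max(rec["last_seen"], ts)
        rec["beacons"] += 1
    return dict(reports)


def coverage_lost(log_text, seized_domains):
    """Infected hosts that vanish from the reports if `seized_domains` stop
    resolving to this sinkhole: those whose every observed C&C domain is in
    the seized set. A host that also beacons to a domain the sinkhole still
    holds keeps getting reported."""
    seized = {d.lower() for d in seized_domains}
    seen = defaultdict(set)
    for ip, _, domain in parse_beacons(log_text):
        seen[str(ip)].add(domain)
    return sorted(ip for ip, doms in seen.items() if doms <= seized)


if __name__ == "__main__":
    for owner, hosts in build_reports(SINKHOLE_LOG).items():
        print(owner)
        for ip, rec in sorted(hosts.items()):
            print(f"  {ip}  beacons={rec['beacons']}  domains={sorted(rec['domains'])}  "
                  f"{rec['first_seen']:%H:%M:%S}-{rec['last_seen']:%H:%M:%S}")
    print("hosts lost if c2-alpha.invalid is seized:",
          coverage_lost(SINKHOLE_LOG, {"c2-alpha.invalid"}))
```

Two details matter in practice and are reflected here: non-beacon traffic to the sinkhole is filtered out before anyone is accused of being infected, and the coverage check is per host rather than per domain, because a victim whose malware rotates through several C&C domains is only lost when all of them are gone.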

In addition, the Citadel takedown will likely prompt criminals to come up with more creative ways to run their operations that are harder to block.

Both these criticisms have come up before after Microsoft takedowns, and are part of the complex strategy game that goes on between cybercriminals and the organizations trying to shut them down.

For example, when Microsoft took down some Zeus botnets last year, bot-herders responded by changing their command-and-control infrastructure. Rather than having compromised machines report back to a single command-and-control server that could be seized, they moved to a peer-to-peer C&C architecture that is more difficult to dismantle, a security expert said at the time. "Adversaries will study how Microsoft did this and create ways to get around it in the future," John Pironti, president of IP Architects, LLC., said about the Zeus takedown. "They'll change their methods and practices and won't make the same mistake twice."

The abuse.ch blogger concludes that Microsoft's effort was more for show than for actually solving the Citadel problem. "According to Microsoft, their goal was to disturb Citadel botnet operations. In my opinion their operation didn't have any big noteworthy impact on Citadel, rather than disturbing research projects of several security researchers and non-profit organizations, including abuse.ch. In my opinion, operation b54 was nothing more than a PR campaign by Microsoft."

Tim Greene covers Microsoft and unified communications for Network World and writes the Mostly Microsoft blog. Reach him at tgreene@nww.com and follow him on Twitter @Tim_Greene.
