Microsoft not sorry for swallowing researchers' work in Citadel takedown

Microsoft struck down over 1,400 Citadel networks in its seventh botnet takedown to date

A quarter of the Citadel botnet’s 4,000 command and control domains that Microsoft seized last week in “operation b54” were actually being used by researchers to combat the botnet and others like it, according to a security researcher.

The takedown, Microsoft’s seventh to date, was sanctioned by a court order: the company seized data at two hosting providers in the US and laid claim to 4,000 domains it said were used for “controlling, maintaining and growing” the botnet.

All of the domains were once malicious but, according to Roman Huessy, a botnet hunter and researcher at a Swiss security site, 1,000 of them were by then harmless, “sinkholed” domains.

Worse, Operation b54, which critics have dismissed as a Microsoft “PR campaign”, destroyed a source of live infection data for the Shadowserver Foundation, a volunteer-run botnet-fighting group that distributes threat data to over 1,500 network operators and around 70 computer emergency response teams (CERTs).

“Microsoft seized not only malicious domain names operated by cybercriminals to control computers infected with Citadel, but also Citadel botnet domain names that had already been sinkholed by a while ago,” Huessy reported on Friday.

Huessy himself lost 300 domains from his Citadel sinkhole, and other researchers affected by the takedown lost the remaining 700 or so. The domains now point to Microsoft’s own sinkhole.

Sinkholing is a technique security researchers use to gather information about infected PCs: a domain that a botnet uses to control its zombies is re-pointed at a server outside the botnet operator’s control, so every infected machine that tries to phone home reveals itself to the researcher rather than to the criminals.

Researchers like Huessy share that data with Shadowserver, which then distributes it to CERTs and network operators that can use that data to clean up a threat.
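The pipeline the two paragraphs above describe, from sinkhole log to per-network-owner report, can be sketched in a few dozen lines. The following is an added example written for this page; it is not code from the article, from Huessy’s sinkhole, from Shadowserver or from Microsoft. Every domain, address range and log line in it is constructed, and the `NETWORK_OWNERS` table stands in for the routing and WHOIS data a real feed would use. It goes one step beyond the text: `visibility_after_seizure` models what the article reports happening when a third party takes over domains a researcher had already sinkholed, namely that the infected hosts beaconing to those domains disappear from the original feed.

```python
"""Toy sinkhole telemetry pipeline (added example, all data constructed).

Infected hosts that phone home to a sinkholed domain leave a line in the
sinkhole's access log. This turns such lines into the kind of per-owner
infection report Shadowserver distributes, and measures what the feed loses
when some of the sinkholed domains are seized and redirected elsewhere.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Constructed: botnet C2 domains that this sinkhole currently answers for.
SINKHOLED_DOMAINS = {"c2-a.example", "c2-b.example", "c2-c.example"}

# Constructed: which network owner is responsible for which address range.
NETWORK_OWNERS = {
    "ExampleISP": ["198.51.100.0/24"],
    "ExampleCorp": ["203.0.113.0/25"],
}

# Constructed sinkhole access log: timestamp, source IP, Host header, path.
SAMPLE_LOG = """\
2013-06-07T10:00:01Z 198.51.100.23 c2-a.example /file.php
2013-06-07T10:00:04Z 198.51.100.23 c2-a.example /file.php
2013-06-07T10:00:09Z 203.0.113.7 c2-b.example /file.php
2013-06-07T10:00:12Z 198.51.100.77 c2-c.example /file.php
2013-06-07T10:00:15Z 203.0.113.200 c2-b.example /file.php
2013-06-07T10:00:17Z 192.0.2.9 c2-a.example /file.php
this line is garbage and must be skipped
2013-06-07T10:00:20Z 203.0.113.7 not-ours.example /robots.txt
"""


@dataclass(frozen=True)
class Hit:
    """One infected host phoning home to a sinkholed domain."""
    ts: str
    src: ipaddress.IPv4Address
    domain: str


def parse_log(text: str, sinkholed: set[str]) -> list[Hit]:
    """Parse sinkhole log lines, keeping only hits for domains we sinkhole.

    Malformed lines, unparsable addresses and requests for domains we do not
    hold (scanner noise, typos) are dropped rather than reported as infections.
    """
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, src, domain, _path = parts
        try:
            addr = ipaddress.IPv4Address(src)
        except ValueError:
            continue
        if domain.lower() in sinkholed:
            hits.append(Hit(ts, addr, domain.lower()))
    return hits


def attribute(hits: list[Hit], owners=NETWORK_OWNERS) -> dict[str, set]:
    """Group infected source IPs by the network owner who can clean them up.

    Addresses in no known range are collected under 'unattributed' so that
    they are not silently lost from the report.
    """
    nets = {o: [ipaddress.ip_network(n) for n in ns] for o, ns in owners.items()}
    report = defaultdict(set)
    for h in hits:
        for owner, ranges in nets.items():
            if any(h.src in r for r in ranges):
                report[owner].add(h.src)
                break
        else:
            report["unattributed"].add(h.src)
    return dict(report)


def drone_feed(report: dict[str, set]) -> list[str]:
    """Render the report as CSV lines, one per infected IP, in stable order."""
    lines = ["owner,ip"]
    for owner in sorted(report):
        for ip in sorted(report[owner]):
            lines.append(f"{owner},{ip}")
    return lines


def visibility_after_seizure(hits: list[Hit], seized: set[str]):
    """Model a third party taking over some of our sinkholed domains.

    Traffic to those domains now lands on their sinkhole, not ours, so the
    affected infected hosts vanish from our feed unless they also beacon to
    a domain we still hold. Returns (ips_before, ips_after, lost_ips).
    """
    before = {h.src for h in hits}
    after = {h.src for h in hits if h.domain not in seized}
    return before, after, before - after


if __name__ == "__main__":
    hits = parse_log(SAMPLE_LOG, SINKHOLED_DOMAINS)
    print("\n".join(drone_feed(attribute(hits))))
    before, after, lost = visibility_after_seizure(hits, {"c2-a.example"})
    print(f"reportable IPs: {len(before)} before seizure, {len(after)} after; lost: {sorted(map(str, lost))}")
```

Running the module prints the owner-by-owner feed and then shows that seizing a single one of the three sinkholed domains removes two of the five infected addresses from the report, which is the mechanism behind the sudden drop in reportable IPs Shadowserver describes further down the page.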

“Shadowserver will no longer be able to inform network owners about several thousand Citadel infected computers because the Citadel domain names sinkholed by has been seized by Microsoft,” Huessy noted.

Shadowserver has confirmed that its operations were hit by Microsoft’s action. Foundation spokesperson Claudio Guarnieri told CSO Australia that while Microsoft’s action was “laudable”, its failure to communicate with other researchers is a problem.

“The large seizure of domains being already sinkholed by third parties like definitely affected our operations: we observed a sudden drop on the number of infected IP addresses that we were previously able to report to our consumers. We are still seeing those numbers steadily decline,” said Guarnieri.

“Microsoft clearly is fighting on the good side and it's laudable that they're so active taking action against the bad guys. However, there should be better communication and coordination with organizations such as Shadowserver, and the larger community, which have been doing outstanding work for the public that should not stop or be affected.”

Microsoft: research should be more than observation

Microsoft makes no apologies for seizing the previously sinkholed domains, and justifies its actions on the basis that security research should go beyond mere observation.

“The security research community is doing important work on monitoring the Citadel botnet and other malware variants in the wild. Many researchers agree that the goal of research should not just be in the observation itself, but in application to help protect the public from the threat cybercrime poses,” a Microsoft spokesperson said in a statement to CSO Australia.

“The researchers who provided information for use in this operation did so because of their commitment to the application of research to help people on the internet, and their willingness to share this information is a testament to their dedication.

“Microsoft and its partners continue to capture valuable information and evidence as a result of this operation, and we remain committed to working with the community to provide intelligence uncovered in our investigations so that the whole industry can better respond collectively to these threats.”

But as Huessy stressed, the sinkhole that Microsoft steamrolled in its Citadel takedown was not just for observation and was being actively used to combat infections.

Similar to Shadowserver, Microsoft has its own infection notification program called the Cyber Threat Intelligence Program (C-TIP), under which it emails daily figures on recent malware infections to 44 ISPs and CERTs in 38 countries.

Both Shadowserver and Microsoft notify ISPs and CERTs. According to Huessy, however, Shadowserver also delivers the information directly to network owners, including major corporations, which are in a far better position to clean up infections immediately.

“Network owners are able to get the data to the right people quickly,” said Huessy. “Shadowserver has a much larger footprint than Microsoft when it comes to reporting infected computers to the responsible parties, based on the numbers I have.”

“Most companies and network owners have automated the process of grabbing the Shadowserver drone feed and feeding it directly into their system, which then, for example, automatically sends out a mail to the responsible customer and/or locks the customer's internet account.”

So was Microsoft’s Citadel takedown a PR stunt?

Microsoft has clearly stepped up its campaign against botnets in the three years since its first “legal-technical” takedown, of the Waledac botnet in 2010, but it has faced criticism along the way for allegedly using the operations to promote its own business.

A week before announcing the takedown it also launched an Azure-hosted version of C-TIP that updates every 30 seconds, and Microsoft has said the intelligence it gained in the Citadel operation will be shared with C-TIP participants. The company has also been encouraging CERTs around the world to sign up to the system, which delivers infection data to each organisation’s private cloud storage, hosted on none other than Azure.

The Microsoft spokesperson says C-TIP will not carry the seized domain names themselves, and that Microsoft is not charging for the C-TIP data “at this time”, beyond the cost to participants of setting up an Azure account.

“The information available in C-TIP is not domain names, but rather IP addresses of botnet malware victims in order to help facilitate clean-up efforts with ISPs and CERTs to help victims remove the malware from their computers.”

“Microsoft will be making the Citadel information available through its Cyber Threat Intelligence Program (C-TIP), including the recently-announced cloud-based version of the program. At this time, Microsoft provides its botnet threat intelligence data to CERTs and ISPs at no cost.”

“If CERTs and ISPs would like to participate in the cloud-based program, they will need to provision cloud storage resources in Windows Azure.”

As for claims Operation b54 was just a PR campaign, Microsoft had this to say:

“Microsoft and the FBI worked with law enforcement and others around the world in the execution of this disruption operation in order to help protect victims from the ongoing harm they were facing from Citadel on a daily basis.

As stated from the outset, the goal of this operation was to protect the public by strategically disrupting Citadel’s operation, helping quickly release victims from the threat and making it riskier and more costly for the cybercriminals to continue doing business.

As we have done in prior botnet operations, Microsoft is now able to use the intelligence gained from this operation to partner with ISPs and CERTs around the world to help rescue people’s computers from the control of Citadel, helping to reduce the size of the ongoing threat that these botnets pose and make the Internet safer for consumers and businesses worldwide.”


Stories by Liam Tung
