Microsoft criticized for botnet takedown tactics

Microsoft has come under fire for the recent takedown of the Citadel botnet, which some security researchers claim disrupted their legitimate operations while having no long-lasting impact on Internet security.

Last week, Microsoft announced that it had disrupted more than 1,400 botnets using the Citadel malware, which affected more than 5 million people worldwide. Microsoft called the action Operation b54.

The criminal operation distributed keylogging malware that recorded the victims' usernames and passwords when logging into banking and other web sites. Losses tied to Citadel exceeded $500 million, said Microsoft.

Citadel was the seventh Microsoft-led operation against botnets. While some researchers commend the company for causing financial pain to cybercriminals, other researchers see the operations as public relations stunts that run roughshod over their work to battle botnets.

A Swiss researcher in the nonprofit organization said in a recent blog post that roughly a quarter of the 4,000 domain names seized by Microsoft and redirected to its server were actually pointed to the systems of researchers gathering information on Citadel.

"In my opinion, [Microsoft's] operation didn't have any big noteworthy impact on Citadel, rather than disturbing research projects of several security researchers and non-profit organizations, including," the unidentified researcher said. "In my opinion, Operation b54 was nothing more than a PR campaign by Microsoft."

Infected computers in a botnet locate their command-and-control (C&C) servers by resolving these domain names; the C&C servers send back configuration files containing many settings, such as where to send stolen data. Researchers will often seize the domain names and repoint them at servers of their own, called sinkholes, so that the infected computers check in with the researchers instead of the criminals and the botnet can be studied.


In the case of, the information it gathers is handed over to another nonprofit research organization, the Shadowserver Foundation. Shadowserver in turn sends the information it receives from researchers to more than 1,500 organizations and 60 national Computer Emergency Response Teams (CERTs).

The data gathered by researchers include the IP addresses of infected systems, with the time of each check-in. This is particularly important because organizations that receive Shadowserver's reports can check whether any of those addresses fall within their own networks and clean the machines behind them.
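The check described above, as an added example that is not code from the article, Microsoft or Shadowserver: a sinkhole records the source address of every bot that checks in, and a recipient organization matches those addresses against the networks it has registered. The log format, the C&C domain names (all under the reserved .invalid TLD) and the network list are assumptions constructed for this example; only documentation/reserved address ranges are used.

```python
"""
Match sinkhole check-in records against an organization's own address space.

Added example, not code from the article or from any sinkhole operator. The
log format and the organization's network list are constructed assumptions.
"""
import ipaddress
from collections import defaultdict

# Constructed sample of what a sinkhole might log per bot check-in:
# timestamp, source IP, seized C&C domain the bot tried to reach.
# One line is deliberately malformed to show the parser skipping it.
SINKHOLE_LOG = """\
2013-06-06T12:00:01Z 192.0.2.15 cnc-example-1.invalid
2013-06-06T12:00:07Z 198.51.100.200 cnc-example-2.invalid
2013-06-06T12:00:09Z 192.0.2.15 cnc-example-1.invalid
2013-06-06T12:01:30Z 203.0.113.77 cnc-example-3.invalid
2013-06-06T12:02:00Z not-an-ip cnc-example-3.invalid
2013-06-06T12:02:45Z 2001:db8::42 cnc-example-2.invalid
"""

# Constructed recipient networks, the kind of list an organization would
# register with a data-sharing programme. All values are reserved ranges.
ORG_NETWORKS = {
    "corp-lan": ["192.0.2.0/24", "2001:db8::/32"],
    "guest-wifi": ["203.0.113.64/26"],
}


def parse_sinkhole_log(text):
    """Yield (timestamp, ip_address, domain) for each well-formed line.
    Malformed lines (wrong field count, unparsable IP) are skipped so one
    bad record cannot abort processing of the whole feed."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        ts, raw_ip, domain = parts
        try:
            ip = ipaddress.ip_address(raw_ip)
        except ValueError:
            continue
        yield ts, ip, domain


def build_network_index(org_networks):
    """Return a list of (network, label) pairs ready for containment checks.
    strict=True rejects CIDRs with host bits set, a common config typo."""
    index = []
    for label, cidrs in org_networks.items():
        for cidr in cidrs:
            index.append((ipaddress.ip_network(cidr, strict=True), label))
    return index


def match_victims(log_text, org_networks):
    """Map each network label to the infected IPs seen checking in from that
    network, and for each IP the sorted list of C&C domains it contacted
    (useful context when notifying the machine's owner)."""
    index = build_network_index(org_networks)
    hits = defaultdict(lambda: defaultdict(set))
    for _ts, ip, domain in parse_sinkhole_log(log_text):
        for net, label in index:
            # Explicit version check for clarity; ipaddress already returns
            # False for a v4/v6 mismatch rather than raising.
            if ip.version == net.version and ip in net:
                hits[label][str(ip)].add(domain)
    return {label: {ip: sorted(doms) for ip, doms in ips.items()}
            for label, ips in hits.items()}


def report(hits):
    """Render the match result as one line per affected host."""
    lines = []
    for label in sorted(hits):
        for ip in sorted(hits[label]):
            lines.append(f"{label}: {ip} contacted {', '.join(hits[label][ip])}")
    return lines


if __name__ == "__main__":
    for line in report(match_victims(SINKHOLE_LOG, ORG_NETWORKS)):
        print(line)
```

Two details matter in practice: a sinkhole feed will contain garbage (the parser drops it instead of raising), and the containment test must handle IPv6 bots alongside IPv4 ones, which the standard library's ipaddress objects do without special casing. Repeated check-ins from the same host collapse to one report line, so a noisy bot does not flood the output.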

Microsoft said it plans to send information from its sinkholes to "key researchers," such as Shadowserver, so victims can be notified and their computers cleaned of malware.

"As stated from the outset, the goal of this operation was to protect the public by strategically disrupting Citadel's operation, helping quickly release victims from the threat and making it riskier and more costly for the cybercriminals to continue doing business," said Richard Boscovich, assistant general counsel for Microsoft Digital Crimes Unit, on Wednesday.

Also irking some researchers are the configuration files Microsoft sends to the computers of victims trapped in the botnet. Citadel's own configuration files, distributed by the botnet operators, had included a module that prevented infected computers from downloading antivirus applications. The replacement files served from Microsoft's sinkhole notified victims that their systems were infected and freed the computers to download antivirus software to remove the malware.

While supporting Microsoft's operation in general, Chester Wisniewski, a senior security adviser for Sophos, said some security pros are against any vendor modifying a person's computer without permission, even if the intention is good. "For some of the more hardcore security research people, that's a very dangerous precedent to set," he said.

Boscovich argued that Microsoft did not change victims' computers, but rather brought them back to the state they were in before the infection. In addition, the federal court order that permitted Microsoft and the Federal Bureau of Investigation to disrupt the botnet also allowed the company to distribute configuration files to any infected computer checking into the "U.S.-based command and control structure for Citadel under the court's jurisdiction."

"For command-and-control infrastructure in other countries, we have relied on the voluntary assistance of CERTs in each country to determine the appropriate approach, pursuant to local law and considerations," Boscovich said.

Rather than flashy botnet takedowns, some researchers believe stronger laws, tougher enforcement and designing security into the application, network and operating system layers of a computer would be more effective.

Microsoft's strategy of seizing domain names to disrupt botnets can also push cybercriminals toward more resilient designs, according to the researcher. For example, in 2011, when researchers were aggressively shutting down the command-and-control domains of the ZeuS-Licat botnet (also known as Murofet), the operators switched to a peer-to-peer architecture for distributing commands to infected systems, removing the central domains that a takedown could seize.

Such an architecture made the botnet traffic harder to detect on the networks of Internet service providers and even harder to block, the blog said.

While experts agree that Microsoft damaged the Citadel botnet, they also say the operators will be back. "This is a big blow to the criminals, but it certainly isn't going to put them out of business," Wisniewski said.

By Antone Gonsalves, CSO Online