A quarter of the Citadel botnet’s 4,000 command and control domains that Microsoft seized last week in “operation b54” were actually being used by researchers to combat the botnet and others like it, according to a security researcher.
Microsoft struck down over 1,400 Citadel networks in its seventh botnet takedown to date. Sanctioned by a court order, it seized data at two hosts in the US and laid claim to 4,000 domains it said were used for “controlling, maintaining and growing” the botnet.
All of the domains were once malicious, but Roman Huessy, a botnet hunter and researcher at the Swiss security site abuse.ch, claims that 1,000 of them had already been rendered harmless because they were “sinkholed” domains.
Worse, Microsoft’s “PR campaign” that was Operation b54 ruined a source of live infection data for the Shadowserver Foundation, a volunteer-based botnet fighting group that distributes threat data to over 1,500 network operators and around 70 computer emergency response teams (CERTs).
“Microsoft seized not only malicious domain names operated by cybercriminals to control computers infected with Citadel, but also Citadel botnet domain names that had already been sinkholed by abuse.ch a while ago,” Huessy reported on Friday.
Huessy himself lost 300 domains from his Citadel sinkhole, while other researchers affected by the takedown lost around 700 more. The domains now point to Microsoft’s own sinkhole.
Sinkholing is a technique security experts use to gather information about infected PCs that attempt to connect to the domains a botnet uses to control its network of zombies. Traffic to domains that have been sinkholed is redirected to a server outside the botnet operator’s control, so each connection attempt reveals the address of an infected machine rather than reaching the criminals.
Researchers like Huessy share that data with Shadowserver, which then distributes it to CERTs and network operators that can use that data to clean up a threat.
“Shadowserver will no longer be able to inform network owners about several thousand Citadel infected computers because the Citadel domain names sinkholed by abuse.ch has been seized by Microsoft,” Huessy noted.
Shadowserver has also confirmed that its operations were affected by Microsoft’s action. Foundation spokesperson Claudio Guarnieri told CSO Australia that while Microsoft’s action was “laudable”, its failure to communicate with other researchers is a problem.
“The large seizure of domains being already sinkholed by third parties like Abuse.ch definitely affected our operations: we observed a sudden drop on the number of infected IP addresses that we were previously able to report to our consumers. We are still seeing those numbers steadily decline,” said Guarnieri.
“Microsoft clearly is fighting on the good side and it's laudable that they're so active taking action against the bad guys. However, there should be a better communication and coordination with organizations such as Shadowserver, Abuse.ch and the larger community, which have been doing an outstanding work for the public that should not stop or be affected.”
Microsoft: research should be more than observation
Microsoft makes no apologies for seizing the previously sinkholed domains, and justifies its actions on the basis that security research should go beyond mere observation.
“The security research community is doing important work on monitoring the Citadel botnet and other malware variants in the wild. Many researchers agree that the goal of research should not just be in the observation itself, but in application to help protect the public from the threat cybercrime poses,” a Microsoft spokesperson said in a statement to CSO Australia.
“The researchers who provided information for use in this operation did so because of their commitment to the application of research to help people on the internet, and their willingness to share this information is a testament to their dedication.
“Microsoft and its partners continue to capture valuable information and evidence as a result of this operation, and we remain committed to working with the community to provide intelligence uncovered in our investigations so that the whole industry can better respond collectively to these threats.”
But as Huessy stressed, the sinkhole that Microsoft steamrolled in its Citadel takedown was not just for observation and was being actively used to combat infections.
Similar to Shadowserver, Microsoft has its own infection notification program called the Cyber Threat Intelligence Program (C-TIP), under which it emails daily figures on recent malware infections to 44 ISPs and CERTs in 38 countries.
Both Shadowserver and Microsoft notify ISPs and CERTs. According to Huessy, however, Shadowserver also provides the information directly to network owners, including major corporations, which are in a better position to clean up infections immediately.
“Network owners are able to get the data to the right people quickly,” said Huessy. “Shadowserver has a much larger footprint than Microsoft when it comes to reporting infected computers to the responsible parties, based on the numbers I have.”
“Most companies and network owners have automated the process of grabbing the Shadowserver drone feed and feeding it directly into their system, which then, for example, automatically sends out a mail to the responsible customer and/or locks the customer’s internet account.”
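To make concrete what a sinkhole actually yields and what the automated consumers Huessy describes rely on, here is an added example (not code from abuse.ch, Shadowserver or Microsoft). It processes a constructed sinkhole connection log, groups victim IPs by a constructed network-owner table standing in for an ASN lookup, and measures how much reporting visibility is lost when some of the sinkholed domains are moved to another party’s sinkhole. All log lines, domains and owner names are invented.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sinkhole log: "timestamp source_ip requested_host". Each line is a
# bot trying to reach a C&C domain that now resolves to the research sinkhole.
SINKHOLE_LOG = """\
2013-06-07T10:00:01 203.0.113.10 cc1.example
2013-06-07T10:00:02 203.0.113.11 cc2.example
2013-06-07T10:00:05 198.51.100.7 cc1.example
2013-06-07T10:00:09 198.51.100.7 cc3.example
2013-06-07T10:01:00 192.0.2.33 cc3.example
2013-06-07T10:01:30 203.0.113.10 cc2.example
"""

# Constructed prefix-to-owner table (hypothetical names), in place of a real
# ASN / abuse-contact lookup.
NETWORK_OWNERS = {
    ip_network("203.0.113.0/24"): "ExampleISP",
    ip_network("198.51.100.0/24"): "ExampleCorp",
    ip_network("192.0.2.0/24"): "ExampleUni",
}

def owner_of(ip):
    """Map a victim IP to the party responsible for notifying/cleaning it."""
    addr = ip_address(ip)
    for net, owner in NETWORK_OWNERS.items():
        if addr in net:
            return owner
    return "unknown"

def build_drone_feed(log_text, sinkholed_domains):
    """Return {owner: sorted victim IPs} for hits on domains this sinkhole still controls.

    This per-owner view is what an ISP's automated notification pipeline consumes."""
    victims = defaultdict(set)
    for line in log_text.splitlines():
        _ts, src_ip, host = line.split()
        if host in sinkholed_domains:      # hits on domains we no longer hold are invisible
            victims[owner_of(src_ip)].add(src_ip)
    return {owner: sorted(ips) for owner, ips in victims.items()}

def visibility_loss(log_text, before, seized):
    """(victims reportable before, after, and the IPs lost) once `seized` domains move elsewhere."""
    old = {ip for ips in build_drone_feed(log_text, before).values() for ip in ips}
    new = {ip for ips in build_drone_feed(log_text, before - seized).values() for ip in ips}
    return len(old), len(new), sorted(old - new)
```

Victims that only ever contacted the seized domains disappear from the feed entirely, which is the "sudden drop" Guarnieri describes; the other sinkhole operator now sees them instead, and only they can notify the owner.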
So was Microsoft’s Citadel takedown a PR stunt?
Microsoft has clearly stepped up its campaign against botnets in the three years since its first “legal-technical” takedown, of the Waledac botnet in 2011, but it has faced criticism along the way for allegedly using the operations to promote its own business.
A week before announcing the takedown it also launched an Azure cloud-hosted version of C-TIP that updates every 30 seconds, and Microsoft has said the intelligence it gained in the Citadel operation will be shared with C-TIP participants. The company has also been encouraging CERTs around the world to sign up to the system, which distributes infection data to each organisation’s private cloud, hosted on none other than Azure.
The Microsoft spokesperson claims it will not specifically use the domains it seized in C-TIP and that it is not charging for the data in C-TIP “at this time” -- bar the cost of setting up an Azure account.
“The information available in C-TIP is not domain names, but rather IP addresses of botnet malware victims in order to help facilitate clean-up efforts with ISPs and CERTs to help victims remove the malware from their computers.”
“Microsoft will be making the Citadel information available through its Cyber Threat Intelligence Program (C-TIP), including the recently-announced cloud-based version of the program. At this time, Microsoft provides its botnet threat intelligence data to CERTs and ISPs at no cost.”
“If CERTs and ISPs would like to participate in the cloud-based program, they will need to provision cloud storage resources in Windows Azure.”
As for claims Operation b54 was just a PR campaign, Microsoft had this to say:
“Microsoft and the FBI worked with law enforcement and others around the world in the execution of this disruption operation in order to help protect victims from the ongoing harm they were facing from Citadel on a daily basis.
As stated from the outset, the goal of this operation was to protect the public by strategically disrupting Citadel’s operation, helping quickly release victims from the threat and making it riskier and more costly for the cybercriminals to continue doing business.
As we have done in prior botnet operations, Microsoft is now able to use the intelligence gained from this operation to partner with ISPs and CERTs around the world to help rescue people’s computers from the control of Citadel, helping to reduce the size of the ongoing threat that these botnets pose and make the Internet safer for consumers and businesses worldwide.”