Microsoft And FBI Hit 1,500 Citadel Botnets

More than a thousand botnets running the Citadel banking malware, earning the operators over $500 million, have been disrupted as a result of a collaborative investigation involving Microsoft and the FBI.

But security experts believe Citadel, one of the most prevalent pieces of financial malware, will continue to cause plenty of strife for online bankers.

Microsoft said upwards of five million people have been affected by Citadel, which carries out keylogging on victims’ machines to pick up bank account logins.

As with previous Microsoft-led botnet shutdowns, the tech titan received permission from a US court to cut off communication between botnets – in this case 1,462 Citadel botnets – and the millions of infected computers under their control.

Citadel botnets will live on

Microsoft, accompanied by law enforcement marshals, seized computer servers from two data hosting facilities in New Jersey and Pennsylvania on 5 June.

International Computer Emergency Response Teams (CERTs) have been informed of the action and “could take action at their discretion on additional command and control infrastructure for the botnets located outside of the US”.

Microsoft admitted the action won’t kill off Citadel, due to the “size and complexity of the threat”. “However, it is expected that this action will significantly disrupt the botnets’ operation, making it riskier and more expensive for the cyber criminals to continue doing business and allowing victims to free their computers from the malware,” it said.

Others agree Citadel, which is based on the better-known Zeus malware, will carry on stealing money from banks. Jason Steer, EMEA product manager at security firm FireEye, told TechWeekEurope the Citadel code “will simply move from one place to another, temporarily reducing the threat from this variant”.

“The worry is that there are hundreds, if not thousands, of other Citadel and Zeus variants in the wild and so the threat posed to online banking users is only marginally reduced by this takedown,” Steer added.

“Today, hackers using sophisticated malware to execute APT attacks are able to maintain their presence through more advanced means.

“For instance, we are now seeing evidence of C&C servers on high-profile public forums such as Google+, Twitter and Yahoo, which means that takedowns of this nature are very difficult to achieve.”

Rik Ferguson, director of security research and communication for Trend Micro, added: “I have seen headlines along the lines of ‘cyber crime ring takedown’ and that is definitely not what this is. Citadel is commercial off-the-shelf malware, an offshoot of the ZeuS source code. So whilst the removal of criminal infrastructure is a good thing, it certainly isn’t an end to Citadel or even the criminals behind this specific operation.”


Thomas Brewster

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.
