Categories: PCSecurityWorkspace

Microsoft Removes Million PCs From Citadel Botnet Clutches

Microsoft’s botnet purge continues after its Digital Crimes Unit revealed that it, along with the FBI and financial firms – have successfully disrupted a collection of botnets running on the Citadel Trojan.

It revealed that more than 1.2 million computers have been freed from the control of cybercriminals.

Conservative Numbers

On 6 June, Microsoft announced that it had executed its seventh operation against botnet operators, aiming to significantly disrupt a collection of nearly 1,500 botnets running on the Citadel Trojan. Normally, computers compromised with Citadel would attempt to connect to certain domains and receive orders, but Microsoft and computer emergency response teams around the world redirected many of those domains.

The domains that Microsoft gained control of through a court order were redirected, or “sinkholed,” to company-controlled infrastructure, which Microsoft monitors to gauge the size of the botnets.

In the first week, more than 1.2 million unique IP addresses connected more than 178 million times to the sinkhole servers, Richard Boscovich, assistant general counsel of Microsoft’s Digital Crimes Unit, told eWEEK. While gauging how many infected computers are behind each Internet address is difficult, Microsoft estimates that 1.2 million is the minimum.

“That is a very conservative number,” he said. “We feel that is the minimum number of computers that we have liberated. There could be multiple computers using one IP; if so, then it could be a larger number.”

Microsoft has indications that as many as 2 million computers may be reporting to the company-controlled sinkhole, but that number is less certain, Boscovich said.

Botnet Takedown

The takedown continues Microsoft’s private war against botnet operators. Starting with Waledac in March 2010, the company has partnered with other technology firms to gather data on a variety of botnets, built civil cases against the botnet operators, and then seized the domains and command-and-control servers of those operators.

After Waledac, the company targeted Rustock, Kelihos, Zeus, Nitol and Bamital. The takedowns have all been successful at disrupting the cyber-criminals’ botnet operations, at least for some time. For example, Microsoft managed in March 2011 to completely take down the Rustock botnet, which resulted in a massive drop in the amount of spam sent out to the Internet.

In the latest takedown, Microsoft gathered intelligence on the Citadel botnets by working with Agari, a company that tracks phishing e-mails sent to customers from malicious botnet campaigns. The company would report the malicious URLs to Microsoft to allow them to focus on the latest incarnation of the Citadel botnets, Patrick Peterson, CEO of Agari, told eWEEK.

“During the course of our investigation, we were feeding them 2.5 million malicious Citadel URLs every month,” Peterson said. “This would be an email that pops up in a consumer’s email inbox and tries to get them to click. And when you click it starts the infection lifecycle.”

Following the seizure of key command-and-control servers and the redirection of the domains used by the botnets to communicate with infected computers, Microsoft has monitored the number of computers that connect to its sinkhole servers.

The company also reversed the black list and white list used by the Citadel Trojan, blocking infected systems from going to malicious command-and-control servers and allowing them to contact Microsoft’s servers to get security updates from their antivirus vendor.

“We think we had a pretty powerful impact on Citadel,” Boscovich said. “We still have some preliminary numbers, so we will keep watching, and we will also work a little bit closer with our partners overseas to get an idea of what they are seeing.”

What do you know about Internet security? Find out with our quiz!

Originally published on eWeek.

Robert Lemos

Robert Lemos covers cyber security for TechWeekEurope and eWeek

Recent Posts

Spyware Maker NSO Group Found Liable In US Court

Landmark ruling finds NSO Group liable on hacking charges in US federal court, after Pegasus…

2 days ago

Microsoft Diversifying 365 Copilot Away From OpenAI

Microsoft reportedly adding internal and third-party AI models to enterprise 365 Copilot offering as it…

2 days ago

Albania Bans TikTok For One Year After Stabbing

Albania to ban access to TikTok for one year after schoolboy stabbed to death, as…

2 days ago

Foldable Shipments Slow In China Amidst Global Growth Pains

Shipments of foldable smartphones show dramatic slowdown in world's biggest smartphone market amidst broader growth…

2 days ago

Google Proposes Remedies After Antitrust Defeat

Google proposes modest remedies to restore search competition, while decrying government overreach and planning appeal

2 days ago

Sega Considers Starting Own Game Subscription Service

Sega 'evaluating' starting its own game subscription service, as on-demand business model makes headway in…

2 days ago