Microsoft just announced the successful disruption of 1462 Citadel botnets, thanks to a co-ordinated effort between numerous organisations in the private sector and the US Federal Bureau of Investigation (FBI).
You read that correctly: 1462 botnets.
→ A botnet is a collection of malware-infected computers known as bots or zombies. The zombies in a botnet can simultaneously and remotely be commanded by a cybercriminal, known as the botmaster, to do bad stuff. This includes sending out spam, logging everything typed in order to steal passwords, or attacking other people’s websites.
Not a botnet of 1462 computers, but 1462 separate botnets.
The reason that one malware family, Citadel, could end up responsible for so many distinct cybercrime operations is that Citadel isn’t just malware.
Citadel is what’s called a crimeware kit, which you can lease or buy to build your own crooked province in the cybercriminal underworld.
You don’t need to know how to write your own malware, or even how to host it, because cybercrooks are keen proponents of the cloud, providing Malware-as-a-Service to other budding crooks who want their own piece of botnet action.
Microsoft’s writeup of how the botnets were nobbled is understandably lacking in detail, not least because this is just the start of the counterstrike against the crooks.
Generally speaking, however, botnets rely on one or more command-and-control (C&C) servers from which infected computers download instructions on what to do next.
So identifying some or all of the C&C servers in a botnet operation and getting a court order to force them out of action can seriously cramp a cybercriminal operation.
If the crooks can’t distribute the next course on their “menu” to the zombies in their botnet, then the botnet is essentially emasculated.
And that’s what happened here: a co-ordinated takedown of C&C servers at two hosting companies in New Jersey and Pennsylvania.
Of course, this doesn’t deal with the C&C servers outside the USA.
To help knock those on the head, Microsoft has distributed intelligence to Computer Emergency Response Teams (CERTs) in other countries.
The hope is that the CERTs will be able to act against Citadel C&C servers in their own jurisdictions.
As you will see in the SophosLabs analysis of Citadel, one of its features is programmable DNS redirection.
This means that infected computers can be fed a false map of the internet.
Not only might you be redirected to a fake copy of your usual banking website in place of the real thing, you might also be diverted away from security updates (and from security-related websites).
This makes it much more difficult to clean up your infection, thus giving the crooks even longer in covert control of your PC.
So, while we congratulate Microsoft, its many private-sector partners, and the FBI for taking on the cybercriminals, let’s not forget the role that the rest of us can play here.
After all, there are two sides to dismantling a botnet: you can remove the “net” part (in other words, take down the C&C servers), and you can remove the “bot” part (in other words, clean up infected computers).
If we all do our bit to ensure that we aren’t helping the crooks by allowing ourselves to be co-opted into a botnet in the first place, we’ll cut off the source of their of ill-gotten gains.
by Paul Ducklin