Microsoft torpedoes Citadel botnet infrastructure

A botnet infrastructure believed responsible for stealing more than a half-billion dollars from individuals and organizations worldwide has been crippled, Microsoft announced Wednesday evening.

Codenamed Operation b54, the takedown severed connections between some 1,400 Citadel botnets and the individual computers under their control. On the back of a seizure warrant ordered by U.S. District Court in Charlotte, N.C. in response to a lawsuit it filed, Microsoft cut off communication between the command-and-control servers and infected computers.

In addition, the software giant, assisted by the U.S. Marshals Service, "seized data and evidence from the botnets, including computer servers from two data hosting facilities in New Jersey and Pennsylvania," the company said in a news release. Microsoft also alerted computer emergency response teams (CERTs) in other countries so they can initiate their own efforts.

Citadel, described as a sophisticated cousin of the Zeus trojan, typically targets computers to steal financial information, such as bank account credentials. The crooks then use that information to log in to victims' bank accounts and wire out money, to the tune of an estimated half-billion dollars.

Citadel is difficult to remove, as well. Its functionality includes blocking victims from visiting anti-virus websites where they would go to remove infections from their machines.
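The article does not say how Citadel blocks anti-virus sites. One common mechanism in Zeus-family malware is rewriting the local hosts file so that security-vendor domains resolve to loopback or a bogus address, and the following added example (not code from the article, Microsoft or any Citadel analysis) shows how an incident responder could check a hosts file for that symptom. The watched-domain list, the sample hosts content and the function names are constructed for the example.

```python
"""
Scan hosts-file contents for entries that hijack security-vendor domains.

Assumption (not stated in the article): the AV-site blocking is done through
the hosts file, a technique seen in Zeus-family malware. Entries that map a
watched domain to a loopback/unspecified address are reported as "sinkholed";
entries that map it elsewhere are reported as "redirected" (possible
man-in-the-middle or fake update site).
"""
import ipaddress
from pathlib import Path

# Constructed watch list of registrable domains belonging to security vendors
# and update services a victim would use to disinfect a machine.
WATCHED_DOMAINS = {
    "microsoft.com", "symantec.com", "kaspersky.com",
    "mcafee.com", "sophos.com", "avast.com",
}

# Constructed sample hosts file: two legitimate lines plus four tampered ones.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.symantec.com
127.0.0.1       update.microsoft.com    # comment after entry
0.0.0.0         kaspersky.com
192.0.2.44      www.sophos.com
"""


def parse_hosts(text):
    """Yield (ip, hostname) pairs, skipping comments, blanks and malformed lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing/leading comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue                          # an IP with no names is not an entry
        ip, *names = parts
        for name in names:
            yield ip, name.lower().rstrip(".")


def registrable_domain(hostname):
    """Crude registrable-domain extraction: last two labels (no public-suffix list)."""
    labels = hostname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else hostname


def is_sinkhole_address(ip):
    """True for loopback (127/8, ::1), 0.0.0.0/:: or an unparsable address."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True                           # garbage address still blocks resolution
    return addr.is_loopback or addr.is_unspecified


def find_hijacked_entries(text, watched=WATCHED_DOMAINS):
    """Return (hostname, ip, reason) for every watched domain found in the file."""
    findings = []
    for ip, name in parse_hosts(text):
        if registrable_domain(name) in watched:
            reason = "sinkholed" if is_sinkhole_address(ip) else "redirected"
            findings.append((name, ip, reason))
    return findings


def scan_hosts_file(path):
    """Scan an on-disk hosts file; returns the same tuples as find_hijacked_entries."""
    return find_hijacked_entries(Path(path).read_text(encoding="utf-8", errors="replace"))


if __name__ == "__main__":
    # Offline demonstration against the constructed sample.
    for host, ip, why in find_hijacked_entries(SAMPLE_HOSTS):
        print(f"{why:10s} {host:28s} -> {ip}")
```

On Windows the file to pass to `scan_hosts_file` is `%SystemRoot%\System32\drivers\etc\hosts`; on Linux and macOS it is `/etc/hosts`. A clean file normally contains only `localhost` entries, so any hit on a security-vendor domain is worth investigating, and a loopback mapping is a strong indicator that the machine should be cleaned from offline media rather than by browsing to the vendor's site.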

Richard Boscovich, assistant general counsel for the Microsoft Digital Crimes Unit, said in a statement that the dismantling won't put an end to Citadel because it is large and complex, but it will help. The company is working with internet service providers and CERTs globally to help affected computer owners purge Citadel. It's believed some five million people have been affected by the trojan across a number of countries.

"[W]e do expect that this action will significantly disrupt Citadel's operation, helping quickly release victims from the threat and making it riskier and more costly for the cyber criminals to continue doing business," Boscovich said.

This is the seventh botnet disruption operation Microsoft has led. Previous takedown efforts were directed at Rustock, Waledac, Zeus and Kelihos. The FBI, the Financial Services Information Sharing and Analysis Center (FS-ISAC) and NACHA – The Electronic Payments Association assisted Microsoft in its undertaking.
