Microsoft torpedoes Citadel botnet infrastructure

A botnet infrastructure believed responsible for stealing more than a half-billion dollars from individuals and organizations worldwide has been crippled, Microsoft announced Wednesday evening.

Codenamed Operation b54, the takedown severed connections between some 1,400 Citadel botnets and the individual computers under their control. On the back of a seizure warrant ordered by U.S. District Court in Charlotte, N.C. in response to a lawsuit it filed, Microsoft cut off communication between the command-and-control servers and infected computers.

In addition, the software giant, assisted by the U.S. Marshals Service, "seized data and evidence from the botnets, including computer servers from two data hosting facilities in New Jersey and Pennsylvania," the company said in a news release. Microsoft also alerted computer emergency response teams (CERTs) in other countries so they can initiate their own efforts.

Citadel, described as a sophisticated cousin of the Zeus trojan, typically targets computers to steal financial information, such as bank account credentials. The crooks then use that information to login to victims' bank accounts and wire out money, to the tune of an estimated half-billion dollars.

Citadel is difficult to remove, as well. Its functionality includes blocking victims from visiting anti-virus websites where they would go to remove infections from their machines.

Richard Boscovich, assistant general counsel for the Microsoft Digital Crimes Unit, said in a statement that the dismantling won't put an end to Citadel because it is large and complex, but it will help. The company is working with internet service providers and CERTs globally to help affected computer owners purge Citadel. It's believed some five million people have been affected by the trojan across a number of countries.

"[W]e do expect that this action will significantly disrupt Citadel's operation, helping quickly release victims from the threat and making it riskier and more costly for the cyber criminals to continue doing business," Boscovich said.

This is the seventh botnet disruption operation Microsoft has led. Previous takedown efforts were directed at Rustock, Waledac, Zeus and Kelihos. The FBI, the Financial Services Information Sharing and Analysis Center (FS-ISAC) and NACHA – The Electronic Payments Association assisted Microsoft in its undertaking.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.