Microsoft Citadel takedown ultimately counterproductive

Last week’s disruption of nearly 1500 Citadel botnets believed to be responsible for over half a billion US dollars in financial fraud and affecting more than five million people in 90 countries has been welcomed by most security experts, but not all.

According to Swiss security expert Roman H??ssy who runs the Zeus, SpyEye and Palevo Trackers, the action effected by Microsoft in conjunction with the FBI and several industry partners has inflicted considerable damage to his and other researchers’ efforts.

“As a security researcher I spend a lot of time in researching botnets in my spare time, and abuse.ch is running such a sinkhole as well. The goal is simple: sinkhole malicious botnet domains (not only limited to any specific Trojan / malware family) and report them to Shadowserver,” he explains.

“Shadowserver, a non-profit organisation like abuse.ch, then informs the associated network owners about the infections reported by my sinkhole, in addition to infections reported by their own sinkholes and sinkholes run by other operators. In fact, every Computer Emergency Response Team, Internet Service Provider and network owner can get a feed from Shadowserver for their country / network for free.”

But with the recent takedown, a number of domains he sinkholed started pointing to a server in Microsoft’s network range. Additional research revealed that over 300 domain names that where sinkholed (and appropriately tagged) by him were also “seized” by Microsoft.

“I’ve talked to several other sinkhole operators asking them about their experience with Microsoft. All of them confirmed to me that several dozens and for some operators even hundreds of Citadel domain names they had sinkholed have been seized by Microsoft as well,” he wrote late last week.

“Calculating the numbers together, I can say that nearly 1000 domain names out of the ~4000 domain names seized by Microsoft had already been sinkholed by security researchers. In fact these ~1k domain names did no longer present a threat to internet users, but were actually used to help to make the internet a better place.”

And apparently this is not the first time Microsoft has done so. When last year the company disrupted a number of Zeus botnets, it also seized several hundred domain names that were already sinkholed by abuse.ch.

Another problem he sees is that Microsoft is actively sending out valid Citadel configuration files to the connecting bots. Even though they make the AV solutions on compromised computers again capable of downloading the most recent malware definitions (and thusly spot the malware) and contact only Microsoft’s servers, this move is illegal in most countries. “Sending out valid configuration files de facto changes settings of a computer without the consent or knowledge of the user (computer owner),” he points out.

Lastly, he says that this move will only spur cyber crooks to implement new countermeasures, which will likely involve updating their software to include P2P techniques to send commands to bots or encrypted communication between the bot herders and their bots.

“The problem with cybercrime is that it can’t be solved with doing takedowns. It’s only possible to solve this issue by implementing legislation related to cybercrime, enforce them by getting bad actors arrested and implementing security by design on different layers,” says H??ssy, adding that even though Microsoft’s operation might have partly reached its goal, the result is only temporary.