A coalition comprising Microsoft, the FBI, financial industry companies and technology firms has taken out more than 1,400 botnets that used the Citadel Trojan to steal victims’ online banking credentials and personal identity information, following an investigation launched in 2012.
“This was a lengthy process, and we relied heavily on our financial services and technology industry partners to ensure that we would be able to take aggressive action against this threat,” Richard Boscovich, assistant general counsel at the Microsoft Digital Crimes Unit, told TechNewsWorld.
Microsoft filed a civil suit last week against 82 alleged botnet operators and cut communications between the botnets and millions of infected PCs they controlled. Escorted by United States Marshals, Microsoft representatives on Wednesday seized computer servers from two data-hosting facilities in New Jersey and Pennsylvania. [*Editor’s Note – June 7, 2013]
Redmond and the FBI have notified appropriate organizations abroad, and the FBI has served court-authorized search warrants related to the botnets in the U.S.
“I believe we shared some information with our foreign law enforcement partners,” FBI spokesperson Jenny Shearer told TechNewsWorld. However, she could not confirm whether any arrests were made, or say how badly the botnet operators were hit.
How the Citadel Was Breached
Agari, which protects customers against email threats, “detected phish from these botnets as soon as they started targeting our customers,” Bob Pratt, the company’s vice president of products, told TechNewsWorld. The firm alerted customers and provided Microsoft with specific information about the technology used in the phishing attempts.
Redmond used proprietary tools, as well as tools from its industry partners, to monitor the malware’s activities and identify the botnets’ alleged operators, he added.
Microsoft alleges John Doe 1 named in its suit may have created and maintained the botnet, and may be in Eastern Europe, Boscovich said. The other operators are believed to be located around the world.
What’s a Citadel and What Does It Do?
Citadel is a banking Trojan that has been around since 2011, according to Symantec. It is offered as a full crimeware kit with payload builders, a command-and-control (C&C) server infrastructure, and configuration scripts to target various banks, all for a measly US$3,000.
Citadel is an enhancement of the source code of the Zeus Trojan, which was first seen in 2007 in an attack on the U.S. Department of Transportation. In 2010, the FBI arrested more than 90 suspected U.S. members of an international cybercrime ring that used Zeus to steal about $70 million; suspects were also picked up in the UK and Ukraine.
Several versions of Citadel exist. In 2012, Seculert alleged that the cybercriminals behind Citadel had adopted an open source-style development model, taking feature requests and bug reports from the customers who bought the kit.
What Else Citadel Did
In May 2012, the FBI warned that Citadel was being used to deliver the Reveton ransomware.
The Citadel Trojan has hit more than 5 million people worldwide and caused more than $500 million in losses among consumers and businesses around the world, Microsoft said.
Citadel blocked antivirus and antimalware programs from accessing their home sites, so they could not remove it — but these programs can now function as designed, Boscovich remarked.
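The article does not say how Citadel kept security products from reaching their vendors’ sites. One technique malware of this kind commonly uses is rewriting the Windows hosts file (%SystemRoot%\System32\drivers\etc\hosts) so that vendor and update domains resolve to a loopback or attacker-chosen address. The script below is an added example written for this page, not code from Microsoft, Citadel or any of the companies quoted: it parses a hosts file and flags entries that pin a security-vendor name to a sink address or to some other unexpected host. The vendor list, the sink-address list and the sample hosts file are all constructed assumptions for the example.

```python
import ipaddress

# Security-vendor domains to watch for. This list is an assumption for the
# example, not one taken from the article or from Citadel's configuration.
WATCHED_DOMAINS = {
    "microsoft.com", "windowsupdate.com", "symantec.com", "mcafee.com",
    "kaspersky.com", "avast.com", "sophos.com", "trendmicro.com",
}

# Addresses commonly used to black-hole a name in the hosts file.
SINK_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text):
    """Yield (ip, hostname, line_no) for each mapping in a hosts file.

    Comments (#...) and blank lines are skipped; one address may map
    several names on the same line.
    """
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        ip, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # first field is not an address, so not a hosts entry
        for name in names:
            yield ip, name.lower().rstrip("."), line_no


def watched_parent(hostname):
    """Return the watched domain that hostname equals or is a subdomain of, else None."""
    for domain in WATCHED_DOMAINS:
        if hostname == domain or hostname.endswith("." + domain):
            return domain
    return None


def find_blocked_vendors(text):
    """Return hosts entries that pin a watched vendor name to a sink or other address.

    Any hosts-file entry for a vendor domain is suspicious: these names are
    meant to be resolved through DNS, so a static mapping is either a
    black hole ("sinkholed") or a redirect to a host of someone's choosing.
    """
    findings = []
    for ip, name, line_no in parse_hosts(text):
        domain = watched_parent(name)
        if domain is None:
            continue
        kind = "sinkholed" if ip in SINK_ADDRESSES else "redirected"
        findings.append(
            {"line": line_no, "ip": ip, "host": name, "domain": domain, "kind": kind}
        )
    return findings


# Constructed sample: the first entries are the stock Windows ones; the rest
# imitate tampering that would keep a security product from reaching its vendor.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1  www.symantec.com liveupdate.symantec.com
0.0.0.0    update.microsoft.com   # blocks Windows Update
203.0.113.10 www.kaspersky.com
192.168.1.50 intranet.example.org
"""

if __name__ == "__main__":
    for f in find_blocked_vendors(SAMPLE_HOSTS):
        print(f"line {f['line']}: {f['host']} -> {f['ip']} ({f['kind']}, {f['domain']})")
```

On a real machine, read the hosts file into `text` and run `find_blocked_vendors` over it; an empty result only rules out this one technique, since the block can also be done by hooking name resolution inside the browser or Winsock, which this check does not see.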
Can Citadel Be Killed?
Due to Citadel’s size and complexity, Microsoft does not expect to fully eradicate botnets using the malware, Boscovich said. The cybercriminals could regain control over some of the infected computers, so victims have to disinfect their PCs as soon as possible.
Go to Microsoft’s botnet support page if you think you are a victim of Citadel or other malware.
Security “is a continuous fight,” Joe Bonnell, founder and CEO of Alchemy Security, told TechNewsWorld.
Citadel will likely “be back with a vengeance as a more resilient variant,” he said. “Malware infection is best prevented by newer technologies being developed by companies such as Bromium, who protect users from drive-by and embedded malware through micro-virtualization.”
The battle against cybercrime “has some aspects of whack-a-mole,” Craig Kensek, spokesperson for AhnLab, told TechNewsWorld. “This is true with many criminal activities — if you stop one gang, another may take its place.”
*ECT News Network Editor’s Note – June 7, 2013: Our original published version of this story stated that “together with United States Marshals, Microsoft representatives on Wednesday seized computer servers from two data-hosting facilities in New Jersey and Pennsylvania.” However, “the U.S. Marshals Service was only in charge of executing the seizure order by escorting Microsoft on the scene of the seizures,” Microsoft spokesperson Anne Good informed TechNewsWorld.