Oops. Microsoft takes down some researchers' servers along with Citadel botnet sites

The takedowns aren't a cure-all, and they aren't as surgical as they're made out to be

When Microsoft took down Citadel botnets last week it disrupted the thieves who use the malware for stealing online banking information, but it also caused collateral damage by knocking out sinkhole servers used by researchers to figure out how best to combat the criminals, a Swiss researcher says.

The Microsoft/FBI operation seized more than 300 domain names that had already been sinkholed by abuse.ch, a Swiss security blog, according to the site's latest post.


“I was not only surprised but also quite disappointed: Microsoft already showed similar behavior in their operation against ZeuS last year where they seized thousands of ZeuS botnet domains, including several hundred domain names that were already sinkholed by abuse.ch,” the blog’s author says.

The sinkhole servers were used to gather information about computers that had been turned into botnet zombies so their owners could be notified via the Shadowserver Foundation, a volunteer group, and the victims could take steps to clean their machines, according to the blog.

“Since Citadel domain names previously sinkholed by abuse.ch have been grabbed by Microsoft, Shadowserver will not be able to report the IP addresses of infected clients calling home to these domains to the network owners anymore,” the blog says.
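The reporting pipeline the blog describes (bots call home to a sinkholed domain, the sinkhole logs the connection, and the infected client's IP is reported to the network that owns it) looks roughly like the following. This is an added illustration, not code from the article, abuse.ch or Shadowserver; the log format, the netblock-to-contact table and every address in it are constructed for the example.

```python
"""Added example: turn a sinkhole's connection log into per-network
notifications.  Everything here (log layout, netblocks, contacts) is
constructed; a real operator would map IPs to owners via RIR/WHOIS data
or a subscriber list rather than a hard-coded table."""
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed sinkhole log: "<UTC timestamp> <client ip> <requested host> <path>".
# Includes one malformed line and one client from an unrouted block on purpose.
SINKHOLE_LOG = """\
2013-06-07T10:01:03Z 192.0.2.17 cfg-update.example.invalid /file.php
2013-06-07T10:01:09Z 192.0.2.17 cfg-update.example.invalid /file.php
2013-06-07T10:02:41Z 198.51.100.8 cfg-update.example.invalid /gate.php
2013-06-07T10:03:15Z 203.0.113.77 stat-report.example.invalid /gate.php
2013-06-07T10:03:16Z not-an-ip cfg-update.example.invalid /file.php
2013-06-07T10:04:00Z 203.0.113.78 cfg-update.example.invalid /file.php
2013-06-07T10:05:00Z 10.9.8.7 cfg-update.example.invalid /gate.php
"""

# Constructed netblock -> abuse contact table (hypothetical addresses).
NETBLOCK_CONTACTS = {
    "192.0.2.0/24": "abuse@isp-a.example",
    "198.51.100.0/24": "abuse@isp-b.example",
    "203.0.113.0/24": "abuse@isp-c.example",
}


def parse_sinkhole_log(text):
    """Yield (timestamp, ip, host, path) for well-formed lines; skip junk."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, ip, host, path = parts
        try:
            ip_obj = ipaddress.ip_address(ip)
            when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            continue  # malformed line: ignore rather than abort the whole run
        yield when, ip_obj, host, path


def lookup_contact(ip_obj, table=NETBLOCK_CONTACTS):
    """Return the contact for the most specific netblock containing ip_obj."""
    best = None
    for cidr, contact in table.items():
        net = ipaddress.ip_network(cidr)
        if ip_obj in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, contact)
    return best[1] if best else None


def build_reports(text, table=NETBLOCK_CONTACTS):
    """Group infected clients per abuse contact.

    Returns {contact: {ip: {"domains", "first_seen", "last_seen", "hits"}}}.
    One entry per infected IP rather than per log line, so a chatty bot does
    not inflate the count the network owner receives."""
    reports = defaultdict(dict)
    for when, ip_obj, host, _path in parse_sinkhole_log(text):
        contact = lookup_contact(ip_obj, table) or "unrouted"
        entry = reports[contact].setdefault(
            str(ip_obj),
            {"domains": set(), "first_seen": when, "last_seen": when, "hits": 0},
        )
        entry["domains"].add(host)
        entry["first_seen"] = min(entry["first_seen"], when)
        entry["last_seen"] = max(entry["last_seen"], when)
        entry["hits"] += 1
    return dict(reports)


def format_report(contact, entries):
    """Render one notification message for a single network owner."""
    lines = [f"To: {contact}",
             "Infected hosts observed contacting sinkholed botnet domains:"]
    for ip, e in sorted(entries.items()):
        lines.append(
            f"  {ip}  hits={e['hits']}"
            f"  first={e['first_seen']:%Y-%m-%dT%H:%MZ}"
            f"  last={e['last_seen']:%Y-%m-%dT%H:%MZ}"
            f"  domains={','.join(sorted(e['domains']))}"
        )
    return "\n".join(lines)


if __name__ == "__main__":
    for contact, entries in build_reports(SINKHOLE_LOG).items():
        print(format_report(contact, entries), end="\n\n")
```

The point the article makes follows directly from this structure: once the sinkholed domain is seized and its DNS repointed elsewhere, the log feeding `build_reports` goes quiet, and the network owners stop receiving the notifications that identified their infected hosts.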

Estimates by abuse.ch say that a quarter of the 4,000 botnet domains taken over by the Microsoft/FBI sting fall into the category of sinkholes. “Today, I’ve talked to several other sinkhole operators asking them about their experience with Microsoft,” the blogger writes. “All of them confirmed to me that several dozens and for some operators even hundreds of Citadel domain names they had sinkholed have been seized by Microsoft as well.”

In addition, the Citadel takedowns will likely prompt criminals to come up with more creative ways to do their illegal business that are harder to block.

Both these criticisms have come up before after Microsoft takedowns, and are part of the complex strategy game that goes on between cybercriminals and the organizations trying to shut them down.

For example, when Microsoft took down some Zeus botnets last year, it resulted in bot-herders changing their command and control infrastructure. Rather than having compromised machines report back to a single command and control server, they set up a complex peer-to-peer C&C architecture that is more difficult to dismantle, a security expert said at the time. "Adversaries will study how Microsoft did this and create ways to get around it in the future," John Pironti, president of IP Architects, LLC, said about the Zeus takedown. "They'll change their methods and practices and won't make the same mistake twice."

The abuse.ch blogger comes to the conclusion that Microsoft’s effort was more for show than for actually solving the Citadel problem. “According to Microsoft, their goal was to disturb Citadel botnet operations. In my opinion their operation didn’t have any big noteworthy impact on Citadel, rather than disturbing research projects of several security researchers and non-profit organizations, including abuse.ch. In my opinion, operation b54 was nothing more than a PR campaign by Microsoft.”

Tim Greene covers Microsoft and unified communications for Network World and writes the Mostly Microsoft blog. Reach him at tgreene@nww.com and follow him on Twitter @Tim_Greene.

Copyright © 2013 IDG Communications, Inc.
