The joint operation cuts off more than 1,400 botnets used in the theft of $500 million worldwide, but it also shows how nimble cyber criminals are in distributing their malware.
The FBI and Microsoft have managed to disrupt more than 1,400 botnets using the Citadel credential-stealing Trojan, in an operation that underscores both the effectiveness of such joint operations and persistence and flexibility of cyber criminals.
The joint effort, code-named Operation b54 and acting with a court order, cut off communications between the botnets and seized data and servers from two compromised data centers in Absecon, N.J., and Scranton, Pa., according to Reuters, which first reported the operation. The botnets affected as many as 5 million PCs worldwide and were used to steal more than $500 million from banks in the United States and several other countries.
But because of the wide distribution and complexity of Citadel, “we do not expect to fully take out all of the botnets in the world using the Citadel malware,” Richard Domingues Boscovich, assistant general counsel of Microsoft's Digital Crimes Unit, wrote in a blog post. “However, we do expect that this action will significantly disrupt Citadel’s operation, helping quickly release victims from the threat and making it riskier and more costly for the cybercriminals to continue doing business,” Boscovich wrote.
The Citadel Trojan, itself a descendant of the ubiquitous Zeus Trojan, is widespread in the cyber underworld, used primarily to steal banking and financial information. It builds a botnet of infected computers, can disable antivirus software on an infected PC and can deliver malware such as ransomware and scareware.
In 2012, for example, the FBI warned that it was being used to deliver the Reveton drive-by ransomware in a heavy-handed extortion scam. The virus locked up users’ computers, displayed a message purportedly from the FBI or Justice Department saying they’ve been accused of a federal crime, and telling them where to pay a fine.
Typically, however, Citadel operates behind the scenes, so that users are unaware of its presence. Likewise, Boscovich told Reuters, the data centers running the botnets often are in the dark about its presence.
This is the seventh joint operation between Microsoft and federal law enforcement, Boscovich wrote in his blog, and he said Operation b54 again demonstrates how cyber criminals adapt their attacks. Among Citadel’s tactics this time around were blocking access to anti-malware sites to make it harder for users to remove the Trojan and “using fraudulently obtained product keys created by key generators for outdated Windows XP software to develop their malware and grow their business,” he wrote, noting that newer versions of Windows defend against that tactic.
Past operations have included disruptions of the March 2012 takedown of large Zeus botnets, after which Microsoft named two Ukrainian men as the leaders, along with 37 other “John Doe” defendants. In the most recent operation, Microsoft told Reuters that Citadel was programmed not to target PCs in Ukraine or Russia.