Microsoft, FBI Claim Success Against Citadel Botnets
Microsoft and the FBI have carried out a major operation against cybercriminals using Citadel malware, saying they disrupted more than 1,000 botnets responsible for about $500 million in financial fraud globally.
In separate releases issued on Wednesday (June 5), the software giant and the FBI said they had worked with leaders of the financial services industry in acting against “a massive global cybercrime operation.”
FBI Executive Assistant Director Richard McFeely said the agency had acted on court-authorized search warrants.
“Today’s actions represent the future of addressing the significant risks posed to our citizens, businesses, and intellectual property by cyber threats and malicious software, which are often enabled by counterfeit and unlicensed software,” he said.
“Creating successful public-private relationships — in which tools, knowledge, and intelligence are shared — is the ultimate key to success in addressing cyber threats and is among the highest priorities of the FBI.”
McFeely said the FBI had shared information with law enforcement agencies in other countries so they could act against botnet infrastructure in their jurisdictions.
Microsoft said the anti-botnet operation resulted from an “extensive” investigation which it began early last year with financial services and technology industry partners.
“The harm done by Citadel shows the threat that botnets, malicious software, and piracy pose to individuals and businesses around the world,” said Brad Smith, Microsoft general counsel and executive vice president, Legal and Corporate Affairs.
Microsoft said in its release that the Citadel malware was monitoring and recording victims’ keystrokes. “This tactic, known as keylogging, provides cybercriminals information to gain direct access to a victim’s bank account or any other online account in order to withdraw money or steal personal identities,” the release said.
“This means that when victims are using their computers to access their bank or online accounts, cybercriminals can use the stolen information to quietly pilfer those same accounts as well. Microsoft also found that in addition to being responsible for more than half-a-billion dollars in losses among people and businesses worldwide, the Citadel malware has affected upwards of five million people.”
It said computers in more than 90 countries had been infected, with some of the highest rates of infection in the US, Europe, Hong Kong, Singapore, India, and Australia.
The company said that last week it filed a civil suit against those operating the Citadel botnets, receiving authorization from the US District Court for the Western District of North Carolina to simultaneously cut off communication between 1,462 Citadel botnets “and the millions of infected computers under their control.”
It said that on Wednesday (June 5), Microsoft staff escorted by the US Marshals seized data and evidence from the botnets, including computer servers from two data hosting facilities in New Jersey and Pennsylvania.
“Due to the size and complexity of the threat, Microsoft and its partners do not expect to fully eliminate all of the botnets using Citadel,” Microsoft said. “However, it is expected that this action will significantly disrupt the botnets’ operation, making it riskier and more expensive for the cybercriminals to continue doing business and allowing victims to free their computers from the malware.”
The company said it would use information gathered during the operation to alert people around the world whose computers had been infected. “Microsoft will be making this information available through its Cyber Threat Intelligence Program (C-TIP).”
A recent report by McAfee Labs said new Citadel variants had features “that extend beyond simple bank fraud.”
“The most recently discovered Citadel variants have built-in DNS redirect functionality that prevents infected systems from contacting the websites of major IT security vendors and global law enforcement agencies,” the report said.
“McAfee Labs believes that we will continue to see successor variants deployed throughout 2013. We also expect that its targets will expand as more cybercriminals realize the potential capabilities of Citadel go well beyond financial fraud. There is a significant amount of recent activity to suggest that perpetrators will continue to use Citadel to attack businesses and government organizations globally.”
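One way a defender can check for the kind of redirect the McAfee report describes is to inspect the local hosts file for overrides of security-vendor or law-enforcement domains. The script below is an added example, not code from the article or from McAfee; it assumes the redirect is implemented through hosts-file entries (the article does not say how Citadel did it), the watchlist of domains is assumed, and the hosts content is constructed.

```python
import ipaddress

# Constructed sample hosts file; not taken from any real infection.
SAMPLE_HOSTS = """# localhost entries
127.0.0.1   localhost
::1         localhost ip6-localhost
# legitimate intranet alias
10.0.0.5    wiki.internal.example
# entries of the kind a redirecting infection might add (constructed)
127.0.0.1   www.mcafee.com mcafee.com
0.0.0.0     www.microsoft.com
203.0.113.9 www.fbi.gov
"""

# Assumed watchlist: domains that should never be overridden locally.
WATCHLIST = {"mcafee.com", "microsoft.com", "fbi.gov"}

def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, skipping comments
    and lines that do not start with a valid IPv4/IPv6 address."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue
        for host in parts[1:]:
            yield str(ip), host.lower()

def on_watchlist(host):
    """True if host is a watchlisted domain or a subdomain of one."""
    labels = host.split(".")
    return any(".".join(labels[i:]) in WATCHLIST for i in range(len(labels)))

def find_redirects(text):
    """Return (host, ip, kind) for every watchlisted name that is overridden:
    loopback/unspecified addresses block the site, anything else redirects it."""
    findings = []
    for ip, host in parse_hosts(text):
        if not on_watchlist(host):
            continue
        addr = ipaddress.ip_address(ip)
        kind = "blocked" if addr.is_loopback or addr.is_unspecified else "redirected"
        findings.append((host, ip, kind))
    return findings

if __name__ == "__main__":
    for host, ip, kind in find_redirects(SAMPLE_HOSTS):
        print(f"{host:<22} -> {ip:<14} {kind}")
```

On a live system, read the real hosts file (`/etc/hosts` or `%SystemRoot%\System32\drivers\etc\hosts`) instead of `SAMPLE_HOSTS`; a finding means name resolution for that domain is being overridden before any DNS query is made.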