Microsoft, FBI Takedown Citadel Botnet

hypnosec writes "Microsoft in collaboration with the FBI have successfully taken down the Citadel botnet which was known to control millions of PCs across the globe and was allegedly responsible for bank fraud in excess of $500 million. Citadel was known to have over 1,400 instances across the globe with most located in the US, Europe, India, China, Hong Kong and Singapore. It would install key-logging tools on target systems, which were then used to steal online banking credentials."

Re:$500 Million

[Fluffeh]

I don't think that "instance" means infected machine here. I would say likely it would be some sort of control node of the botnet. If you have many control nodes, it is much harder to take control of the botnet as a whole.

Re:$500 Million

[benyacrick]

Exactly! The number refers to Command & Control (C2) servers worldwide. In fact, Citadel has three types of C2 server: Binary for the actual malware, Config for the configuration file (eg a list of targets), and Drop for the stolen data.

Lots of good info at the ZeuS Tracker:
https://zeustracker.abuse.ch/faq.php [abuse.ch]

Re:

[Flere Imsaho]

TFA says "... which was known to control millions of PCs across the globe"

I know, read TFA - what's wrong with me?

Great start but

[Anonymous Coward]

Call me when they take down the bankers who have illegally laundered trillions of dollars in the LIBOR scandal.

Re:

[Anonymous Coward]

Please mod the parent down as much as possible. This has absolutely nothing to do with the topic at hand.

He's probably also one of those Tea Party terrorist faggots that think the government should serve the people instead of the other way around. Fuck him. Get his post down to -2 and delete it ASAP.

Re:

[murdocj]

Call me when they take down the slashthinkers who don't do anything useful themselves but feel free to denigrate those who do.

Re:

[Chickenlips]

You're sticking up for bankers who knowingly help criminals profit from their illegal activities, making them criminals, too?

Re:

[smittyoneeach]

In defense of those bankers, it costs an awful lot to keep those politicians bought.
Face it: the kind of abuse we've come to expect from our Progressive Overlords doesn't come cheap.

Re:

[fustakrakich]

Tuesday was two days ago.

Re:

[smittyoneeach]

Wait another five.

Re:

[fustakrakich]

Shouldn't you? Kind of jumping the gun, no?

Re:

[smittyoneeach]

Why would I leap the Luger? The barrel rolls as it will.

Windows update

[jader3rd]

The FBI should use the C&C servers to force the machines to run Windows Update and clean the machines of the virus. The users obviously don't want to take care of their own machine, and if something goes wrong they'll know that they had a virus.

Microsoft support should call them

[Anonymous Coward]

on the phone and lead them thru the process of cleaning up their infected machine.

That worked perfectly when they called me :-)

Re:

[Flere Imsaho]

Never mind what they should do, what are they doing, now they have a back door into all these PCs?

Re:

[slacka]

While these "successful takedowns" are great PR, the dirty secret is that by only taking down the C&C servers, the zomie machines just end up under different servers. MS has no issue applying updates without user permission to healthy PCs, so why not clean these infected ones? That would actually do some long term damage to these bot nets.

Re:

[byornski]

Good god; we better avoid anything that is only one molecule away from another!

Re:This is just a decoy...

[Adambomb]

hell that's nothing, Dihydrogen Monoxide is only one ATOM away from being a substance known [wikipedia.org] to cause a condition called Black Hairy Tongue [wikipedia.org] as well as abdominal pains, vomiting, and diarhea!

Re:This is just a decoy...

[DeathElk]

I'm not sure of the validity of your claims on margarine, so references would have been nice. However I used to drive past a margarine factory in Sydney most evenings and the smell coming out of that place has ensured I will never consciously eat margarine.

Re:

[Trogre]

Margarine is but ONE MOLECULE away from being PLASTIC...

That's true. In much the same way that pure water is but ONE MOLECULE away from being SULFURIC ACID.

It would install key-logging tools on target syste

[turbidostato]

On *Windows* target systems, you mean.

Re: It would install key-logging tools on target s

[crdotson]

Sorry, do you think key loggers are impossible on Linux or something?

Re:

[turbidostato]

"Sorry, do you think key loggers are impossible on Linux or something?"

No. I'm simply stating that this specific key-logger is focused on windows systems.

For platform-specific malware I it would be good always mentioning which platforms it affects.

Re:

[Anonymous Coward]

There's an android malware discussion one article up on the front page which would benefit from your pointed and unbiased opinion. I will wait patiently for your post.

Re:

[gandhi_2]

A car made by GM probably will explode if attacked by hostile parties.

So $500 mil taken

[future assassin]

out of the banks hands and put right back into the economy by the perps. Nothings to see, move along....

On whose authority?

[adolf]

It seems I'm the only one who questions such things, but:

On whose authority was this action pursued?

Since when does the FBI or MSFT or RIAA or MPAA or North Korea or Anonymous or [etc] have a right to diddle with others computers?

What gives them (for any incarnation of "them") the authority to modify privately-owned computers?

If it's for the indiscriminate greater good, then that seems more like military action...which I don't think the FBI is authorized to deal with, and certainly not any private US-based

Re:

[Richard_at_work]

Where has authority been assumed? The way botnets are taken down is the control nodes are eliminated, not that the infected machines are cleaned - in this case, the control servers may be gone but the end user machines are still infected, they just have nothing controlling them anymore.

The FBI and Microsoft get warrants and court authority which allows them to sieze and control digital assets that disrupts the control nodes, such as domain names, hosting space, IP routes, servers etc - they never touch the

Re:

[adolf]

Who owns the control nodes? Who determines whether or not they are end-user machines?

What authority do they have to disrupt them?

(Also: In the US, corporations may not petition for warrants. If you think otherwise, I'm done with this conversation with you.)

Re:

[Richard_at_work]

Who gives a fuck whether they are end user machines or not, they are control nodes and that is enough to target them.

And I never said Microsoft on their own petitioned for a warrant, thats why they involved the FBI and thats why I said "the FBI and Microsoft..." .

And it just so happens that the court gives them the authority to disrupt them. Obviously.

Re:

[adolf]

What court?

What warrant?

Who?

(No, it's not obvious.)

Re:

[adolf]

These rules you specify, even if they weren't related directly to RF, still would not apply: Purposefully fucking up servers != "accepting interference from other sources".

It is, and remains, illegal to intentionally interfere with communications. Or private property in general. In the US. Today. As we speak.

Otherwise, I still expect a law and/or a citeable court order specifically allowing such action, which may or may not involve foreign nationals and their belongings.

Re:

[minstrelmike]

If corporations are writing the laws, they might as well be enforcing them too ;-)

From your friendly neighbourhood grammar nazi

[BForrester]

Takedown is a noun.
Take down is the phrasal verb your title is looking for.