$500 Million Citadel Botnet Taken Down By Microsoft & the FBI

In a coordinated operation, codenamed Operation b54, Microsoft, in cooperation with leaders in the financial services industry (including the Financial Services Information Sharing and Analysis Center (FS-ISAC), NACHA, the Electronic Payments Association, and the American Bankers Association (ABA)), Agari and other technology industry partners, as well as the FBI, announced it has successfully disrupted more than a thousand botnets that are responsible for stealing people’s online banking information and personal identities. The FBI took coordinated but separate steps related to the operation.

This coordinated disruption resulted from an extensive investigation that Microsoft began in early 2012. After looking into this threat, it was discovered that once a computer was infected with Citadel malware, the malware began monitoring and recording the victim’s keystrokes. This allowed attackers to gain direct access to the victim’s bank account or any other online account in order to withdraw money and/or steal personal identities. Microsoft also found that, in addition to being responsible for more than $500 million in losses among people and businesses worldwide, the Citadel malware has affected upwards of five million people, with some of the highest numbers of infections appearing in the U.S., Europe, Hong Kong, Singapore, India, and Australia. Citadel is a global threat that is believed to have already infected victims in more than ninety countries worldwide since its inception.

Citadel infected as many as 5 million PCs around the world and, according to Microsoft, was used to steal from dozens of financial institutions, including American Express, Bank of America, Citigroup, Credit Suisse, eBay’s PayPal, HSBC, JPMorgan Chase, Royal Bank of Canada and Wells Fargo. Citadel is one of the biggest botnets in operation today. Microsoft said its creator bundled the software with pirated versions of the Windows operating system, and used it to control PCs in the United States, Western Europe, Hong Kong, India, and Australia.

The Citadel software disables anti-virus programs on infected PCs so they cannot detect malicious software. It surfaced in early 2012 and is sold over the Internet in kits that cost $2,400 or more. Aquabox, the believed creator of the botnet, also gets a percentage of the money stolen by his customers using Citadel. Some Citadel botnet operators have used infected machines to disrupt bank websites in so-called distributed denial of service attacks, hoping to distract those firms from thefts that are occurring or have occurred, according to the complaint. Aquabox provided herders a secret forum where they could suggest new features for the Citadel kits, as well as exchange ideas on best practices in botnet herding, Microsoft said.

The FBI said it is working closely with Europol and other overseas authorities to try to capture the unknown criminals. The FBI has obtained search warrants as part of what it characterized as a “fairly advanced” criminal probe. The Citadel software is programmed so it will not attack PCs or financial institutions in Ukraine or Russia, likely because the creators operate in those countries and want to avoid provoking law enforcement officials there, Microsoft said.

“The harm done by Citadel shows the threat that botnets, malicious software, and piracy pose to individuals and businesses around the world,” said Brad Smith, Microsoft general counsel and executive vice president, Legal and Corporate Affairs. “Today’s coordinated action between the private sector and law enforcement demonstrates the power of combined legal and technical expertise and we’re going to continue to work together to help put these cybercriminals out of business.”

Last week, Microsoft filed a civil suit against the cybercriminals operating the Citadel botnets, receiving authorization from the U.S. District Court for the Western District of North Carolina for Microsoft to simultaneously cut off communication between 1,462 Citadel botnets and the millions of infected computers under their control. On June 5, Microsoft, escorted by the U.S. Marshals, seized data and evidence from the botnets, including computer servers from two data hosting facilities in New Jersey and Pennsylvania. Microsoft also provided information about the botnets’ operations to international Computer Emergency Response Teams (CERTs), so these partners could take action at their discretion on additional command and control infrastructure for the botnets located outside of the U.S.

The complaint, unsealed on Wednesday, identifies the ringleader as John Doe No. 1, who goes by the alias Aquabox and is accused of creating and maintaining the botnet. Investigators are trying to determine Aquabox’s identity and suspect he lives in eastern Europe and works with at least 81 “herders,” who run the bots from anywhere in the world. Microsoft said it and the FBI are working with law enforcement and other organizations in countries including Australia, Brazil, Ecuador, Germany, Holland, Hong Kong, Iceland, India, Indonesia, Spain and the United Kingdom.

The FBI also provided information to foreign law enforcement counterparts so that they could also take voluntary action on botnet infrastructure located outside of the U.S. The FBI also obtained and served court-authorized search warrants domestically related to the botnets. “Today’s actions represent the future of addressing the significant risks posed to our citizens, businesses, and intellectual property by cyber threats and malicious software, which are often enabled by counterfeit and unlicensed software,” said FBI Executive Assistant Director Richard McFeely. “Creating successful public-private relationships—in which tools, knowledge, and intelligence are shared—is the ultimate key to success in addressing cyber threats and is among the highest priorities of the FBI. We must ensure that, as cyber policy is developed, the ability of the private sector to coordinate in real time with the FBI is encouraged so that a multi-prong attack on our cyber adversaries can be as effective as possible.”

“Crimes used to happen through stickups, but today criminals use mouse clicks,” said Greg Garcia, a consultant and former Department of Homeland Security cyber official serving as a spokesperson for the three major financial industry associations. “This action aims to stop the ongoing harm of these Citadel botnets against people and businesses worldwide, and you can be assured that we will continue to partner with the public and private sectors to help financial institutions protect our customers from threats like this.”

Due to the size and complexity of the threat, Microsoft and its partners do not expect to fully eliminate all of the botnets using Citadel. However, it is expected that this action will significantly disrupt the botnets’ operation, making it riskier and more expensive for the cybercriminals to continue doing business and allowing victims to free their computers from the malware. Microsoft said its Digital Crimes Unit on Wednesday successfully took down at least 1,000 of an estimated 1,400 malicious computer networks known as the Citadel botnets. Of the more than 1,000 botnets that were shut down on Wednesday, Microsoft said 455 were hosted in 40 data centers in the United States. The rest were located in dozens of countries overseas.

Other organizations that played a part in the legal or technical aspects of this operation include Agari, A10 Networks, and Nominum. In particular, in addition to supporting Microsoft’s lawsuit with a legal declaration, Agari, a partner of FS-ISAC, provided forensic data gathering based on the terabytes of email data that Agari collects from sources across the Internet to protect against email threats such as phishing. Meanwhile, A10 Networks and Nominum provided Microsoft advanced technology to support the disruptive action.

Immediately following the disruption, Microsoft will use the threat intelligence gathered during the seizure to work with Internet Service Providers and Computer Emergency Response Teams worldwide to quickly and efficiently notify people if their computer is infected. Microsoft will be making this information available through its Cyber Threat Intelligence Program (C-TIP), including the recently announced cloud-based version of the program. For computer owners worried that their computers might be infected, Microsoft offers free information and malware removal tools at http://support.microsoft.com/botnets. Additionally, the FBI is providing information on its website about botnets to educate the public on how to protect themselves. Many financial services industry organizations provide resources, tips, and tools to individuals and companies on how to help protect themselves.

About the author: Suril Amin

Suril is a scientist, journalist and obsessive Microsoft observer. He holds an advanced degree in Biotechnology with minors in Biochemistry, Microbiology, and Molecular Biology. Send him tips on twitter: http://www.twitter.com/surilamin

  • Tirinti

    FBI should take down Google botnet.

    • Bugbog

      Good One!! :D