Slashdot Mirror


Microsoft, FBI Takedown Citadel Botnet

hypnosec writes "Microsoft in collaboration with the FBI have successfully taken down the Citadel botnet which was known to control millions of PCs across the globe and was allegedly responsible for bank fraud in excess of $500 million. Citadel was known to have over 1,400 instances across the globe with most located in the US, Europe, India, China, Hong Kong and Singapore. It would install key-logging tools on target systems, which were then used to steal online banking credentials."

58 comments

  1. $500 Million by Anonymous Coward · · Score: 0

    Wait what? That's over $350k per machine. Are the numbers screwed up here or is this just part of the NSA slush fund to build data centers?

    1. Re:$500 Million by Fluffeh · · Score: 4, Informative

      I don't think that "instance" means infected machine here. I would say likely it would be some sort of control node of the botnet. If you have many control nodes, it is much harder to take control of the botnet as a whole.

      --
      Moved to http://soylentnews.org/. You are invited to join us too!
    2. Re:$500 Million by benyacrick · · Score: 4, Interesting

      Exactly! The number refers to Command & Control (C2) servers worldwide. In fact, Citadel has three types of C2 server: Binary for the actual malware, Config for the configuration file (e.g. a list of targets), and Drop for the stolen data.

      Lots of good info at the ZeuS Tracker:
      https://zeustracker.abuse.ch/faq.php

    3. Re:$500 Million by Flere+Imsaho · · Score: 1

      TFA says "... which was known to control millions of PCs across the globe"

      I know, read TFA - what's wrong with me?

      --
      It gripped her hand gently. 'Regret is for humans,' it said.
  2. Great start but by Anonymous Coward · · Score: 1, Informative

    Call me when they take down the bankers who have illegally laundered trillions of dollars in the LIBOR scandal.

    1. Re:Great start but by Anonymous Coward · · Score: 2, Funny

      Please mod the parent down as much as possible. This has absolutely nothing to do with the topic at hand.

      He's probably also one of those Tea Party terrorist faggots that think the government should serve the people instead of the other way around. Fuck him. Get his post down to -2 and delete it ASAP.

    2. Re:Great start but by Anonymous Coward · · Score: 0, Offtopic

      Who modded this down? I thought /. would grok _irony_

    3. Re:Great start but by murdocj · · Score: 0

      Call me when they take down the slashthinkers who don't do anything useful themselves but feel free to denigrate those who do.

    4. Re:Great start but by Chickenlips · · Score: 1

      You're sticking up for bankers who knowingly help criminals profit from their illegal activities, making them criminals, too?

    5. Re:Great start but by smittyoneeach · · Score: 1

      In defense of those bankers, it costs an awful lot to keep those politicians bought.
      Face it: the kind of abuse we've come to expect from our Progressive Overlords doesn't come cheap.

      --
      Get thee glass eyes, and, like a scurvy politician, seem to see things thou dost not.--King Lear
    6. Re:Great start but by fustakrakich · · Score: 1

      Tuesday was two days ago.

      --
      “He’s not deformed, he’s just drunk!”
    7. Re:Great start but by Anonymous Coward · · Score: 0

      Irrelevant irony is still irrelevant.

    8. Re:Great start but by smittyoneeach · · Score: 1

      Wait another five.

      --
      Get thee glass eyes, and, like a scurvy politician, seem to see things thou dost not.--King Lear
    9. Re:Great start but by fustakrakich · · Score: 1

      Shouldn't you? Kind of jumping the gun, no?

      --
      “He’s not deformed, he’s just drunk!”
    10. Re:Great start but by smittyoneeach · · Score: 1

      Why would I leap the Luger? The barrel rolls as it will.

      --
      Get thee glass eyes, and, like a scurvy politician, seem to see things thou dost not.--King Lear
  3. Windows update by jader3rd · · Score: 4, Interesting

    The FBI should use the C&C servers to force the machines to run Windows Update and clean the machines of the virus. The users obviously don't want to take care of their own machine, and if something goes wrong they'll know that they had a virus.

    1. Re:Windows update by Flere+Imsaho · · Score: 3, Insightful

      Never mind what they should do, what are they doing, now they have a back door into all these PCs?

      --
      It gripped her hand gently. 'Regret is for humans,' it said.
    2. Re:Windows update by slacka · · Score: 1

      While these "successful takedowns" are great PR, the dirty secret is that by only taking down the C&C servers, the zombie machines just end up under different servers. MS has no issue applying updates without user permission to healthy PCs, so why not clean these infected ones? That would actually do some long term damage to these bot nets.

  4. Re: Take Down by Anonymous Coward · · Score: 0

    Quite right. People who lack the self respect to spell correctly don't deserve to be published.

  5. It would install key-logging tools on target syste by turbidostato · · Score: 1

    On *Windows* target systems, you mean.

  6. Microsoft support should call them by Anonymous Coward · · Score: 2, Funny

    on the phone and lead them thru the process of cleaning up their infected machine.

    That worked perfectly when they called me :-)

  7. Re:This is just a decoy... by byornski · · Score: 1

    Good god; we better avoid anything that is only one molecule away from another!

  8. Re:This is just a decoy... by DeathElk · · Score: 3, Informative

    I'm not sure of the validity of your claims on margarine, so references would have been nice. However I used to drive past a margarine factory in Sydney most evenings and the smell coming out of that place has ensured I will never consciously eat margarine.

  9. Re:This is just a decoy... by Adambomb · · Score: 3, Funny

    hell that's nothing, Dihydrogen Monoxide is only one ATOM away from being a substance known to cause a condition called Black Hairy Tongue as well as abdominal pains, vomiting, and diarrhea!

    --
    Ice Cream has no bones.
  10. Link to original MS press release by Anonymous Coward · · Score: 0

    http://www.microsoft.com/en-us/news/Press/2013/Jun13/06-05DCUPR.aspx

    Now.. with better writing (than the original linked article)

  11. Grammar Police by Anonymous Coward · · Score: 0

    I must object to the use of "Takedown" as a verb. The headline clearly should have been "Microsoft, FBI Take Down Citadel Botnet".

    This issue is rampant in IT circles, in which "setup", "login", "checkout", and "shutdown" (all of which are acceptable nouns) are more commonly used as verbs than are the verb phrases from which they were constructed: "set up", "log in", "check out", and "shut down". The nouns are each composed of a verb and a preposition, and now in our laziness, we insist on using these compound words as if they were still verbs. Take a minute - a fraction of a second, actually - and insert the space character that makes them two separate words, and therefore makes them a valid verb phrase.

    Some may reply that I am being uptight about this, but I usually don't make a big deal of the poor language skills (or simple carelessness) of others. Indeed, who has the time? However, I speak up in cases such as this because this sort of slop is indicative of sloppy thinking. And I should never find sloppy thinking amongst the brilliant professionals who patronize this establishment.

    1. Re:Grammar Police by Anonymous Coward · · Score: 0

      me@host:~$ sudo shut down -h now
      sudo: shut: command not found
      me@host:~$

      (captcha: scrapped)

    2. Re:Grammar Police by Anonymous Coward · · Score: 0

      Thank you. This bugged me too.

    3. Re:Grammar Police by Anonymous Coward · · Score: 0

      Thankyou. This mebugged too.

      FTFY.

  12. Re:It's fantastic that Microsoft takes responsibil by Anonymous Coward · · Score: 1

    There's an android malware discussion one article up on the front page which would benefit from your pointed and unbiased opinion. I will wait patiently for your post.

  13. So $500 mil taken by future+assassin · · Score: 1

    out of the banks' hands and put right back into the economy by the perps. Nothing to see, move along....

    --
    by TheSpoom (715771) Uncaring Linux user here. I have nothing to add to this but please continue. *munches popcorn*
  14. Nice of MS to work to clean up some of their mess by Anonymous Coward · · Score: 0

    Given the likelihood that a fair number of these bottled machines were made vulnerable by flaws in MSoft software, it is nice to see MSoft taking some action to help clean up their mess.

  15. Re: It would install key-logging tools on target s by crdotson · · Score: 1

    Sorry, do you think key loggers are impossible on Linux or something?

  16. Re: It's fantastic that Microsoft takes responsibi by Anonymous Coward · · Score: 0

    Still waiting. Tick tock.

  17. Re:It's fantastic that Microsoft takes responsibil by gandhi_2 · · Score: 1

    A car made by GM probably will explode if attacked by hostile parties.

  18. On whose authority? by adolf · · Score: 1

    It seems I'm the only one who questions such things, but:

    On whose authority was this action pursued?

    Since when does the FBI or MSFT or RIAA or MPAA or North Korea or Anonymous or [etc] have a right to diddle with others' computers?

    What gives them (for any incarnation of "them") the authority to modify privately-owned computers?

    If it's for the indiscriminate greater good, then that seems more like military action...which I don't think the FBI is authorized to deal with, and certainly not any private US-based company.

    (To be clear: I'm happy whenever I hear about a botnet being destroyed. But I'm unhappy whenever I see the government or anyone else assuming authority where none has been granted.)

    1. Re:On whose authority? by Richard_at_work · · Score: 1

      Where has authority been assumed? The way botnets are taken down is the control nodes are eliminated, not that the infected machines are cleaned - in this case, the control servers may be gone but the end user machines are still infected, they just have nothing controlling them anymore.

      The FBI and Microsoft get warrants and court authority which allows them to seize and control digital assets that disrupts the control nodes, such as domain names, hosting space, IP routes, servers etc - they never touch the infected PCs.

    2. Re:On whose authority? by adolf · · Score: 1

      Who owns the control nodes? Who determines whether or not they are end-user machines?

      What authority do they have to disrupt them?

      (Also: In the US, corporations may not petition for warrants. If you think otherwise, I'm done with this conversation with you.)

    3. Re:On whose authority? by Richard_at_work · · Score: 1

      Who gives a fuck whether they are end user machines or not, they are control nodes and that is enough to target them.

      And I never said Microsoft on their own petitioned for a warrant, that's why they involved the FBI and that's why I said "the FBI and Microsoft...".

      And it just so happens that the court gives them the authority to disrupt them. Obviously.

    4. Re:On whose authority? by Anonymous Coward · · Score: 0

      Since when does a US court have jurisdiction on non-US territory? Oh... wait... never mind

    5. Re:On whose authority? by adolf · · Score: 1

      What court?

      What warrant?

      Who?

      (No, it's not obvious.)

    6. Re:On whose authority? by Anonymous Coward · · Score: 0

      what court?
      http://en.wikipedia.org/wiki/Title_47_CFR_Part_15 for USA residents this one. Canada, Europe, Japan have similar laws i think
      like it or not radio laws do apply to computers, and running a C&C server is violating 'devices may not cause interference and must accept interference from other sources.'
      so they are using a device to create interference for devices by sending commands to bot net pcs, which creates harmful interference. with wifi and 3/4g etc there is radio gear affected by botnets also over satellite networks same rules apply. it is like 'duh it was illegal before just nobody cared until things started falling apart'

    7. Re:On whose authority? by adolf · · Score: 1

      These rules you specify, even if they weren't related directly to RF, still would not apply: Purposefully fucking up servers != "accepting interference from other sources".

      It is, and remains, illegal to intentionally interfere with communications. Or private property in general. In the US. Today. As we speak.

      Otherwise, I still expect a law and/or a citeable court order specifically allowing such action, which may or may not involve foreign nationals and their belongings.

  19. Re: It would install key-logging tools on target s by turbidostato · · Score: 1

    "Sorry, do you think key loggers are impossible on Linux or something?"

    No. I'm simply stating that this specific key-logger is focused on windows systems.

    For platform-specific malware, it would be good to always mention which platforms it affects.

  20. Re:Nice of MS to work to clean up some of their me by Anonymous Coward · · Score: 0

    Given the likelihood that a fair number of these bottled machines were made vulnerable by flaws in MSoft software, it is nice to see MSoft taking some action to help clean up their mess.

    More like Microsoft is having to spend resources to clean up the mess the developers in their ecosystem have created.

    Java, Flash and Acrobat. Those are the three big vectors. A Windows machine with none of the three will be pretty damn safe.

  21. Corporations enforcing law by Anonymous Coward · · Score: 0

    So do we want corporations enforcing the law? Especially since corporations, through lobbying efforts, buy laws in the first place. In this case, botnets exist because of security problems MS themselves put into their software. So MS creates a problem, and gets itself deputized to solve the problem? Imagine the MPAA and RIAA being deputized to enforce laws they bought and paid to have written.

    1. Re:Corporations enforcing law by minstrelmike · · Score: 1

      If corporations are writing the laws, they might as well be enforcing them too ;-)

  22. Re:It's fantastic that Microsoft takes responsibil by Anonymous Coward · · Score: 0

    Still nothing. I guess that just confirms you are a shill, the worst kind like you accuse Microsoft of employing all over this site.

  23. Re:This is just a decoy... by Anonymous Coward · · Score: 0

    http://www.truthorfiction.com/rumors/b/butter-margarine.htm#.UbHzapyrOZE

    The Truth:

    The heart of this eRumor, the comparison between butter and Margarine, has been circulating since 2005. Later versions added the tidbit about Margarine being manufactured to fatten turkeys.

    We'll go through the email one fact at a time but it needs to be kept in mind that not every Margarine product is the same. There are other spreads that are loosely called Margarine but may, for example, be part vegetable oil or a fat-free Margarine product.

    1. Margarine was originally manufactured to fatten turkeys. When it killed the turkeys, the people who had put all the money into the research wanted a payback so they put their heads together to figure out what to do with this product to get their money back. It was a white substance with no food appeal so they added the yellow coloring and sold it to people to use in place of butter. How do you like it? They have come out with some clever new flavorings-Fiction!
    According to the National Association of Margarine Manufacturers, Margarine was the idea of a Frenchman named Hippolyte Mege-Mouriez in response to a request from Emperor Louis Napoleon for ideas for a substitute for butter. In 1869 he used margaric acid and the name of his formulation became known as Margarine. It became a hit in the United States in the late 1800's.

    2. Both have the same amount of calories-Truth!
    A tablespoon of butter is 100 calories. A tablespoon of Margarine is 100 calories.

    3. Eating margarine can increase heart disease in women by 53% over eating the same amount of butter, according to a recent Harvard Medical Study-Truth! But Updated!
    We didn't find the "53%" study, but Harvard School of Public Health has published a report on this. It says that more than 30 years ago research indicated that saturated fat (such as in butter) was bad for the heart and people were told to switch to margarine. A Harvard study of women between 1980 and 1994 found a significant reduction of heart disease risk by reducing smoking, hormone treatment, and dietary improvements including reducing or eliminating saturated fat (such as in butter.) Further research has shown, however, that some margarines contained trans fat, which was even worse for the heart than saturated fat. The report cautions us not to make decisions as a result of just one study but to consider the body of recent research about an issue like butter versus margarine.

    4. Butter is slightly higher in saturated fats at 8 grams compared to 5 grams-Truth!
    A tablespoon of butter is 7g of saturated fat. A tablespoon of margarine is 2g of saturated fat.

    5. Eating butter increases the absorption of many other nutrients in other foods-Unproven!
    We could not find anything definitive about this.

    6. Butter has many nutritional benefits where margarine has a few only because they are added!
    It depends on what you are measuring. The advantage of butter is that it is a more natural product than margarine and does have more vitamin content. But butter is high in saturated fat, which is associated with increased heart attack risk. Saturated fats are the ones that are solid at room temperature and increase the "bad" cholesterol (LDL) as well as the "good" cholesterol (HDL). The disadvantage of true margarine is the trans fat level. The more solid a margarine is at room temperature, the more trans fat it contains, as much as 3 grams per tablespoon. Margarine makers have responded to that by releasing tub or liquid products that have either reduced or eliminated trans fats. Watch for the labels. Heart doctors recommend butter over normal margarine but recommend trans fat free margarines over butter. It all gets very confusing. There are even margarine products now that say they actually lower cholesterol.

    7. Butter tastes much better than margarine and it can enhance the flavors of other foods-A Matter of Personal Taste!

    8. Butter has been around for centuries where marg

  24. "The Windows 8 maker" by Anonymous Coward · · Score: 0

    I'm not sure what angle that is supposed to go. It feels like an initial kick in the junk, followed by a good job by helping foil the bot-net.

  25. From your friendly neighbourhood grammar nazi by BForrester · · Score: 1

    Takedown is a noun.
    Take down is the phrasal verb your title is looking for.

  26. Re:This is just a decoy... by Trogre · · Score: 1

    Margarine is but ONE MOLECULE away from being PLASTIC...

    That's true. In much the same way that pure water is but ONE MOLECULE away from being SULFURIC ACID.

    --
    "Nine times out of ten, starting a fire is not the best way to solve the problem." - my wife