Slashdot Mirror


Microsoft, FBI Takedown Citadel Botnet

hypnosec writes "Microsoft, in collaboration with the FBI, has successfully taken down the Citadel botnet, which was known to control millions of PCs across the globe and was allegedly responsible for bank fraud in excess of $500 million. Citadel was known to have over 1,400 instances across the globe, with most located in the US, Europe, India, China, Hong Kong and Singapore. It would install key-logging tools on target systems, which were then used to steal online banking credentials."

33 of 58 comments

  1. Great start but by Anonymous Coward · · Score: 1, Informative

    Call me when they take down the bankers who have illegally laundered trillions of dollars in the LIBOR scandal.

    1. Re:Great start but by Anonymous Coward · · Score: 2, Funny

      Please mod the parent down as much as possible. This has absolutely nothing to do with the topic at hand.

      He's probably also one of those Tea Party terrorist faggots that think the government should serve the people instead of the other way around. Fuck him. Get his post down to -2 and delete it ASAP.

    2. Re:Great start but by Chickenlips · · Score: 1

      You're sticking up for bankers who knowingly help criminals profit from their illegal activities, making them criminals, too?

    3. Re:Great start but by smittyoneeach · · Score: 1

      In defense of those bankers, it costs an awful lot to keep those politicians bought.
      Face it: the kind of abuse we've come to expect from our Progressive Overlords doesn't come cheap.

      --
      Get thee glass eyes, and, like a scurvy politician, seem to see things thou dost not.--King Lear
    4. Re:Great start but by fustakrakich · · Score: 1

      Tuesday was two days ago.

      --
      “He’s not deformed, he’s just drunk!”
    5. Re:Great start but by smittyoneeach · · Score: 1

      Wait another five.

      --
      Get thee glass eyes, and, like a scurvy politician, seem to see things thou dost not.--King Lear
    6. Re:Great start but by fustakrakich · · Score: 1

      Shouldn't you? Kind of jumping the gun, no?

      --
      “He’s not deformed, he’s just drunk!”
    7. Re:Great start but by smittyoneeach · · Score: 1

      Why would I leap the Luger? The barrel rolls as it will.

      --
      Get thee glass eyes, and, like a scurvy politician, seem to see things thou dost not.--King Lear
  2. Windows update by jader3rd · · Score: 4, Interesting

    The FBI should use the C&C servers to force the machines to run Windows Update and clean the machines of the virus. The users obviously don't want to take care of their own machine, and if something goes wrong they'll know that they had a virus.

    1. Re:Windows update by Flere+Imsaho · · Score: 3, Insightful

      Never mind what they should do, what are they doing, now they have a back door into all these PCs?

      --
      It gripped her hand gently. 'Regret is for humans,' it said.
    2. Re:Windows update by slacka · · Score: 1

      While these "successful takedowns" are great PR, the dirty secret is that by only taking down the C&C servers, the zombie machines just end up under different servers. MS has no issue applying updates without user permission to healthy PCs, so why not clean these infected ones? That would actually do some long-term damage to these botnets.

  3. Re:$500 Million by Fluffeh · · Score: 4, Informative

    I don't think that "instance" means infected machine here. I would say likely it would be some sort of control node of the botnet. If you have many control nodes, it is much harder to take control of the botnet as a whole.

    --
    Moved to http://soylentnews.org/. You are invited to join us too!
  4. It would install key-logging tools on target syste by turbidostato · · Score: 1

    On *Windows* target systems, you mean.

  5. Microsoft support should call them by Anonymous Coward · · Score: 2, Funny

    on the phone and lead them thru the process of cleaning up their infected machine.

    That worked perfectly when they called me :-)

  6. Re:$500 Million by benyacrick · · Score: 4, Interesting

    Exactly! The number refers to Command & Control (C2) servers worldwide. In fact, Citadel has three types of C2 server: Binary for the actual malware, Config for the configuration file (e.g. a list of targets), and Drop for the stolen data.

    Lots of good info at the ZeuS Tracker:
    https://zeustracker.abuse.ch/faq.php
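
The three-role C2 split described in this comment is what a defender would key triage on. The following is an added example, not code from the original thread or from ZeuS Tracker; it assumes a constructed, role-tagged indicator list (placeholder hostnames) and constructed proxy log lines, and ranks each internal client by the worst role it contacted (a POST to a drop server meaning credentials have already left the host):

```python
import re
from collections import defaultdict

# Constructed indicator list in the binary / config / drop scheme.
# Hostnames are placeholders (.invalid TLD), not real Citadel infrastructure.
C2_ROLES = {
    "bin.example-c2.invalid": "binary",
    "cfg.example-c2.invalid": "config",
    "drop.example-c2.invalid": "drop",
}

# Constructed proxy log lines: "<timestamp> <client_ip> <method> <url> <status>"
SAMPLE_LOG = """\
2013-06-05T10:00:01 10.0.0.7 GET http://bin.example-c2.invalid/file.exe 200
2013-06-05T10:00:09 10.0.0.7 GET http://cfg.example-c2.invalid/config.bin 200
2013-06-05T10:02:30 10.0.0.7 POST http://drop.example-c2.invalid/gate.php 200
2013-06-05T10:03:00 10.0.0.9 GET http://cfg.example-c2.invalid/config.bin 200
2013-06-05T10:04:00 10.0.0.12 GET http://www.example.com/index.html 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\d{3})$")

def host_of(url):
    """Hostname of an http(s) URL, with scheme, port and path stripped."""
    return re.sub(r"^https?://", "", url).split("/", 1)[0].split(":", 1)[0].lower()

def triage(log_text):
    """Map each internal client to the set of C2 roles it contacted."""
    contacts = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than abort the whole run
        _ts, client, method, url, _status = m.groups()
        role = C2_ROLES.get(host_of(url))
        if role is None:
            continue
        # Only a POST to a drop server shows stolen data actually leaving the host
        if role == "drop" and method != "POST":
            continue
        contacts[client].add(role)
    return dict(contacts)

def priority(roles):
    """Response priority derived from the worst C2 role a client touched."""
    if "drop" in roles:
        return "critical: data exfiltrated, reset banking credentials and reimage"
    if "config" in roles:
        return "high: active bot pulling target lists, isolate and reimage"
    if "binary" in roles:
        return "medium: dropper downloaded, confirm whether it executed"
    return "none"
```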

  7. Re:This is just a decoy... by byornski · · Score: 1

    Good god; we better avoid anything that is only one molecule away from another!

  8. Re:This is just a decoy... by DeathElk · · Score: 3, Informative

    I'm not sure of the validity of your claims on margarine, so references would have been nice. However I used to drive past a margarine factory in Sydney most evenings and the smell coming out of that place has ensured I will never consciously eat margarine.

  9. Re:This is just a decoy... by Adambomb · · Score: 3, Funny

    hell that's nothing, Dihydrogen Monoxide is only one ATOM away from being a substance known to cause a condition called Black Hairy Tongue as well as abdominal pains, vomiting, and diarrhea!

    --
    Ice Cream has no bones.
  10. Re:$500 Million by Flere+Imsaho · · Score: 1

    TFA says "... which was known to control millions of PCs across the globe"

    I know, read TFA - what's wrong with me?

    --
    It gripped her hand gently. 'Regret is for humans,' it said.
  11. Re:It's fantastic that Microsoft takes responsibil by Anonymous Coward · · Score: 1

    There's an Android malware discussion one article up on the front page which would benefit from your pointed and unbiased opinion. I will wait patiently for your post.

  12. So $500 mil taken by future+assassin · · Score: 1

    out of the banks' hands and put right back into the economy by the perps. Nothing to see, move along....

    --
    by TheSpoom (715771) Uncaring Linux user here. I have nothing to add to this but please continue. *munches popcorn*
  13. Re: It would install key-logging tools on target s by crdotson · · Score: 1

    Sorry, do you think key loggers are impossible on Linux or something?

  14. Re:It's fantastic that Microsoft takes responsibil by gandhi_2 · · Score: 1

    A car made by GM probably will explode if attacked by hostile parties.

  15. On whose authority? by adolf · · Score: 1

    It seems I'm the only one who questions such things, but:

    On whose authority was this action pursued?

    Since when does the FBI or MSFT or RIAA or MPAA or North Korea or Anonymous or [etc] have a right to diddle with others' computers?

    What gives them (for any incarnation of "them") the authority to modify privately-owned computers?

    If it's for the indiscriminate greater good, then that seems more like military action...which I don't think the FBI is authorized to deal with, and certainly not any private US-based company.

    (To be clear: I'm happy whenever I hear about a botnet being destroyed. But I'm unhappy whenever I see the government or anyone else assuming authority where none has been granted.)

    1. Re:On whose authority? by Richard_at_work · · Score: 1

      Where has authority been assumed? The way botnets are taken down is the control nodes are eliminated, not that the infected machines are cleaned - in this case, the control servers may be gone but the end user machines are still infected, they just have nothing controlling them anymore.

      The FBI and Microsoft get warrants and court authority which allow them to seize and control digital assets that disrupt the control nodes, such as domain names, hosting space, IP routes, servers etc - they never touch the infected PCs.

    2. Re:On whose authority? by adolf · · Score: 1

      Who owns the control nodes? Who determines whether or not they are end-user machines?

      What authority do they have to disrupt them?

      (Also: In the US, corporations may not petition for warrants. If you think otherwise, I'm done with this conversation with you.)

    3. Re:On whose authority? by Richard_at_work · · Score: 1

      Who gives a fuck whether they are end user machines or not, they are control nodes and that is enough to target them.

      And I never said Microsoft on their own petitioned for a warrant, that's why they involved the FBI and that's why I said "the FBI and Microsoft...".

      And it just so happens that the court gives them the authority to disrupt them. Obviously.

    4. Re:On whose authority? by adolf · · Score: 1

      What court?

      What warrant?

      Who?

      (No, it's not obvious.)

    5. Re:On whose authority? by adolf · · Score: 1

      These rules you specify, even if they weren't related directly to RF, still would not apply: Purposefully fucking up servers != "accepting interference from other sources".

      It is, and remains, illegal to intentionally interfere with communications. Or private property in general. In the US. Today. As we speak.

      Otherwise, I still expect a law and/or a citeable court order specifically allowing such action, which may or may not involve foreign nationals and their belongings.

  16. Re: It would install key-logging tools on target s by turbidostato · · Score: 1

    "Sorry, do you think key loggers are impossible on Linux or something?"

    No. I'm simply stating that this specific key-logger is focused on Windows systems.

    For platform-specific malware I think it would be good to always mention which platforms it affects.

  17. Re:Corporations enforcing law by minstrelmike · · Score: 1

    If corporations are writing the laws, they might as well be enforcing them too ;-)

  18. From your friendly neighbourhood grammar nazi by BForrester · · Score: 1

    Takedown is a noun.
    Take down is the phrasal verb your title is looking for.

  19. Re:This is just a decoy... by Trogre · · Score: 1

    Margarine is but ONE MOLECULE away from being PLASTIC...

    That's true. In much the same way that pure water is but ONE MOLECULE away from being SULFURIC ACID.

    --
    "Nine times out of ten, starting a fire is not the best way to solve the problem." - my wife