It was all over the news. The Citadel botnet, responsible for stealing more than 500 million dollars out of bank accounts of both individuals and organizations worldwide, has been largely shut down, or so it seems if you read the breathless press. Citadel is a smarter and more sophisticated cousin of the Zeus Trojan.
Citadel is an example of Crime-as-a-Service and has been sold since 2012 in do-it-yourself crime kits that cost $2,400 or more. The malware itself is installed on workstations using social engineering: end-users were tricked with phishing and spear-phishing into clicking on links which infected their workstations.
The press release said that Redmond aligned with the FBI and authorities in 80 other countries to take down one of the world's biggest cyber crime rings. Microsoft said its Digital Crimes Unit on Wednesday took down at least 1,000 of an estimated 1,400 Citadel botnets, which infected as many as five million PCs around the world and targeted major banks.
Now, I agree that it's about freaking time these gangsters were shut down, but there is quite some collateral damage with all this hoopla. Let's have a look at what Microsoft actually did. They identified about 1,400 botnets and disrupted them by pointing the infected machines to a server operated by Redmond instead of the Command & Control servers controlled by the bad guys.
This is not new; technically it is called 'sinkholing', and it's been around for a long time. Simply put, you redirect the traffic generated by the Trojan on an infected PC to the good guys, who then warn the owner so they can clean the machine.
It so happens that a lot of security researchers had created their own sinkhole domains, and a good chunk of these Citadel botnets had already been sinkholed when Microsoft seized not only the domains of the bad guys but also the domains of the security researchers. Nearly 1,000 of the approximately 4,000 domain names seized by Microsoft had already been sinkholed by security researchers!
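To make the two preceding points concrete, here is a small sinkhole triage script. It is an added example, not code from this post, from Microsoft or from any researcher's sinkhole: it parses the kind of hit log a sinkhole web server collects once infected PCs are redirected to it, groups the infected hosts by the C&C domain they called, maps each host to the abuse contact for its netblock so the owner can be warned, and finally computes the overlap between a list of domains named in a seizure and a list of domains researchers had already sinkholed. Every domain, IP address, netblock and contact in it is a constructed placeholder; the log format is an assumption, not any real sinkhole's output.

```python
"""Sinkhole log triage: turn hits on a sinkhole server into per-owner notifications.

Added example, not code from the original post or from any of the parties it
describes. All domains, IP addresses, netblocks and owner names below are
constructed placeholders, and the log line layout is assumed.
"""
import ipaddress
from collections import defaultdict

# Constructed sample of what a sinkhole HTTP server might log once infected
# machines are redirected to it: timestamp, source IP, Host header, request.
SAMPLE_SINKHOLE_LOG = """\
2013-06-05T12:00:01Z 198.51.100.23 cc-alpha.example GET /gate.php
2013-06-05T12:00:04Z 198.51.100.23 cc-alpha.example POST /gate.php
2013-06-05T12:01:10Z 203.0.113.7 cc-beta.example POST /file.php
2013-06-05T12:02:33Z 198.51.100.77 cc-alpha.example POST /gate.php
2013-06-05T12:03:00Z 192.0.2.200 cc-gamma.example GET /gate.php
malformed line that should be skipped
"""

# Constructed ownership table: which abuse contact to warn for which range.
SAMPLE_NETBLOCKS = {
    "198.51.100.0/24": "abuse@isp-one.example",
    "203.0.113.0/24": "abuse@isp-two.example",
}


def parse_sinkhole_log(text):
    """Yield (timestamp, src_ip, domain) for each well-formed log line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        ts, src, domain = parts[0], parts[1], parts[2]
        try:
            ipaddress.ip_address(src)  # drop lines whose second field is not an IP
        except ValueError:
            continue
        yield ts, src, domain


def infected_hosts_by_domain(records):
    """Group unique infected source IPs under the C&C domain they called."""
    hosts = defaultdict(set)
    for _ts, src, domain in records:
        hosts[domain].add(src)
    return dict(hosts)


def notification_batches(records, netblocks):
    """Map each infected IP to the abuse contact for its netblock.

    IPs outside every known netblock land under "unassigned" so they are not
    silently dropped from the report.
    """
    nets = [(ipaddress.ip_network(cidr), contact) for cidr, contact in netblocks.items()]
    batches = defaultdict(set)
    for _ts, src, _domain in records:
        addr = ipaddress.ip_address(src)
        owner = next((c for net, c in nets if addr in net), "unassigned")
        batches[owner].add(src)
    return {owner: sorted(ips) for owner, ips in batches.items()}


def seizure_overlap(seized, already_sinkholed):
    """Domains a takedown would seize that researchers had sinkholed already."""
    return sorted(set(seized) & set(already_sinkholed))


if __name__ == "__main__":
    recs = list(parse_sinkhole_log(SAMPLE_SINKHOLE_LOG))
    for domain, ips in sorted(infected_hosts_by_domain(recs).items()):
        print(f"{domain}: {len(ips)} infected host(s)")
    for owner, ips in sorted(notification_batches(recs, SAMPLE_NETBLOCKS).items()):
        print(f"notify {owner}: {', '.join(ips)}")
    # Constructed lists standing in for a seizure order and a researcher's sinkhole list.
    print("collateral:", seizure_overlap(
        ["cc-alpha.example", "cc-beta.example", "cc-gamma.example"],
        ["cc-beta.example", "cc-delta.example"]))
```

The "unassigned" bucket is deliberate: a sinkhole operator who only reports hosts inside known netblocks loses sight of exactly the infections nobody is going to clean up. The overlap function is the check a takedown would need to run before seizing: any domain already in a researcher's sinkhole list is not the bad guys' infrastructure but someone else's monitoring.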
The problem is that sinkholing is just a game of whack-a-mole. Takedowns like this trigger countermeasures by the bad guys, who simply respond by using a peer-to-peer architecture instead of command & control servers, making it much harder to take them down. Cybercrime cannot be stopped with takedowns; as a matter of fact, takedowns make cybercrime worse.
You need legislation in Eastern Europe, and sufficient resources for law enforcement to take down the bad actors themselves.
(Hat Tip to Abuse.ch)