Microsoft accused of friendly fire in Citadel botnet takedown

Researchers say Microsoft disrupted their security efforts by siphoning off incoming malware data

Microsoft's shutdown of more than 1,400 Citadel botnet servers last week may have been more disruptive than the company had intended: Security researchers including Roman Hüssy, who runs the Zeus, SpyEye, and Palevo Tracker, say that Operation b54 succeeded in disrupting their ongoing security research efforts by siphoning off the malicious data they'd been tracking.

Operation b54, an effort involving Microsoft, the FBI, and other government and private agencies, entailed cutting off communication between 1,462 botnets and infected computers from all over the world that were under their control. Cyber criminals were using Citadel to steal victims' online banking information and personal identities.

The operation entailed "seizing more than 4,000 domain names and pointing them to a server operated by Microsoft," a process called sinkholing, according to Hüssy. The problem: Some of the domain names now pointing to a Microsoft server had previously been pointed at Hüssy's sinkhole at, which he'd been using to perform security research for clients. Hüssy's not alone in his thinking, either.

"As a security researcher, I spend a lot of time in researching botnets in my spare time, and is running such a sinkhole as well (in fact for years). The goal is simple: Sinkhole malicious botnet domains and report them to Shadowserver," he wrote. "A nonprofit organization like then informs the associated network owners about the infections reported by my sinkhole, in addition to infections reported by their own sinkholes and sinkholes run by other operators."

Shadowserver notifies more than 1,500 organizations and 60 national CERTs about infected computers within their responsibility, according to Hüssy. "Since Citadel domain names previously sinkholed by have been grabbed by Microsoft, Shadowserver will not be able to report the IP addresses of infected clients calling home to these domains to the network owners anymore," he wrote.

By Hüssy's calculations, partially based on discussions with similarly affected security researchers, Microsoft has seized nearly 1,000 domains that had already been sinkholed by other researchers. "In fact these ~1k domain names did no longer present a threat to Internet users, but were actually used to help to make the Internet a better place," he wrote.

Compounding the disruption, Microsoft's sinkhole is actively sending out valid configuration files to the connecting bots, according to Hüssy. These configuration files remove blocks against antivirus vendors' websites, but in the process, the main C&C configuration -- including the backup C&C domains -- get overwritten by Microsoft's servers.

"Due to this, Microsoft ensures that once a bot connects to their sinkhole, it stays there and won't try to reach out to a different C&C. In theory, this is a very good idea, and I have to say that many sinkhole operators had the same thought years ago," Hüssy wrote. "But unlike Microsoft, most of the sinkhole operators came to a different conclusion: Sending out valid configuration files de facto changes settings of a computer without the consent or knowledge of the user (computer owner). In most countries, this is violating local law."

Beyond Operation b54's adverse impact on his research and that of others, the operation isn't going to stop the criminals behind Citadel from using botnets, Hussy predicted. In fact, they may end up adapting their tactics to counter similar measures down the road. "It may even have the bad effect of criminals updating their software to prevent that such takedowns are possible in the future again (e.g.. by implementing P2P techniques like ZeuS-Licat or RSA signed C&C communication for Torpig)," he wrote.

InfoWorld reached out to Microsoft to address Hüssy's allegations. The company provided an extensive statement, attributed to Richard Boscovich, assistant general counsel for Microsoft's Digital Crimes Unit, but did not address Hüssy's concerns directly. Following is a portion of that statement:

"The security research community is doing important work on monitoring the Citadel botnet and other malware variants in the wild. Many researchers agree that the goal of research should not just be in the observation itself, but in application to help protect the public from the threat cybercrime poses.  The researchers who provided information for use in this operation did so because of their commitment to the application of research to help people on the Internet, and their willingness to share this information is a testament to their dedication. Microsoft and its partners continue to capture valuable information and evidence as a result of this operation, and we remain committed to working with the community to provide intelligence uncovered in our investigations so that the whole industry can better respond collectively to these threats."

This story, "Microsoft accused of friendly fire in Citadel botnet takedown," was originally published at Get the first word on what the important tech news really means with the InfoWorld Tech Watch blog. For the latest developments in business technology news, follow on Twitter.


Copyright © 2013 IDG Communications, Inc.

InfoWorld Technology of the Year Awards 2023. Now open for entries!