Collateral damage: Microsoft hits security researchers along with Citadel

(Publication) Google search: [1]

Abstract

“ Today, I’ve suddenly noticed that several domain names disappeared from my sinkhole. I started to investigate and noticed these are now all pointing to a server in Microsoft’s network range (199.2.137.0/24). It was quite obvious to me what had happened. Microsoft seized not only malicious domain names operated by cybercriminals to control computers infected with Citadel, but also Citadel botnet domain names that had already been sinkholed by abuse.ch awhile ago (I want to outline here that my sinkhole is appropriately tagged and clearly shows that it is actually a sinkhole of abuse.ch). I pulled down the list of Citadel domains that Microsoft seized and checked it against my sinkhole’s domain list. I was quite surprised about the result: Microsoft seized more than 300 domain names that where sinkholed by abuse.ch. I was not only surprised but also quite disappointed: Microsoft already showed similar behaviour in their operation against ZeuS last year were they seized thousands of ZeuS botnet domains, including several hundred domain names that were already sinkholed by abuse.ch. Due to this, I’ve set up a (non-public) Sinkhole Registry for LEA and security organisations to avoid similar situations in the future. I had hoped that Microsoft had learned their lesson, but apparently nothing has changed and my efforts didn’t change anything.

Bibtex

 @misc{Lua error: Cannot create process: proc_open(/dev/null): failed to open stream: Operation not permitted2013BFR1337,
   editor = {Abuse.ch},
   author = {},
   title = {Collateral damage: Microsoft hits security researchers along with Citadel},
   date = {07},
   month = Jun,
   year = {2013},
   howpublished = {\url{https://www.abuse.ch/?p=5362}},
 }