Citadel plitfi botnet report

From Botnets.fr


Botnet: Citadel
Malware:
Botnet/malware group:
Exploit kits:
Services:
Feature:
Distribution vector:
Target:
Origin:
Campaign:
Operation/Working group:
Vulnerability:
CCProtocol:
Date: 2013 / 2013-04-15
Editor/Conference: CERT Polska
Link: http://www.cert.pl/news/6900/langswitch_lang/en
Author:
Type:

Abstract

At the end of February 2013 Polish Research and Academic Computer Network and CERT Polska took over 3 domains used by one of the Citadel botnets, known as “plitfi”. All the network traffic from these domains was directed to a sinkhole server controlled by CERT Polska. Today we publish a report outlining the details of the takedown and our findings. Some of the highlights from the report are presented below.

This botnet was used to display fake messages that supposedly came from the victim’s bank, requiring her to make a wire transfer. 11 730 different machines were connecting to the sinkhole server. Over 77% of all connections originated from Poland. Almost all of the connections came either from Europe or from Japan. Citadel bots were running on Microsoft Windows operating systems from Windows XP up to Windows 7. The botnet used multiple proxy servers to hide the real C&C servers.

Bibtex

 @misc{empty2013BFR1319,
   editor = {CERT Polska},
   author = {},
   title = {Citadel plitfi botnet report},
   day = {15},
   month = apr,
   year = {2013},
   howpublished = {\url{http://www.cert.pl/news/6900/langswitch_lang/en}},
 }