Citadel plitfi botnet report
(Publication) Google search: [1]
| Citadel plitfi botnet report | |
|---|---|
| Botnet | Citadel |
| Malware | |
| Botnet/malware group | |
| Exploit kits | |
| Services | |
| Feature | |
| Distribution vector | |
| Target | |
| Origin | |
| Campaign | |
| Operation/Working group | |
| Vulnerability | |
| CCProtocol | |
| Date | 2013 / 2013-04-15 |
| Editor/Conference | CERT Polska |
| Link | http://www.cert.pl/news/6900/langswitch lang/en (Archive copy) |
| Author | |
| Type | |
Abstract
“ At the end of February 2013 Polish Research and Academic Computer Network and CERT Polska took over 3 domains used by one of the Citadel botnets, known as “plitfi”. All the network traffic from these domains was directed to a sinkhole server controlled by CERT Polska. Today we publish a report outlining the details of the takedown and our findings. Some of the highlights from the report are presented below.
This botnet was used to display fake messages, that were supposedly coming from the victim’s bank, requiring her to make a wire transfer. 11 730 different machines were connecting to the sinkhole server. Over 77% of all connections originated from Poland. Almost all of the connections were coming either from Europe or from Japan. Citadel bots were running on Microsoft Windows operating system starting from Windows XP up to Windows 7. The botnet used multiple proxy servers to hide real C&C servers.
Bibtex
@misc{Lua error: Cannot create process: proc_open(/dev/null): failed to open stream: Operation not permitted2013BFR1319,
editor = {CERT Polska},
author = {},
title = {Citadel plitfi botnet report},
date = {15},
month = Apr,
year = {2013},
howpublished = {\url{http://www.cert.pl/news/6900/langswitch_lang/en}},
}