Collateral damage: Microsoft hits security researchers along with Citadel

From Botnets.fr
Jump to navigation Jump to search

(Publication) Link to the old Wiki page : [1] / Google search: [2]

Collateral damage: Microsoft hits security researchers along with Citadel
Botnet Citadel
Malware
Botnet/malware group
Exploit kits
Services
Feature
Distribution vector
Target
Origin
Campaign
Operation/Working group Operation b54
Vulnerability
CCProtocol
Date 2013 / 2013-06-07
Editor/Conference Abuse.ch
Link https://www.abuse.ch/?p=5362 (Archive copy)
Author
Type Blogpost

Abstract

Today, I’ve suddenly noticed that several domain names disappeared from my sinkhole. I started to investigate and noticed these are now all pointing to a server in Microsoft’s network range (199.2.137.0/24). It was quite obvious to me what had happened. Microsoft seized not only malicious domain names operated by cybercriminals to control computers infected with Citadel, but also Citadel botnet domain names that had already been sinkholed by abuse.ch awhile ago (I want to outline here that my sinkhole is appropriately tagged and clearly shows that it is actually a sinkhole of abuse.ch). I pulled down the list of Citadel domains that Microsoft seized and checked it against my sinkhole’s domain list. I was quite surprised about the result: Microsoft seized more than 300 domain names that where sinkholed by abuse.ch. I was not only surprised but also quite disappointed: Microsoft already showed similar behaviour in their operation against ZeuS last year were they seized thousands of ZeuS botnet domains, including several hundred domain names that were already sinkholed by abuse.ch. Due to this, I’ve set up a (non-public) Sinkhole Registry for LEA and security organisations to avoid similar situations in the future. I had hoped that Microsoft had learned their lesson, but apparently nothing has changed and my efforts didn’t change anything.

Bibtex

 @misc{empty2013BFR1337,
   editor = {Abuse.ch},
   author = {},
   title = {Collateral damage: Microsoft hits security researchers along with Citadel},
   date = {07},
   month = Jun,
   year = {2013},
   howpublished = {\url{https://www.abuse.ch/?p=5362}},
 }