Collateral damage: Microsoft hits security researchers along with Citadel

Jump to navigation Jump to search

(Publication) Google search: [1]

Collateral damage: Microsoft hits security researchers along with Citadel
Botnet Citadel
Botnet/malware group
Exploit kits
Distribution vector
Operation/Working group Operation b54
Date 2013 / 2013-06-07
Link (Archive copy)
Type Blogpost


Today, I’ve suddenly noticed that several domain names disappeared from my sinkhole. I started to investigate and noticed these are now all pointing to a server in Microsoft’s network range ( It was quite obvious to me what had happened. Microsoft seized not only malicious domain names operated by cybercriminals to control computers infected with Citadel, but also Citadel botnet domain names that had already been sinkholed by awhile ago (I want to outline here that my sinkhole is appropriately tagged and clearly shows that it is actually a sinkhole of I pulled down the list of Citadel domains that Microsoft seized and checked it against my sinkhole’s domain list. I was quite surprised about the result: Microsoft seized more than 300 domain names that where sinkholed by I was not only surprised but also quite disappointed: Microsoft already showed similar behaviour in their operation against ZeuS last year were they seized thousands of ZeuS botnet domains, including several hundred domain names that were already sinkholed by Due to this, I’ve set up a (non-public) Sinkhole Registry for LEA and security organisations to avoid similar situations in the future. I had hoped that Microsoft had learned their lesson, but apparently nothing has changed and my efforts didn’t change anything.


   editor = {},
   author = {},
   title = {Collateral damage: Microsoft hits security researchers along with Citadel},
   date = {07},
   month = Jun,
   year = {2013},
   howpublished = {\url{}},