1,462 botnets shut down by Microsoft, FBI and financial sector
In a campaign code-named Operation b54 and authorised by a court in North Carolina, Microsoft worked with the FBI, financial services companies and other partners in order to take action against 1,462 botnets spreading the malware known as Citadel. About five million computers have been infected, with losses caused by the botnets amounting to about half a billion US dollars.
Microsoft says that it began analysing the Citadel botnets in early 2012. In the last week of May 2013, the company filed a civil suit and obtained a court order permitting it to cut communication between the 1,462 botnets and the infected computers. On 5 June, US Marshals and Microsoft staff seized command-and-control servers in New Jersey and Pennsylvania. CERTs and government agencies in other countries were also able to take action against servers, thanks to the close international cooperation between organisations, companies and agencies that was key to Operation b54.
Microsoft emphasises, however, that confiscating a few servers is certainly not enough to shut down the Citadel botnets completely. Not all Citadel servers were seized, and the several million infected computers still need to be cleaned up. In many cases, Citadel locally blocked anti-virus vendors' websites to keep users from cleaning their computers; those sites should be accessible again now.
The Citadel botnets send keylogging data to their operators, who can then find the victims' online banking login information in order to steal bank data and commit identity theft. Most of the infected computers were found in the US, Europe, Hong Kong, Singapore, India and Australia.
This is the seventh time that Microsoft has taken action against botnets with court authorisation and support from security agencies and other partners; most recently, the company worked with Symantec to take down the Bamital botnet. The latest takedown action is the second large-scale operation that the financial sector has participated in.