Citadel takedown took down security researchers too
Microsoft's takedown of 1,462 Citadel botnets last week has been questioned both for the collateral damage it caused and for its effectiveness. The Swiss security researcher behind abuse.ch reported that an estimated 25% of the domains Microsoft neutralised were sinkholes already operated by security researchers. Sophos, working from a snapshot of 72 Citadel C&C servers, states that over 50% were not on Microsoft's takedown list at all, 29% were listed and sinkholed, and 20% were listed but apparently left untouched.
Sinkholing is a technique in which a botnet's command-and-control domain is redirected to a server under a security researcher's control, where the bots' connections can be logged to measure the size and activity of the associated botnets. Microsoft's takedown consisted of sinkholing the domains it had collated by redirecting them to its own servers. That list appears to have included not only domains already sinkholed by abuse.ch but also ones belonging to other security researchers. Bots connecting to Microsoft's sinkhole appear to receive valid configuration files which remove the blocking of anti-virus domains, allowing the infected systems to update their AV and, hopefully, remove the malware.
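The two measurements described above, as an added example that is not part of the original article or of any of the parties' tools: the first function sorts a snapshot of C&C domains into the three buckets Sophos reported (not listed, listed and sinkholed, listed but still active) by checking whether each domain now resolves into the sinkhole operator's address range; the second counts unique infected hosts per domain from the access log of a sinkholed domain, which is the figure a sinkhole operator hands on to Shadowserver-style reporting. All domain names, IP ranges and log lines are constructed for the example, and the log layout (vhost, then a common-log-style record) and the assumption that a bot check-in is a POST to the `/gate` path are assumptions, not Citadel's actual protocol.

```python
"""Sinkhole-side measurements (added example; all data below is constructed).

classify_domains(): bucket a C&C snapshot into not_listed / listed_sinkholed /
                    listed_active, as in the Sophos comparison.
count_victims():    unique infected hosts per sinkholed domain from access logs.
"""
from collections import defaultdict
import ipaddress
import re

# Constructed: domains a researcher saw serving Citadel configs, with the
# address each resolved to at snapshot time.
SNAPSHOT = {
    "cc-one.example":   "203.0.113.10",
    "cc-two.example":   "198.51.100.77",   # now resolves into the sinkhole range
    "cc-three.example": "203.0.113.22",
    "cc-four.example":  "198.51.100.80",   # now resolves into the sinkhole range
    "cc-five.example":  "192.0.2.5",
}

# Constructed: the subset of SNAPSHOT that appears on the takedown list.
TAKEDOWN_LIST = {"cc-two.example", "cc-three.example", "cc-four.example"}

# Constructed: address range the takedown sinkhole answers from.
SINKHOLE_NETS = [ipaddress.ip_network("198.51.100.64/26")]


def is_sinkholed(ip: str) -> bool:
    """True if the resolved address falls inside a known sinkhole range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in SINKHOLE_NETS)


def classify_domains(snapshot=SNAPSHOT, listed=TAKEDOWN_LIST):
    """Return {bucket: [domains]} using the three categories the article cites."""
    buckets = {"not_listed": [], "listed_sinkholed": [], "listed_active": []}
    for domain, ip in sorted(snapshot.items()):
        if domain not in listed:
            buckets["not_listed"].append(domain)
        elif is_sinkholed(ip):
            buckets["listed_sinkholed"].append(domain)
        else:
            # Listed for takedown but still pointing at its original server.
            buckets["listed_active"].append(domain)
    return buckets


def bucket_shares(buckets):
    """Whole-number percentage of the snapshot in each bucket."""
    total = sum(len(v) for v in buckets.values())
    return {k: round(100 * len(v) / total) for k, v in buckets.items()}


# Constructed access log of a sinkhole: "<vhost> <client> - - [ts] "<req>" <status> <bytes>".
# The /gate path and POST check-in are assumptions for the example only.
LOG = """\
cc-two.example 203.0.113.50 - - [05/Jun/2013:10:00:01 +0000] "POST /gate HTTP/1.1" 200 512
cc-two.example 203.0.113.50 - - [05/Jun/2013:10:05:01 +0000] "POST /gate HTTP/1.1" 200 512
cc-two.example 203.0.113.51 - - [05/Jun/2013:10:05:09 +0000] "POST /gate HTTP/1.1" 200 512
cc-four.example 192.0.2.200 - - [05/Jun/2013:10:06:00 +0000] "POST /gate HTTP/1.1" 200 512
cc-two.example 198.51.100.9 - - [05/Jun/2013:10:07:00 +0000] "GET / HTTP/1.1" 404 0
cc-four.example 192.0.2.201 - - [05/Jun/2013:10:08:00 +0000] "POST /gate HTTP/1.1" 200 512
garbage line that does not parse
"""

LOG_RE = re.compile(
    r'^(?P<host>\S+) (?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d+)'
)


def count_victims(lines, beacon_method="POST"):
    """Unique client addresses per vhost, counting only bot check-ins.

    Scanner and browser hits (GET /) are ignored so they do not inflate the
    infection count; unparseable lines are counted and skipped rather than
    aborting the run. Returns ({host: unique_victims}, skipped_lines).
    """
    victims = defaultdict(set)
    skipped = 0
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            skipped += 1
            continue
        if m["method"] != beacon_method:
            continue
        victims[m["host"]].add(m["ip"])
    return {h: len(s) for h, s in victims.items()}, skipped


if __name__ == "__main__":
    buckets = classify_domains()
    for bucket, domains in buckets.items():
        print(f"{bucket:17s} {len(domains):2d}  {', '.join(domains)}")
    print("shares:", bucket_shares(buckets))
    counts, skipped = count_victims(LOG.splitlines())
    print("victims per sinkholed domain:", counts, f"({skipped} unparsed line)")
```

A real comparison would feed `SNAPSHOT` from the researcher's own resolver at the time of the takedown and `SINKHOLE_NETS` from whatever addresses the takedown party's sinkhole actually answered from; the bucketing logic itself does not change. Note that the victim count is by client address, so hosts behind shared NAT are undercounted and hosts on dynamic addresses can be counted more than once over a long window.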
The new configuration files also point the bots at microsoftinternetsafety.net as their C&C server, so that control of the botnet stays with Microsoft. The abuse.ch researcher notes that sinkhole operators had considered this course of action in the past but mostly concluded that making an unauthorised change to a computer, even one under the control of a botnet, could be read as violating local laws, and therefore decided against it.
The abuse.ch researcher criticises Microsoft's handling of the takedown, believing it will have had little effect on the cyber-criminals behind the botnets, who will most likely be back with more effective defences for their botnets. In the meantime, the Shadowserver Foundation, to which the abuse.ch researcher's sinkhole data was passed, will be unable to report on "several thousand Citadel infected computers".