Microsoft and the FBI take down more than 1000 Citadel botnets

Citadel is spyware that uses a keylogger to obtain sensitive information such as bank account details before sending the data back to the C&C servers. Microsoft has been investigating both the malware and the criminal infrastructure since early 2012. It is believed that during that period, data stolen by Citadel has been used to steal $500 million from bank accounts around the world, and that some five million people have been affected. Citadel infections are primarily concentrated in the US, Europe, Hong Kong, Singapore, India, and Australia, although it is believed that there are victims in more than 90 countries.

On June 5, Microsoft and US Marshals seized data and evidence, including servers, from two data hosting facilities in New Jersey and Pennsylvania. Microsoft also provided evidence to international CERTs so that they could take any necessary action in accordance with their own jurisdictions outside of the US. The effect has been the disruption of 1462 Citadel botnets.

The investigation, codenamed Operation b54, is, says Richard Boscovich, assistant general counsel at the Microsoft Digital Crimes Unit, “our most aggressive botnet operation to date.” It marks “the first time that law enforcement and the private sector have worked together in this way to execute a civil seizure warrant as part of a botnet disruption operation.”

Richard McFeely, an assistant director at the FBI, said, “Today’s actions represent the future of addressing the significant risks posed to our citizens, businesses, and intellectual property by cyber threats and malicious software, which are often enabled by counterfeit and unlicensed software.” That is, the creation of public-private relationships to fight cybercrime.

McFeely’s reference to ‘counterfeit software’ echoes comments from Boscovich. We found, said the latter, “that cybercriminals are using fraudulently obtained product keys created by key generators for outdated Windows XP software to develop their malware and grow their business, demonstrating another link between software piracy and global cybersecurity threats.” The solution to this particular aspect of the threat is to upgrade to a newer OS, since Vista and Windows 7/8 have features to protect against the misuse of product keys.

As with all botnet operations, this is a disruption, albeit a major disruption, rather than the destruction of Citadel. “As Reuters first reported,” continued Boscovich, “due to Citadel’s size and complexity, we do not expect to fully take out all of the botnets in the world using the Citadel malware. However, we do expect that this action will significantly disrupt Citadel’s operation, helping quickly release victims from the threat and making it riskier and more costly for the cybercriminals to continue doing business.”

Reuters explained, “While the criminals remain at large and the authorities do not know the identities of any ringleaders, the internationally coordinated take-down dealt a significant blow to their cyber capabilities.” McFeely told Reuters that the FBI is working closely with Europol and other agencies to catch the unknown criminals. Since Citadel is programmed not to attack PCs or financial institutions in Russia and Ukraine, it is believed that its operators reside there. Nevertheless, Microsoft has filed a civil lawsuit, unsealed yesterday, against the suspected ringleader John Doe No 1, aka Aquabox, who is suspected of creating and maintaining the malware.