
Microsoft defends Citadel action after criticism over sinkholing


Microsoft has defended itself after criticism was levelled at its takedown of the Citadel botnet.

In early June, Microsoft, the FBI and other companies cut off communication between 1,462 Citadel servers and the infected machines, and seized data and evidence from the botnet servers. However, the technology giant was criticised for this action by a Switzerland-based researcher, who said that the disruption also ended research being done on the botnet by independent researchers.

The researcher said that 'the problem with cyber crime is that it can't be solved with doing takedowns', and that the issue can only be solved by implementing legislation related to cyber crime, enforcing it by getting bad actors arrested, and implementing security by design at different layers.

“As outlined before, Shadowserver will no longer be able to inform network owners about several thousand Citadel infected computers because the Citadel domain names sinkholed by abuse.ch have been seized by Microsoft,” they said.

“According to Microsoft, their goal was to disturb Citadel botnet operations. In my opinion their operation didn't have any big noteworthy impact on Citadel, rather than disturbing research projects of several security researchers and non-profit organisations, including abuse.ch. In my opinion, Operation b54 was nothing more than a PR campaign by Microsoft.”

The researcher said that other sinkhole operators had confirmed that several dozen, and for some operators even hundreds, of the Citadel domain names they had sinkholed had been seized by Microsoft.

“Calculating the numbers together, I can say that nearly 1,000 domain names out of the 4,000 domain names seized by Microsoft had already been sinkholed by security researchers,” they said.

 

“In fact these 1,000 domain names no longer presented a threat to internet users, but were actually being used to help make the internet a better place.”
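
The dispute above turns on what a sinkhole actually provides: an operator who controls a botnet's C2 domain sees the infected hosts check in, maps their source addresses to network owners, and sends those owners victim notifications. When a domain that is already sinkholed is seized and pointed at somebody else's infrastructure, the original operator's feed for those hosts simply stops. The following Python is an added illustration of that mechanism and is not part of the original article, nor code from abuse.ch, Shadowserver or Microsoft. The check-in log lines, the prefix-to-owner table and the domain names are constructed for the example (RFC 5737 documentation ranges); a real feed would use the operator's own log format and BGP or whois data for the owner lookup.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of sinkhole check-in records (not real Citadel telemetry):
# timestamp, source IP of the infected host, C2 domain the bot resolved, request path.
# One deliberately malformed line is included to show that the parser skips it.
SINKHOLE_LOG = """\
2013-06-05T10:01:12Z 203.0.113.7 cit-update.example.net /file.php
2013-06-05T10:01:15Z 203.0.113.7 cit-cfg.example.org /file.php
2013-06-05T10:02:40Z 198.51.100.23 cit-cfg.example.org /file.php
2013-06-05T10:03:01Z 192.0.2.200 cit-update.example.net /file.php
2013-06-05T10:03:05Z 192.0.2.201 cit-update.example.net /file.php
2013-06-05T10:04:44Z 198.51.100.23 cit-update.example.net /file.php
2013-06-05T10:05:09Z 203.0.113.99 bad-backup.example.com /file.php
2013-06-05T10:05:30Z not-an-ip cit-cfg.example.org /file.php
"""

# Constructed prefix -> network owner / abuse contact table. In practice this is
# a BGP prefix table or whois lookup; here it is a hypothetical in-memory map.
NETWORK_OWNERS = {
    "203.0.113.0/24": "ISP-A abuse@isp-a.example",
    "198.51.100.0/24": "Hosting-B abuse@hosting-b.example",
    "192.0.2.0/24": "University-C security@uni-c.example",
}


def parse_checkins(log_text):
    """Parse one check-in per line into (ip, domain) tuples, skipping malformed lines."""
    records = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        try:
            ip = ipaddress.ip_address(parts[1])
        except ValueError:
            continue  # unparseable source address: drop the line rather than crash the feed
        records.append((ip, parts[2].lower()))
    return records


def owner_for(ip):
    """Longest-prefix-free lookup over the constructed table (prefixes do not overlap here)."""
    for prefix, owner in NETWORK_OWNERS.items():
        if ip in ipaddress.ip_network(prefix):
            return owner
    return "unknown"


def victim_reports(records):
    """Group distinct infected IPs by network owner: the per-owner notification a sinkhole feed sends."""
    reports = defaultdict(set)
    for ip, _ in records:
        reports[owner_for(ip)].add(str(ip))
    return {owner: sorted(ips) for owner, ips in reports.items()}


def visibility_after_seizure(records, seized_domains):
    """Return (hosts_before, hosts_after, lost_hosts).

    Once seized domains are re-pointed elsewhere, check-ins to them no longer reach
    this sinkhole. Hosts that were only ever seen via a seized domain drop out of
    the feed entirely; hosts that also beacon to an unseized domain stay visible.
    """
    seized = {d.lower() for d in seized_domains}
    before = {str(ip) for ip, _ in records}
    after = {str(ip) for ip, d in records if d not in seized}
    return len(before), len(after), sorted(before - after)


def seizure_overlap(seized_domains, sinkholed_domains):
    """Domains in a seizure list that researchers had already sinkholed (case-insensitive)."""
    return sorted({d.lower() for d in seized_domains} & {d.lower() for d in sinkholed_domains})


if __name__ == "__main__":
    recs = parse_checkins(SINKHOLE_LOG)
    for owner, ips in victim_reports(recs).items():
        print(f"notify {owner}: {', '.join(ips)}")
    before, after, lost = visibility_after_seizure(recs, ["cit-update.example.net"])
    print(f"visible hosts before seizure: {before}, after: {after}, lost: {lost}")
```

The last function reflects the researcher's arithmetic: intersecting a seizure list with the operators' sinkhole lists gives the count of domains that were already neutralised, and `visibility_after_seizure` shows why that matters for notification rather than for threat reduction.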

 

In a statement sent to SC Magazine, Richard Boscovich, assistant general counsel of the Microsoft Digital Crimes Unit, said that the first priority for Microsoft and its partners, including its research partners, in this operation was to help ensure swift victim recovery from this malware.

“However, we are committed to providing essential information from our sinkholes to additional key researchers working to support victim remediation as quickly as possible, and to taking steps to evolve the coordination of such efforts in future operations,” he said.

 

Asked if he felt that this was a successful effort in disrupting a botnet in view of this criticism, Boscovich said: “We believe this was a very successful disruptive action, and are confident that we were able to sever most of the Citadel botnets we set out to target. This was also an extremely challenging operation, technologically and logistically, and we're extremely pleased with what we're seeing.

 

“As stated from the outset, the goal of this operation was to protect the public by strategically disrupting Citadel's operation, helping to quickly release victims from the threat, and making it riskier and more costly for the cyber criminals to continue doing business.

 

“As we have done in prior botnet operations, Microsoft is now able to use the intelligence gained from this operation to partner with organisations around the world to help rescue people's computers from the control of Citadel, helping to reduce the size of the ongoing threat that these botnets pose, and make the Internet safer for consumers and businesses worldwide.”

 

He went on to say that Microsoft was working closely with key researchers to further protect the public from Citadel, and that the security research community was doing important work in monitoring this threat and other malware variants in the wild.

“Microsoft is working to get essential information from our system as quickly as possible to researchers such as Shadowserver to support victim notification, and most importantly, remediation,” he said.

 

“Microsoft's commitment to trustworthy partnership with the research and enforcement community to help protect the public from cyber threats remains unchanged. We will continue to partner with the security community around the world in our disruptive actions as we strive to help protect our customers and increase the risk and costs for cyber crime to both deter crime and put cyber criminals out of business.”

 
