Microsoft's anti-botnet tactics draw fire from security crews

Microsoft has come under fire for the recent takedown of the Citadel botnet, which some security researchers claim disrupted their legitimate operations while having no long-lasting impact on Internet security.

Last week, Microsoft announced that it had disrupted more than 1400 botnets using the Citadel malware, which affected more than 5 million people worldwide. Microsoft called the action Operation b54.

The criminal operation distributed keylogging malware that recorded the victims' usernames and passwords when logging into banking and other web sites. Losses tied to Citadel exceeded $500 million, said Microsoft.

Busting bots or not?

Citadel was the seventh Microsoft-led operation against botnets. While some researchers commend the company for causing financial pain to cybercriminals, other researchers see the operations as public relations stunts that run roughshod over their work to battle botnets.

A Swiss researcher in the nonprofit organization abuse.ch said in a recent blog post that roughly a quarter of the 4000 domain names seized by Microsoft and redirected to its server were actually pointed to the systems of researchers gathering information on Citadel.


"In my opinion, [Microsoft's] operation didn't have any big noteworthy impact on Citadel, rather than disturbing research projects of several security researchers and non-profit organizations, including abuse.ch," the unidentified researcher said. "In my opinion, Operation b54 was nothing more than a PR campaign by Microsoft."

Infected computers in a botnet use the domain names in communicating with command-and-control (C&C) servers that send back configuration files containing many settings, such as where to send stolen data. Researchers will often seize the domain names and redirect the infected computers to their servers, called sinkholes, to study the botnet.

In the case of abuse.ch, the information it gathers is handed over to another nonprofit research organization, the Shadowserver Foundation. Shadowserver forwards the information it receives from researchers to more than 1500 organizations and 60 national Computer Emergency Response Teams (CERTs).

The data gathered by researchers include the IP addresses of infected systems. This is particularly important because organizations associated with Shadowserver can check whether any of the systems are on their networks.
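The two paragraphs above describe the defensive value of sinkhole data: a researcher's sinkhole logs which public IP addresses check in for a Citadel configuration, and the organizations that receive the feed check those addresses against their own networks. The following is an added example of that check and is not code from the article, abuse.ch or Shadowserver. The CSV layout, the report rows and the organization's netblocks are constructed for illustration (all addresses are from the RFC 5737 documentation ranges or RFC 1918), so the column names are assumptions rather than any real feed format.

```python
import csv
import ipaddress
from io import StringIO

# Constructed sample sinkhole report (not a real feed). The column names are
# assumed for this example; the addresses are RFC 5737 documentation ranges.
SAMPLE_REPORT = """timestamp,ip,port,asn,hostname,malware
2013-06-10 08:12:01,198.51.100.23,49152,64496,ws-23.example-corp.test,citadel
2013-06-10 08:12:05,203.0.113.77,51322,64497,gw.example-isp.test,citadel
2013-06-10 08:13:44,198.51.100.200,49160,64496,lab-vm.example-corp.test,citadel
2013-06-10 08:14:02,10.0.0.5,1025,,,citadel
2013-06-10 08:15:30,not-an-ip,1025,,,citadel
"""

# Hypothetical netblocks owned by the organization receiving the feed.
ORG_NETBLOCKS = ["198.51.100.0/24", "192.0.2.0/25"]

# A sinkhole only ever sees the public address a victim (or its NAT gateway)
# connected from, so an RFC 1918 address in a report row is a data error.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_report(text):
    """Parse a CSV sinkhole report into a list of row dicts."""
    return list(csv.DictReader(StringIO(text)))


def find_hits(rows, netblocks):
    """Return (hits, skipped).

    hits    - rows whose source IP lies inside one of the organization's
              netblocks, each tagged with the netblock it matched
    skipped - number of rows ignored because the IP could not be parsed or
              is a private (RFC 1918) address that no sinkhole should report
    """
    nets = [ipaddress.ip_network(n, strict=True) for n in netblocks]
    hits, skipped = [], 0
    for row in rows:
        try:
            addr = ipaddress.ip_address(row["ip"].strip())
        except ValueError:
            skipped += 1
            continue
        if any(addr in priv for priv in RFC1918):
            skipped += 1
            continue
        for net in nets:
            if addr in net:
                hits.append({
                    "timestamp": row["timestamp"],
                    "ip": str(addr),
                    "hostname": row.get("hostname", ""),
                    "network": str(net),
                })
                break  # netblocks are expected not to overlap
    return hits, skipped


def summarize(hits):
    """Count hits per netblock so the largest clusters can be triaged first."""
    counts = {}
    for hit in hits:
        counts[hit["network"]] = counts.get(hit["network"], 0) + 1
    return counts


if __name__ == "__main__":
    rows = parse_report(SAMPLE_REPORT)
    hits, skipped = find_hits(rows, ORG_NETBLOCKS)
    for hit in hits:
        print(f"{hit['timestamp']}  {hit['ip']:<16} {hit['hostname']:<28} in {hit['network']}")
    print(f"{len(hits)} hit(s) on our netblocks, {skipped} row(s) skipped")
    print(summarize(hits))
```

Two rows match the organization's netblocks here; the private and unparsable rows are counted rather than silently dropped, because a feed that suddenly contains many such rows is itself worth noticing. Matching on the public address only tells you which NAT gateway the victim sits behind, so the next step inside the organization is correlating the timestamp with proxy or NAT logs to find the actual host.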

Promises to alert the infected systems

Microsoft said it plans to send information from its sinkholes to "key researchers," such as Shadowserver, so victims can be notified and their computers cleaned of malware.

"As stated from the outset, the goal of this operation was to protect the public by strategically disrupting Citadel's operation, helping quickly release victims from the threat and making it riskier and more costly for the cybercriminals to continue doing business," said Richard Boscovich, assistant general counsel for Microsoft Digital Crimes Unit, last week.


Also irking some researchers are configuration files Microsoft sends to the computers of victims trapped in a botnet. In the case of Citadel, the files notified victims their systems were infected and freed the computers to download anti-virus software to remove the malware. Within the configuration files distributed by the botnet operators was a module preventing infected computers from downloading antivirus applications.

While supporting Microsoft's operation in general, Chester Wisniewski, a senior security adviser for Sophos, said some security pros are against any vendor modifying a person's computer without permission, even if the intention is good. "For some of the more hardcore security research people, that's a very dangerous precedent to set," he said.

Boscovich argued that Microsoft did not change victims' computers, but rather brought them back to the state they were in before the infection. In addition, the federal court order that permitted Microsoft and the Federal Bureau of Investigation to disrupt the botnet also allowed the company to distribute configuration files to any infected computer checking into the "U.S.-based command and control structure for Citadel under the court's jurisdiction."

"For command-and-control infrastructure in other countries, we have relied on the voluntary assistance of CERTs in each country to determine the appropriate approach, pursuant to local law and considerations," Boscovich said.

Other weapons

Rather than flashy botnet takedowns, some researchers believe stronger laws, tougher enforcement, and designing security into the application, network and operating system layers of a computer would be more effective.

Microsoft's strategy of seizing domain names to disrupt botnets can provoke cybercriminals into taking more damaging action, according to the abuse.ch researcher. For example, in 2011, when researchers were aggressively shutting down the command-and-control domains of the ZeuS-Licat botnet (also known as Murofet), the operators switched to a peer-to-peer architecture for distributing commands to infected systems.

Such an architecture made the botnet traffic harder to detect on the networks of Internet service providers and even harder to block, the blog said.

While experts agree that Microsoft damaged the Citadel botnet, they also say the operators will be back. "This is a big blow to the criminals, but it certainly isn't going to put them out of business," Wisniewski said.
