Microsoft defends sinkholing Citadel

Microsoft has defended itself after criticism was leveraged following its takedown of the Citadel botnet.

In early June, Microsoft and the FBI severed communication between 1462 Citadel servers and seized data and evidence from the botnet servers.

The technology giant was criticised by Switzerland-based ShadowServer researcher who said that the disruption also killed research into the botnet by independent researchers.

They said cyber crime could only be solved with enforced legislation not takedowns.

“Shadowserver will no longer be able to inform network owners about several thousand Citadel infected computers because the Citadel domain names sinkholed by abuse.ch has been seized by Microsoft,” they said.

“In my opinion their operation didn't have any big noteworthy impact on Citadel, rather than disturbing research projects of several security researchers and non-profit organisations, including abuse.ch.

"In my opinion, operation b54 was nothing more than a PR campaign by Microsoft.”

The researcher said hundreds of Citadel domain names they had sinkholed were seized by Microsoft.

“...nearly 1000 domain names out of the 4000 domain names seized by Microsoft had already been sinkholed by security researchers,” they said.

“In fact these 1000 domain names did no longer present a threat to internet users, but were actually used to help to make the internet a better place.”

 Microsoft Digital Crimes Unit assistant general counsel Richard Boscovich said the first priority was to help ensure swift victim recovery from the malware.

“However, we are committed to providing essential information from our sinkholes to additional key researchers working to support victim remediation as quickly as possible, and to taking steps to evolve the coordination of such efforts in future operations,” he said.

Asked if he felt that this was a successful effort in disrupting a botnet in view of this criticism, Boscovich said: “We believe this was a very successful disruptive action, and are confident that we were able to sever most of the Citadel botnets we set out to target. This was also an extremely challenging operation, technologically and logistically, and we're extremely pleased with what we're seeing.

“As stated from the outset, the goal of this operation was to protect the public by strategically disrupting Citadel's operation, helping to quickly release victims from the threat, and making it riskier and more costly for the cyber criminals to continue doing business.

“As we have done in prior botnet operations, Microsoft is now able to use the intelligence gained from this operation to partner with organisations around the world to help rescue people's computers from the control of Citadel, helping to reduce the size of the ongoing threat that these botnets pose, and make the Internet safer for consumers and businesses worldwide.”

He went on to say that Microsoft was working closely with key researchers to further protect the public from Citadel, and the security research community is doing important work on monitoring this threat and other malware variants in the wild.

“Microsoft is working to get essential information from our system as quickly as possible to researchers such as Shadowserver to support victim notification, and most importantly, remediation,” he said.

“Microsoft's commitment to trustworthy partnership with the research and enforcement community to help protect the public from cyber threats remains unchanged. We will continue to partner with the security community around the world in our disruptive actions as we strive to help protect our customers and increase the risk and costs for cyber crime to both deter crime and put cyber criminals out of business.”

This article originally appeared at scmagazineuk.com