Just two months after Microsoft helped take over the Citadel botnet, the company is saying they have taken down 88 percent of the enterprise.
Citadel is a Trojan that steals financial information from a variety of sources. It started as a version of the Zeus malware and moved up in the ranks when attackers wanted to grab larger amounts of money from victims.
Citadel gave attackers the ability to steal user names and passwords for online banking sites, and was able to build thousands of individual botnets around the world.
In June, Microsoft and law enforcement agencies and other security companies, fired up operation that helped disrupt quite a few of the Citadel-based botnets. Working with U.S. Marshals, the company was able to physically remove from data centers some servers used by Citadel botmasters.
The Citadel operation was the latest in a string of anti-botnet maneuvers conducted by the company over the last few years. Microsoft also has been involved in operations that helped take down botnets such as Kelihos, Bamital, Nitol and others.
Part of the operation involved Microsoft sinkholing thousands of domains used by Citadel botmasters for command and control purposes. But, some of those domains turned out to be sinkholes that malware researchers had set up previously in order to track Citadel’s operations. A couple of days after the takedown of Citadel, a Swiss security researcher said several hundred of his sinkholed domains ended up redirected to Microsoft’s servers.
Microsoft officials said Operation b54, the code name for the Citadel takedown, was a success and has made a difference in the botnet’s ability to operate.
“According to our data, as of July 23, our coordinated action against the threat has disrupted roughly 88 percent of the Citadel botnets operating worldwide. In addition, our analysis shows that approximately 40 percent of the computers we believe to have been infected with Citadel and directly impacted by our operation have been cleaned since the time of our action in June, and we continue to work with others to help clean the remaining victims. As I stated in a recent blog post sharing our initial revelations from this operation, we believe that this was a very successful action, and we continue to be pleased with the positive results we’re seeing,” said Richard Boscovich of the Microsoft Digital Crimes Unit.