Microsoft and FBI Tackle Citadel Banking Trojan
Microsoft is better known as a software provider than as an international crime-fighter, but its recent operations against Russian cybercriminals may change some minds.
In a joint operation with the FBI, Microsoft yesterday (June 5) took down more than 1,000 botnets controlled by the Citadel banking Trojan.
Citadel is a particularly nasty banking Trojan that has targeted customers of major financial institutions, including Citigroup, JPMorgan Chase and Bank of America, among others.
Over the last year and a half, Citadel has cost the banks, which must reimburse losses from consumer accounts, more than $500 million, according to Reuters. (Commercial bank accounts are not always reimbursed, and many small businesses have lost millions.)
Banking Trojans operate by infecting Web browsers, often via a "drive-by download" from a corrupted website, although Microsoft said pirated copies of Windows were also used in this case.
A banking Trojan will lie dormant until the infected browser accesses an online bank account, at which point the Trojan captures the login information and passes it to a human controller, typically in Eastern Europe.
After being infected by Citadel malware, computers also often get drafted into a botnet.
Botnets allow criminals to leverage remote computers for spam attacks and malware distribution; they also provide criminals with the means to steal financial information and fill their own coffers.
To spearhead its counterattack, Microsoft filed a civil lawsuit in North Carolina yesterday against an online criminal known only as "Aquabox," as well as 81 other unnamed conspirators.
The lawsuit, in all likelihood, will not accomplish much, since Aquabox is unlikely to show up in his own defense.
Furthermore, Aquabox is probably located in Russia or Ukraine. Accordingly, Microsoft filed the suit in both English and Russian.
A bank hacker could operate from anywhere in the world, but Citadel's targets are telling. The malware has stolen from companies all across North America, Europe, Asia and Australia, but has bypassed Russian and Ukrainian institutions. Western experts assume that Russian police will mostly ignore domestic cybercriminals who attack only foreign targets.
Microsoft and the FBI collaborated in a venture called "Operation b54," which successfully took down 1,000 of Citadel's 1,400 botnets by seizing command-and-control servers worldwide.
About 455 of the seized servers were in the U.S. Russian cybercriminals often use assumed names to rent server space from American hosting companies.
While the Citadel operation will recover, Richard Boscovich of the Microsoft Digital Crimes Unit points out that Operation b54 has bought infected users time to repair their systems.
"Citadel blocked victims' access to many legitimate anti-virus/anti-malware sites, making it so people may not have been able to easily remove this threat from their computer," Boscovich wrote in an official Microsoft blog posting.
Now that users can remove the harmful software from their machines, Citadel's convalescence may prove slow and anemic.
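A defender-side check for the behaviour Boscovich describes, added here as an example and not taken from the article or from Microsoft: it assumes the blocking was done through hosts-file overrides (a technique the article does not name) and scans a constructed hosts file for security-vendor domains pinned to loopback or third-party addresses. The vendor list is an assumption for the example.

```python
import ipaddress

# Vendor domains to watch; this list is an assumption for the example,
# not taken from the article or from any vendor.
WATCHED_SUFFIXES = (
    "microsoft.com", "windowsupdate.com", "symantec.com", "mcafee.com",
    "kaspersky.com", "avast.com", "malwarebytes.org",
)

# Constructed sample: the first two entries are normal, the rest imitate
# the kind of overrides that cut victims off from security sites.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.microsoft.com
0.0.0.0         update.microsoft.com
192.0.2.10      www.kaspersky.com
"""

def parse_hosts(text):
    """Yield (ip_address, hostname) pairs, skipping comments and junk lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # not a valid address; ignore the line
        for host in fields[1:]:
            yield ip, host.lower()

def is_watched(host):
    """True if host is a watched vendor domain or one of its subdomains."""
    return any(host == s or host.endswith("." + s) for s in WATCHED_SUFFIXES)

def find_overrides(text):
    """Return [(hostname, ip, kind)] for watched domains pinned in the hosts file.
    'blocked' = loopback/unspecified address; 'redirected' = anything else."""
    findings = []
    for ip, host in parse_hosts(text):
        if is_watched(host):
            kind = "blocked" if ip.is_loopback or ip.is_unspecified else "redirected"
            findings.append((host, str(ip), kind))
    return findings
```

On a real machine the same function can be run over the contents of `C:\Windows\System32\drivers\etc\hosts` or `/etc/hosts`; any finding means the file has been edited to override DNS for a security site and should be cleaned up before attempting an online scan.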
Since cybercrime happens across international borders, Boscovich also hopes that Operation b54 will set the tenor for future counterattacks.
"Operation b54 serves as a real world example of how public-private cooperation can work effectively within the judicial system, and how 20th century legal precedent and common law principles dating back hundreds of years can be effectively applied toward 21st century cybersecurity issues," Boscovich wrote.
This is not the first time Microsoft has tackled cybercriminal botnets.
In March 2012, Microsoft brought down 800 botnets created by the Zeus banking Trojan but under the control of different criminal groups.
Whereas Zeus is used by many different criminal groups, Citadel is used by only one. Because of that, Microsoft and the FBI may be able to figure out Aquabox's identity and put a stop to Citadel once and for all.
Cybercrime is generally profitable because it's easy to do and hard to get caught, but if Operation b54 is any indication, that could change soon.