Microsoft disrupts cybercrime networks that stole $500M
Citadel malware infects millions in 90 countries
Microsoft Corp., the FBI and other partners have taken down more than 1,400 networks of malware-infected computers that are estimated to have been used to steal $500 million from bank customers and businesses worldwide. The malware recorded victims' keystrokes to capture financial logins and passwords.
The company successfully disrupted botnets controlling millions of computers via a type of malware called Citadel, Microsoft said in a news release Wednesday.
The malware, which is estimated to have affected more than five million people in more than 90 countries, records the keystrokes of people who use infected computers. That allows the criminals controlling the software to steal login information and passwords when the victims do online banking or access other online accounts.
What is a botnet?
A botnet, or robot network, is a group of web-linked computers — sometimes called zombies — that have been commandeered, in some instances by criminals, to perpetrate all kinds of online nastiness.
Typically a 'bot' is installed on a machine through a trojan, an insidious program that can find its way into an insufficiently protected computer in a variety of ways, such as when a user clicks on a link to an infected web page or e-mail message, views an infected document, or runs an infected program.
Once the bot has made itself at home, it "opens the doors" of its new host computer to its master, who can instruct the machine to engage in various nefarious activities such as sending out spam and phishing e-mails, or launching distributed denial-of-service (DDoS) attacks.
In some cases, these nasty little robots can steal personal data and return it to a central site to be used for identity theft purposes.
Microsoft took down the botnets Wednesday by sending employees, escorted by the U.S. Marshals, to seize computer servers from two data hosting facilities in New Jersey and Pennsylvania along with other data and evidence from the botnets, the company said in a news release.
The seizure was authorized by a North Carolina court after Microsoft filed a civil suit against the cybercriminals operating the Citadel botnets last week.
Meanwhile, the U.S. Federal Bureau of Investigation obtained and served court-authorized search warrants related to the botnets, the FBI said on its news blog Thursday.
Microsoft and the FBI have since provided information to the international Computer Emergency Response Teams and foreign law enforcement, respectively, so they can take action on botnet servers located outside the U.S. if they choose to do so.
Botnets likely not fully eliminated: Microsoft
"Due to the size and complexity of the threat, Microsoft and its partners do not expect to fully eliminate all of the botnets using Citadel," Microsoft said in a statement.
"However, it is expected that this action will significantly disrupt the botnets’ operation, making it riskier and more expensive for the cybercriminals to continue doing business and allowing victims to free their computers from the malware."
Microsoft said it will work with internet service providers and Computer Emergency Response Teams around the world to notify people if their computer is infected with Citadel. Those who are infected are urged to remove it using anti-virus or malware-removal software, such as free tools offered by Microsoft.
The company added that product key generators for outdated Windows XP software were used to help develop the malware.
"This discovery showcases that in addition to exercising safe online practices like running modern, updated and legitimate software and using firewall and antivirus protection, people also need to be using modern versions of Windows software to better prevent malware, fraud, and identity theft," Microsoft said.
Microsoft and the FBI worked in partnership with the Financial Services — Information Sharing and Analysis Center (FS-ISAC), NACHA — The Electronic Payments Association, the American Bankers Association (ABA) and technology companies Agari, A10 Networks and Nominum.