(Naked Security) by James Wyke – As we mentioned last week, Microsoft recently fought back against more than 1,400 Citadel botnets by sinkholing their Command and Control (C&C) infrastructure.
SophosLabs has been monitoring Citadel for some time, including individual botnets such as those targeting Canadian institutions, so I decided to take a closer look at the impact of the takedown.
I took a snapshot of the active Citadel botnets we are currently seeing and cross-referenced 72 C&C servers with the list published by Microsoft.
Then, I verified where the DNS records of those servers were now pointing.
Worryingly, I found that 51% of the 72 domains analysed did not appear in Microsoft’s published list.
A more worrying 20% of the Citadel domains were on Microsoft’s list but were not ending up at the sinkhole.
This implies either that the sinkholing was unsuccessful or that the domains have already been re-appropriated by the Citadel botnet owners.
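As an added illustration of the check just described (example code written for this page, not SophosLabs' tooling or the article's own data), the script below takes a snapshot of observed C&C domains, cross-references them with a published takedown list, and then classifies each one by where its current A records point. The domain names, the address records and the sinkhole range are constructed placeholders from the RFC 2606 and RFC 5737 documentation ranges; the real Microsoft sinkhole addresses are not given on this page and are simply assumed here.

```python
"""Re-check a botnet takedown: which observed C&C domains are on the
published seizure list, and do they actually resolve to the sinkhole?

Added example for this page; every domain, address and the sinkhole
range below is a constructed placeholder, not data from the article.
"""
import ipaddress
from collections import Counter

# Constructed: C&C domains seen in the wild (not the real 72).
OBSERVED_CC = [
    "cnc-01.invalid", "cnc-02.invalid", "cnc-03.invalid", "cnc-04.invalid",
    "cnc-05.invalid", "cnc-06.invalid", "cnc-07.invalid", "cnc-08.invalid",
    "cnc-09.invalid", "cnc-10.invalid",
]

# Constructed: the subset that the takedown notice claims to have seized.
PUBLISHED_LIST = {"cnc-01.invalid", "cnc-02.invalid", "cnc-03.invalid",
                  "cnc-04.invalid", "cnc-05.invalid"}

# Constructed: current A records per domain (empty list = no answer).
DNS_SNAPSHOT = {
    "cnc-01.invalid": ["198.51.100.10"],
    "cnc-02.invalid": ["198.51.100.11"],
    "cnc-03.invalid": ["203.0.113.5"],                   # still live elsewhere
    "cnc-04.invalid": ["198.51.100.12", "203.0.113.6"],  # only partly sinkholed
    "cnc-05.invalid": [],                                # NXDOMAIN / no answer
    "cnc-06.invalid": ["203.0.113.7"],
    "cnc-07.invalid": ["203.0.113.8"],
    "cnc-08.invalid": ["203.0.113.9"],
    "cnc-09.invalid": ["203.0.113.10"],
    "cnc-10.invalid": ["203.0.113.11"],
}

# Assumed sinkhole range; the real addresses are not given on the page.
SINKHOLE_NETS = [ipaddress.ip_network("198.51.100.0/24")]


def in_sinkhole(ip, nets=SINKHOLE_NETS):
    """True if the address falls inside any of the sinkhole networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def classify(domain, published=PUBLISHED_LIST, dns=DNS_SNAPSHOT,
             nets=SINKHOLE_NETS):
    """One label per domain: not_on_list, sinkholed, on_list_not_sinkholed
    or on_list_no_answer. A domain counts as sinkholed only if *every*
    address it returns is inside the sinkhole range; a mixed answer means
    a bot may still reach a live controller."""
    if domain not in published:
        return "not_on_list"
    ips = dns.get(domain, [])
    if not ips:
        return "on_list_no_answer"
    if all(in_sinkhole(ip, nets) for ip in ips):
        return "sinkholed"
    return "on_list_not_sinkholed"


def summarise(observed=OBSERVED_CC, published=PUBLISHED_LIST,
              dns=DNS_SNAPSHOT, nets=SINKHOLE_NETS):
    """Return (counts, percentages) of each label over the observed set."""
    counts = Counter(classify(d, published, dns, nets) for d in observed)
    total = len(observed)
    pct = {label: 100.0 * n / total for label, n in counts.items()}
    return counts, pct


if __name__ == "__main__":
    counts, pct = summarise()
    for label in ("sinkholed", "on_list_not_sinkholed",
                  "on_list_no_answer", "not_on_list"):
        print(f"{label:24s} {counts.get(label, 0):3d} "
              f"{pct.get(label, 0.0):5.1f}%")
```

In practice DNS_SNAPSHOT would be filled from a resolver's current A-record answers rather than typed in, and the "on_list_not_sinkholed" bucket is the one to triage: it covers both a seizure that never took effect and a domain the operators have since re-registered, and the two are only distinguishable from registration history, not from DNS alone.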
Furthermore, as described by Swiss researchers at abuse.ch, Microsoft has caused the same sort of collateral damage as in its last Zeus botnet takedown.
As well as sinkholing the Zeus malware servers, Microsoft also knocked out many sinkhole servers that belonged to security researchers, who had been providing a valuable public service by notifying system administrators that they had infected computers on their networks…