For over a year, Microsoft and its partners in the financial services community watched a big botnet operation siphon millions of dollars from victims. On Wednesday night, Microsoft announced that in coordination with the FBI, it had moved in to disrupt the massive botnet-based crime ring known as Citadel.

Richard Boscovich, assistant general counsel in the Microsoft Digital Crimes Unit, told eSecurity Planet that there were more than 1,400 botnets associated with this malware. As such, it took Microsoft and its partners a significant amount of time to locate all of the Citadel botnets operating around the world.

"This was a lengthy process and we relied heavily on our financial services and technology industry partners to ensure that we would be able to take aggressive action against this threat," Boscovich said.


The Citadel malware infected PCs with a keylogger that monitored user activity on financial websites. The malware infected more than five million people across 90 countries and stole more than $500 million in assets.

How Did Citadel Malware Infect PCs?

There are a number of different ways that computers were infected with the Citadel malware. Boscovich noted that infection methods included spam, online ads and social engineering attacks that tricked a victim into clicking on a file or link that enables malware to run on their computer.

While anti-virus software is always a recommended best practice for consumer PCs, in the case of Citadel, getting anti-virus to run might have been an issue for some victims.

"Microsoft’s research also showed that before Microsoft and its partners disrupted the Citadel botnets, the threat blocked victims’ access to many legitimate anti-virus and anti-malware sites, preventing the sites’ tools from being able to remove the threat from victims’ computers," Boscovich said. "With this disruptive action, victims will regain access to these sites. As such, it is possible that the tools of these anti-virus and anti-malware programs may automatically remove the infection from victims’ computers."

So how did Microsoft and its partners track down and discover the Citadel botnet in the first place?

"Microsoft used both proprietary and industry partner tools to identify the alleged operators of the botnets," Boscovich explained. "Specifically, the tools we used included those provided by Agari, the financial services industry leaders, and other technology industry partners."

Zeus Descendant

According to a blog post from Symantec, the Citadel malware has been around since 2011 and is derived from the Russian-created Zeus. It is sold on underground forums as a kit that equips hackers with payload builders, a command and control server infrastructure and even configuration scripts to target various banks.

More than three-quarters of the attacks targeted financial users in three countries: the U.S., Australia and Italy.

Citadel's creators built in advanced features such as a tool that allows botmasters to use browser injection technology to more quickly push out malware.

Citadel Malware: Lessons Learned

The Citadel disruption has yielded lessons that will help Microsoft and others limit the risk of some attacks in the future. Boscovich noted that although this case is ongoing, Microsoft is using the intelligence gained from this operation to work with Internet service providers (ISPs) and computer emergency response teams (CERTs) around the world to advance victim cleanup efforts to the greatest extent possible.

"Microsoft will be making this information available through its Cyber Threat Intelligence Program (C-TIP), including the recently-announced cloud-based version of the program," Boscovich said. "Additionally, we will also use this information to build greater intelligence and to inform our next steps."

Overall, though, Boscovich stressed that PC users should continue to practice good computer hygiene, keep their systems up to date and avoid clicking on unknown links.

Microsoft has posted additional information and tools for malware cleaning at: http://support.microsoft.com/botnets.

Sean Michael Kerner is a senior editor at eSecurity Planet and InternetNews.com. Follow him on Twitter @TechJournalist.