Tag Archives: citadel

Collateral Damage: Microsoft Hits Security Researchers along with Citadel

Before I start this blog post, I would like to express that it is not my intention to offend any person or organisation. Please understand that I’m currently very disappointed and in some ways angry because of the story described below.

Operation b54

As most of you have already read in the press, the Microsoft Digital Crimes Unit (DCU) recently carried out an operation called Operation b54 to shut down Citadel botnet C&C servers. According to Microsoft, they were able to disturb over 1’400 Citadel botnets around the world by seizing more than 4’000 domain names and pointing them to a server operated by Microsoft. Technically, this is what we call “sinkholing”.

Sinkholing domain names isn’t something new; in fact this technique has been around for ages and was already used by the Conficker Working Group in their operation to hijack the Conficker botnet. The purpose of a sinkhole is for the most part the same: collecting information about infected computers that connect to the sinkhole and reporting it back to the associated network owner, so that the responsible end user can be notified about the infection and remove the malware from their computer.

These days there are many sinkholes around, most of them operated by security researchers. But there are also many commercial sinkholes out there that are used by security service providers to gather information about infected computers and sell that information to their customers. As a security researcher I spend a lot of my spare time researching botnets, and abuse.ch has been running such a sinkhole as well (in fact for years). The goal is simple: sinkhole malicious botnet domains (not limited to any specific Trojan / malware family) and report them to Shadowserver. Shadowserver, a non-profit organisation like abuse.ch, then informs the associated network owners about the infections reported by my sinkhole, in addition to infections reported by their own sinkholes and sinkholes run by other operators. In fact, every Computer Emergency Response Team (CERT), Internet Service Provider (ISP) and network owner can get a feed from Shadowserver for their country / network for free. At present, Shadowserver notifies more than 1’500 organisations and 60 national CERTs about infected computers within their responsibility.

Today, I suddenly noticed that several domain names had disappeared from my sinkhole. I started to investigate and noticed that these are now all pointing to a server in Microsoft’s network range. It was quite obvious to me what had happened. Microsoft seized not only malicious domain names operated by cybercriminals to control computers infected with Citadel, but also Citadel botnet domain names that had already been sinkholed by abuse.ch a while ago (I want to point out here that my sinkhole is appropriately tagged and clearly shows that it is actually a sinkhole of abuse.ch). I pulled down the list of Citadel domains that Microsoft seized and checked it against my sinkhole’s domain list. I was quite surprised about the result: Microsoft seized more than 300 domain names that were sinkholed by abuse.ch. I was not only surprised but also quite disappointed: Microsoft already showed similar behaviour in their operation against ZeuS last year, where they seized thousands of ZeuS botnet domains, including several hundred domain names that were already sinkholed by abuse.ch. Due to this, I set up a (non-public) Sinkhole Registry for LEA and security organisations to avoid similar situations in the future. I had hoped that Microsoft had learned their lesson, but apparently nothing has changed and my efforts didn’t change anything.

Since Citadel domain names previously sinkholed by abuse.ch have been grabbed by Microsoft, Shadowserver will not be able to report the IP addresses of infected clients calling home to these domains to the network owners any more.

Today, I talked to several other sinkhole operators and asked them about their experience with Microsoft. All of them confirmed to me that several dozen, and for some operators even hundreds of, Citadel domain names they had sinkholed have been seized by Microsoft as well. Adding the numbers together, I can say that nearly 1’000 domain names out of the ~4’000 domain names seized by Microsoft had already been sinkholed by security researchers. In fact these ~1k domain names no longer presented a threat to internet users, but were actually being used to help make the internet a better place.

Unfortunately, this is just the tip of the iceberg. When checking out Microsoft’s sinkhole, I noticed that they are actively sending out valid Citadel configuration files to the connecting bots. A sample configuration file served by Microsoft’s sinkholes looks like this:

url_loader (binary download)

entry “AdvancedConfigs” (backup config files)

This configuration file removes the blocking of AV vendor websites (so that the AV product installed on the infected computer can load the most recent definitions), but it also overwrites the main C&C configuration, including the fall-back (backup) C&C domains, with servers operated by Microsoft (microsoftinternetsafety.net):

Domain Administrator
Microsoft Corporation
One Microsoft Way
Redmond WA 98052
domains@microsoft.com +1.4258828080 Fax: +1.4259367329

Domain Name: microsoftinternetsafety.net

Registrar Name: Markmonitor.com
Registrar Whois: whois.markmonitor.com
Registrar Homepage: http://www.markmonitor.com

This way, Microsoft ensures that once a bot connects to their sinkhole it stays there and won’t try to reach out to a different C&C. In theory, this is a very good idea, and I have to say that many sinkhole operators had the same thought years ago. But unlike Microsoft, most of the sinkhole operators came to a different conclusion: sending out valid configuration files de facto changes settings of a computer without the consent or knowledge of the user (computer owner). In most countries, this violates local law.

A very important point which Microsoft either didn’t take into account or chose to ignore is potential countermeasures by the criminals. Let me give two examples:

From ZeuS-Licat (aka Murofet) to P2P ZeuS (aka ZeuSv3 aka Gameover ZeuS)

In 2011 ZeuS-Licat (also known as Murofet), a derivative of ZeuS, was using a Domain Generation Algorithm (DGA) which an infected computer (bot) used to “calculate” the current C&C domain. There was a lot of effort by security researchers and information security organisations to shut down the daily C&C domains immediately after they became active. Every domain name was listed on ZeuS Tracker as soon as it went active. Obviously, this effort popped up on the criminals’ radar quite fast. It didn’t take long for the criminals to roll out a new version of ZeuS-Licat – P2P ZeuS was born. P2P ZeuS no longer uses a central C&C infrastructure that could be sinkholed or taken down; instead it uses a sophisticated P2P technique to receive commands from the botnet herder and send stolen data to the criminals. Since the source and destination ports used by P2P ZeuS are randomized, it’s hard to detect such traffic in an ISP’s network environment, and even harder to actually block it. A network owner needs an IPS/IDS or a deep packet inspection (DPI) system to detect or block such P2P ZeuS activity.

Torpig – RSA signed C&C communication

Torpig is a highly sophisticated e-banking Trojan that has been around for years. There are various organisations out there doing sinkhole operations on the Torpig botnet. A while ago, one of these operators started to send out valid configuration files to the connecting bots, which caused the bots to stay on that specific sinkhole. This is in fact exactly what Microsoft is doing at the moment for Citadel. Of course, it was quite obvious that the criminals would implement countermeasures soon. It didn’t take long for the Torpig gang to roll out a new version of their Trojan that implemented RSA-signed C&C communication. While sinkholing is still possible, it is no longer possible to send a valid response back to the infected computer (bot) unless you know the private RSA key (which is only known to the Torpig gang).

It is common that such takedowns trigger countermeasures by the cybercriminals. Imagine: if someone breaks into houses with a baseball bat and you seize his bat, what will that person likely do next? If he wants to continue, he will just buy a new baseball bat – or maybe he will even buy a gun next time, to make it harder to take him down. When you apply this to the Citadel case, it’s obvious that the criminals using Citadel won’t stop doing cybercrime. It may even have the bad effect of criminals updating their software to prevent such takedowns from being possible in the future (e.g. by implementing P2P techniques like ZeuS-Licat or RSA-signed C&C communication like Torpig). The problem with cybercrime is that it can’t be solved by doing takedowns. It is only possible to solve this issue by implementing legislation related to cybercrime, enforcing it by getting bad actors arrested, and implementing security by design on different layers (operating system, network layer etc.).

As outlined before, Shadowserver will no longer be able to inform network owners about several thousand Citadel-infected computers because the Citadel domain names sinkholed by abuse.ch have been seized by Microsoft.

According to Microsoft, their goal was to disturb Citadel botnet operations. In my opinion their operation didn’t have any big noteworthy impact on Citadel, but rather disturbed research projects of several security researchers and non-profit organisations, including abuse.ch. In my opinion, operation b54 was nothing more than a PR campaign by Microsoft.

Follow me on Twitter: https://twitter.com/abuse_ch

Delta Airlines Spam Leads To Citadel

Today I’ve seen the following spam campaign hitting my spamtraps:

From: Delta Airlines <tickets@delta.com>
Subject: Your Order#XXXXXX – APPROVED

Dear Customer,

Your credit card has been successfully processed.

ELECTRONIC 628190172
DATE & TIME / FEB 19, 2013, 12:45 AM
ARRIVING / Washington

Please download and print your ticket from the following URL:

For more information regarding your order, contact us by visiting :

Thank you
Delta Airlines.

The hyperlink referenced in this spam campaign leads to a hijacked website that serves a ZIP archive that contains a malicious screen saver (.scr) file:

URL: http://iemvirtual.com.ar/my/pdf_delta_ticket.zip

Filename: pdf_delta_ticket.scr (pdf_delta_ticket.zip)
File size: 291’840 bytes
MD5 hash: f66358bf351e6038b9a75b2f0f01860d
Virustotal: 11 / 44

The file pdf_delta_ticket.scr contains Citadel, a derivative of the famous ZeuS banking trojan. Unlike other binaries I’ve seen being spammed recently, this binary seems to be packed using a packer that is completely VM-aware – hence it will only run on a native machine.

Once infected, the computer tries to contact several Citadel C&C servers (botnet controllers). This Citadel campaign is using various C&C servers, all located in the same subnet:

Citadel config/binary URLs:


Citadel dropzones:


They are already listed on ZeuS Tracker:

As far as I can see, this Citadel campaign currently attacks BMO Financial Group, RBC Royal Bank and CIBC. All mentioned C&C IP addresses are within the same subnet that belongs to a (likely fake) internet service provider called “Aztec ltd”:

inetnum: –
netname: ATCTEK-NET
descr: Aztec ltd.
country: RU
org: ORG-Al253-RIPE
admin-c: MRA85-RIPE
tech-c: MRA85-RIPE
mnt-lower: RIPE-NCC-END-MNT
mnt-by: MNT-ATCTEK
mnt-routes: MNT-ATCTEK
mnt-domains: MNT-ATCTEK
source: RIPE # Filtered

organisation: ORG-Al253-RIPE
org-name: Aztec ltd.
org-type: OTHER
address: Russia, Saint-Petersburg, Gangytskaya str., 14.
remarks: ***************************************
remarks: in case of ABUSE or active issues please contact us
remarks: abuse/administrative email: abuses@aztec-ltd.ru
remarks: ***************************************
remarks: All other notifications to: support@aztec-ltd.ru
abuse-mailbox: abuses@aztec-ltd.ru
mnt-ref: MNT-ATCTEK
mnt-by: MNT-ATCTEK
source: RIPE # Filtered

person: Mamarasylov Rystam Aleksandrovich
address: Russia, Saint-Petersburg, Gangytskaya str., 14.
phone: +7-901-903-43-76
nic-hdl: MRA85-RIPE
mnt-by: MNT-ATCTEK
source: RIPE # Filtered

% Information related to ‘’

descr: AZCTEK route
origin: AS199079
mnt-by: MNT-ATCTEK
source: RIPE # Filtered

When you visit their website (www.aztec-ltd.ru), you will just see the output of phpinfo(). Quite suspicious for an internet service provider, isn’t it? Aztec isn’t new to me; I’ve seen a lot of Citadel C&C and webinject servers hosted there recently, used to commit financial fraud (e-banking fraud).

Taking a look at the global BGP routing table, I see two upstream providers providing IP transit to Aztec:

[Figure: AS199079 AS path. Source: http://bgp.he.net/AS199079#_graph4]

Their first upstream is AS34109 (CB3ROB Ltd, Germany). CB3ROB gets its upstream connectivity from AS6453 (Tata Communications, India) and AS12327 (idear4business, Great Britain). Their second upstream is AS56598 (KartLand Ltd, Russia). KartLand gets its upstream connectivity from AS29226 (CJSC Mastertel, Russia). Most of these network names sound familiar to botnet researchers. AS199079 (AZCTEK) and AS56598 (KartLand) are obviously operated by cybercriminals. I recommend dropping any packets from / to those networks at your network’s edge. AS34109 (CB3ROB) and AS12327 (idear4business) have shady backgrounds; I’ve seen various botnet C&Cs hosted in their IP space. If you run your own network, you might want to look into traffic from / to these AS numbers as well:

AS199079 ATCTEK-AS Aztec ltd. (likely rogue)

AS56598 ASKARTLAND KartLand Ltd. (likely rogue)

AS34109 CB3ROB Ltd. & Co. KG (suspect)

Such spam campaigns are not uncommon; I see 1-3 of those on a daily basis. However, what is special about this specific campaign is that it wasn’t sent out by a (spam) botnet (usually Cutwail, Festi or Kelihos), but through compromised email servers. So far, I’ve seen roughly 30 sending SMTP servers (ab)used in this spam campaign.

Since the criminals are using compromised email servers, many DNSBLs fail to catch these, because most of them are focused on botnet or snowshoe spam. Hence the criminals can be sure that most of these spam mails get delivered to the victim’s mailbox.

You can protect yourself / your network from this threat by doing a few simple things:

* delta.com does have an SPF record that defines the permitted senders for this specific domain name
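The SPF check this advice relies on, as an added example that is not code from the original post: a small Python function that evaluates a record's ip4:/ip6:/all mechanisms against the address of the connecting SMTP client, so that a compromised third-party mail server claiming a delta.com sender is rejected. The SPF record and all IP addresses below are constructed for illustration and are not delta.com's real record.

```python
import ipaddress

# Constructed SPF record for illustration only; NOT delta.com's real record.
# Only the owner's two listed sender ranges may pass.
EXAMPLE_SPF = "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.10 -all"

# Result for each SPF qualifier (RFC 7208); a bare mechanism means "+".
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(record: str, sender_ip: str) -> str:
    """Evaluate the ip4:, ip6: and all mechanisms of an SPF record against the
    IP address the SMTP connection came from (not the From: header).

    Mechanisms that need DNS (include:, a, mx, redirect=) are not resolved
    here; they return 'permerror' so that an incompletely evaluated record is
    never mistaken for a pass.
    """
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # not an SPF record at all
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, value = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIERS[qualifier]  # catch-all decides the rest
        if mech in ("ip4", "ip6"):
            # Membership across address families is simply False, so an IPv4
            # client never matches an ip6: network and vice versa.
            if ip in ipaddress.ip_network(value, strict=False):
                return QUALIFIERS[qualifier]
            continue
        return "permerror"  # mechanism this evaluator cannot resolve offline
    return "neutral"  # nothing matched and no 'all' mechanism present


if __name__ == "__main__":
    # Constructed addresses: one inside the owner's range, one standing in for
    # a compromised third-party mail server used to send the spam.
    for client in ("192.0.2.77", "203.0.113.5"):
        print(client, "->", check_spf(EXAMPLE_SPF, client))
```

A receiving MTA applying the record would reject the second connection with "fail" even though the message's From: header names delta.com.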