Microsoft has come under fire for the recent takedown of the Citadel botnet, which some security researchers claim disrupted their legitimate operations while having no long-lasting impact on Internet security.
The criminal operation distributed keylogging malware that recorded the victims' usernames and passwords when logging into banking and other web sites. Losses tied to Citadel exceeded $500 million, said Microsoft.
Citadel was the seventh Microsoft-led operation against botnets. While some researchers commend the company for causing financial pain to cybercriminals, other researchers see the operations as public relations stunts that run roughshod over their work to battle botnets.
A Swiss researcher in the nonprofit organization abuse.ch said in a recent blog post that roughly a quarter of the 4,000 domain names seized by Microsoft and redirected to its server were actually pointed to the systems of researchers gathering information on Citadel.
"In my opinion, [Microsoft's] operation didn't have any big noteworthy impact on Citadel, rather than disturbing research projects of several security researchers and non-profit organizations, including abuse.ch," the unidentified researcher said. "In my opinion, Operation b54 was nothing more than a PR campaign by Microsoft."
Infected computers in a botnet use the domain names in communicating with command-and-control (C&C) servers that send back configuration files containing many settings, such as where to send stolen data. Researchers will often seize the domain names and redirect the infected computers to their servers, called sinkholes, to study the botnet.
In the case of abuse.ch, the information it gathers is handed over to another nonprofit research firm called the Shadowserver Foundation. The latter organization sends the information it receives from researchers to more than 1,500 organizations and 60 national Community Emergency Response Teams.
The data gathered by researchers include the IP addresses of infected systems. This is particularly important because organizations associated with Shadowserver can check whether any of the systems are on their networks.
Microsoft said it plans to send information from its sinkholes to "key researchers," such as Shadowserver, so victims can be notified and their computers cleaned of malware.
"As stated from the outset, the goal of this operation was to protect the public by strategically disrupting Citadel's operation, helping quickly release victims from the threat and making it riskier and more costly for the cybercriminals to continue doing business," said Richard Boscovich, assistant general counsel for Microsoft Digital Crimes Unit, on Wednesday.
Also irking some researchers are configuration files Microsoft sends to the computers of victims trapped in a botnet. In the case of Citadel, the files notified victims their systems were infected and freed the computers to download anti-virus software to remove the malware. Within the configuration files distributed by the botnet operators was a module preventing infected computers from downloading antivirus applications.
Sign up for MIS Asia eNewsletters.