Online

After The Bust: How Taking Down One Botnet Killed 98 Per Cent Of Australian Wire Fraud

Microsoft’s Global Cybercrime Center is a headline-factory. For years the Center, along with its 100 internet security spooks around the world — have worked to take down fraudulent software operations, botnets and baddies compromising the privacy and security of Microsoft customers. It was one particular botnet, however, that had a profound impact on the way Australians deal with their money online. Here’s what happened after the bust.

It was called Citadel, and it was a doozy. If you’ve never heard of it, count yourself lucky.

It was a financial trojan that infected your computer and had the smarts to know when you’d be entering information into forms provided by financial institutions around the world. Once it had your information, it could be used to siphon money away from your account. It affected Australian institutions like the National Australia Bank, and had to be stopped.

Working out of the Global Cybercrime Center in Redmond, Microsoft’s Forensics team studiously researched Citadel to figure out what made it tick. Microsoft started with raw data: who was being infected, where, when and how badly. Eventually, the Cybercrime team discovered that the Citadel botnet was far more sophisticated than they had first imagined.

The creators were selling the Citadel kit on underground web forums to anyone who wanted to buy it and start scamming on their own. They also sold additional modules to the Citadel kit that would allow you to do more with your scam. The standard kit just included key logging software that would infect zombie computers and continuously ping data back to the command and control PC. The add-on kits, however, allowed scammers to intercept funds in real time from different online banking pages around the world. Another module also allowed you to perpetrate a man-in-the-middle-style attack that would spoof what the user would see on their banking screen. Fund amounts and bank balances would be manipulated so that the people who had been scammed had no idea, allowing unauthorised wire transfers more time to complete.

Researchers needed to understand this botnet, so they started mapping the infection around the world, finding that tens of millions of devices were affected around the world. Using PowerMaps in Excel, Microsoft was able to see that the most infected region in the world was Western Europe, with a line of demarcation seemingly stopping the infection dead around Russia and the Ukraine. But how did a trojan with no discernible knowledge of the world know to stop at Russia and the Ukraine, but still infect everyone else it came into contact with?

Further study revealed that the botnet wouldn’t install on the user’s computer if it figured out they had their language set to Russian Cyrillic. That meant the authors were protected from the virus, as were local law enforcement bodies. By not tipping off the locals, the scammers stood a better chance at getting away with it.

That’s when the legal team took over and started working on gathering enough evidence to show to a court. An order from a judge would allow Microsoft to intercept the command and control PC giving the botnet its instructions to scam people’s bank accounts, and in mid-2013 Microsoft did just that, severing the connection and taking control of infected computers.

It updated whitelists to allow the PCs to update their anti-virus software, and blacklisted connections back to the original command and control PCs so that users couldn’t be re-infected.

In Australia, the Citadel infection was massive. In Sydney alone, 31,700 infected computers were losing money hand over fist every single day during the infection period.

It has almost been a year since the Citadel take-down, and research into the ripple effects of the botnet have shown that in Australia alone, wire fraud was reduced by 98 per cent as a result. Every day, however, thousands of computers are still pinging Microsoft’s command and control centre for instructions on what they should do, meaning that more and more people are still infected and clicking on stupid links. So far, over $500 million has been lost to the Citadel botnet alone.

Microsoft and global law enforcement continue to chase the creators of the Citadel botnet, but at least the money is safe for now.

Luke Hopewell travelled to Seattle as a guest of Microsoft.

Product Finder

Find more great products at