The botnets in this case are plural because, while the software running the malware and the command-and-control servers is functionally the same, Microsoft claims there are at least 81 different “herders” in charge of separate networks of Citadel-infected machines. The software itself is developed and maintained by a third party known only as “Aquabox.”
Microsoft estimates that since the Citadel software surfaced in 2012, it has caused over $500 million in losses, and has affected “upwards of five million people,” according to a press release.
The Citadel malware is fairly sophisticated. According to Microsoft, its core functionality is similar to that of a traditional keylogger: it records keystrokes when someone uses an infected computer. Microsoft additionally found that Citadel blocked victims’ access to many legitimate anti-virus and anti-malware sites, so that infected users could not easily obtain the tools needed to remove the threat from their computers, according to a blog post by Richard Domingues Boscovich, Assistant General Counsel for Microsoft’s Digital Crimes Unit (DCU).
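The article does not say how Citadel blocked those sites. One common way malware does this is by rewriting the local hosts file so that security vendors’ domains resolve to a loopback or blackhole address, and that is the mechanism assumed below. The following is an added example, not code from the article or from Microsoft: it scans hosts-file text for watchlisted domains mapped to a sinkhole address. The watchlist, the sample hosts content and the function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample hosts-file content for the example (not from a real infection).
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# entries below are the kind a malicious redirect would add
127.0.0.1 www.microsoft.com
127.0.0.1 update.microsoft.com
0.0.0.0   www.symantec.com
127.0.0.1 www.mcafee.com  # trailing comment
10.0.0.5  intranet.example.local
"""

# Hypothetical watchlist of security-related domains; extend for your environment.
WATCHLIST = (
    "microsoft.com",
    "symantec.com",
    "mcafee.com",
    "kaspersky.com",
)

# hosts-file line: an address followed by one or more hostnames.
HOSTS_LINE = re.compile(r"^\s*(\S+)\s+(.+?)\s*$")


def _is_sinkhole(ip_text):
    """True if the address sends traffic nowhere useful (loopback or unspecified)."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified


def _matches_watchlist(hostname, watchlist):
    """True if hostname is a watchlisted domain or a subdomain of one."""
    host = hostname.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in watchlist)


def find_blocked_hosts(hosts_text, watchlist=WATCHLIST):
    """Return (ip, hostname) pairs where a watchlisted domain is mapped to a sinkhole address."""
    findings = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0]  # strip comments before parsing
        m = HOSTS_LINE.match(line)
        if not m:
            continue
        ip_text, names = m.group(1), m.group(2).split()
        if not _is_sinkhole(ip_text):
            continue  # a real address is not a block, whatever the name
        for name in names:
            if name.lower() == "localhost":
                continue  # the legitimate loopback entry
            if _matches_watchlist(name, watchlist):
                findings.append((ip_text, name))
    return findings


if __name__ == "__main__":
    for ip, host in find_blocked_hosts(SAMPLE_HOSTS):
        print(f"suspicious hosts entry: {ip} -> {host}")
```

To run this against a live machine, read `%SystemRoot%\System32\drivers\etc\hosts` (Windows) or `/etc/hosts` (Unix) into `hosts_text`. An empty result does not prove a clean machine: malware can also block sites through DNS settings, a proxy configuration or browser hooks, which this check does not cover.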
This is the DCU’s eighth operation, and its first working with the FBI.
The operation didn’t completely knock out Citadel, but Microsoft says this is an important first step to taking down the entire network.
“The bad guys will feel the punch in the gut,” Boscovich told Reuters.
In addition, Microsoft has sent out relevant information to cybersecurity teams worldwide in order to help them sweep up the remainder of the servers, and is working with Europol to seek out Aquabox and the herders behind Citadel.