Thursday, December 1, 2022
Courthouse News Service

Botnet Genius Stole $500 Million in Global Scam, Microsoft Says

(CN) - A computer mastermind and 81 henchmen control "Citadel Botnets" that have infected computers worldwide and stolen as much as $500 million from users, Microsoft claims in a federal RICO complaint.

Microsoft sued "John Does 1-82, controlling a computer botnet thereby injuring Microsoft and its customers," in Charlotte, N.C. Federal Court.

Microsoft filed the sealed complaint on May 29; it became public on June 5 after a judge granted a civil seizure warrant that resulted in an FBI bust that took down 1,462 Citadel botnets in North Carolina, Pennsylvania and New Jersey, according to a report on C/

In its complaint, Microsoft accuses the defendants of fraud, racketeering, trademark infringement, trespass, conversion, unjust enrichment and violating three federal computer laws and North Carolina computer laws.

A botnet is a network of computers running malware that receives instructions from another computer. End users unwittingly become infected with the malware by interacting with a malicious website ad or email attachment or by downloading malicious software.

Once installed on an unsuspecting user's computer, the malware executes code causing the computer to become part of the botnet - making the computer capable of sending and receiving communications, code and instructions to and from other botnet computers.

"Criminal organizations and individual cyber criminals often create, control, maintain and propagate botnets in order to carry out misconduct that harms others' rights," Microsoft says in the 46-page complaint. "They use botnets because of botnets' ability to support a wide range of illegal conduct, their resilience against attempts to disable them and their ability to conceal the identities of the malefactors controlling them. The controllers of a botnet will use an infected end-user computer for a variety of illicit purposes unknown to the end user. A computer in a botnet, for example, may be used to:

"a. carry out theft of credentials and information, fraud, computer intrusions or other misconduct;

"b. anonymously send unsolicited bulk email without the knowledge or consent of the individual user who owns the compromised computer;

"c. deliver further malicious software that infects other computers, making them part of the botnet as well; or

"d. 'proxy' or relay internet communications originating from other computers in order to obscure and conceal the true source of those communications. Botnets provide a very efficient general means of controlling a huge number of computers and targeting any action internally against the contents of those computers or externally against any computer on the Internet."

The Citadel botnets primarily steal account credentials for online banking websites. When Citadel malware infects a user's computer, the software finds the user's online banking credentials, gets into the user's bank account and steals financial information - and money.

Microsoft says the Citadel botnets use software code and infrastructure similar to their progenitor, the Zeus botnet. It claims that Citadel's developer - John Doe 1 - has operated in Internet anonymity for years, selling botnet code on the web as "builder kits" that allow others to infect end users and steal financial information.

"Depending on the level of sophistication in particular versions and the level of support and customization provided, the code may cost from approximately $2,400 or more for comprehensive or tailored versions. These kits contain software that enable other defendants to generate executable botnet code, configuration files and web server files that they deploy on command and control servers," Microsoft says in its complaint.


Microsoft claims the first Citadel botnet code emerged in January 2012. Since then it has evolved several times as developers added features to fend off attempts to analyze and disable the botnet.

"John Doe 1 provides a high degree of after-sales service to the other defendants. Using a customer relationship management tool called 'Citadel CRM,' which is provided over the Internet by John Doe 1, John Does 2 through 82 communicate with John Doe 1 and with each other regarding updates to Citadel code, support with technical problems and best practices in deploying, running and defending their Citadel botnets. Using Citadel CRM, the other defendants can report problems, propose and suggest and vote on new features, and exchange ideas and best practices with other Citadel botnet operators. Using Citadel CRM, John Doe 1 solicits or proposes new feature ideas for Citadel and John Does 2 through 82 can vote on which feature or features they would like John Doe 1 to implement, and can offer whatever price they would pay John Doe 1 to induce him to do the work. John Does 1 through 82 actively collaborate, day to day, on the development and operation of Citadel," Microsoft says in the complaint.

By way of example, Microsoft claims that John Doe 1 proposed giving the Citadel bots their own antivirus capabilities - by cleaning off competing malware, to avoid detection and deletion - and asked the other defendants to vote on the idea and offer a price for the work.

Microsoft says Doe 1 responds quickly to problems with Citadel.

"John Doe 1 has been swift to add new features and fix bugs and has released multiple versions on a fast schedule to provide the Citadel botnet operators with the latest updates. The fast pace of updates demonstrates the intensity and the amount of work being done to make Citadel a robust instrument for cybercrime, and the level of cooperation between the Citadel developers and their customers. In the first six months that Citadel was available, John Doe 1 released five versions of the build kit," Microsoft says in the complaint.

Microsoft says its injuries occurred when the defendants built the Citadel bot for the Windows XP system by using a counterfeit product key.

"Upon information and belief, defendants have conspired to and have knowingly and with intent to defraud used a counterfeit access device in the form of a Windows XP product key to install and activate an unauthorized copy of Windows XP in order to produce the necessary Citadel botnet software operated by defendants," the complaint states.

"Defendants have used the counterfeit access code to install and activate numerous unauthorized copies of Windows XP in order to establish a common programmatic environment so that other defendants can craft and compile the necessary Citadel botnet software for use in the Citadel botnet, and in furtherance of their common financial goal of obtaining unauthorized access.

"Defendants have conspired to and have knowingly and with intent to defraud trafficked in thousands of unauthorized access devices in the form of stolen passwords, bank account numbers and other account login credentials through the Citadel botnets created and operated by defendants.

"Defendants have used the Citadel botnets to steal, intercept and obtain this access device information from tens of thousands of individuals using falsified web pages, and have then used these fraudulently obtained unauthorized access devices to steal millions of dollars from individuals' accounts."


To do this, Citadel creators built a two-tier structure. The infection tier consists of 2 million to 5 million infected end-user computers under the control of a Citadel bot, dedicated to stealing users' financial and personal information.

The command and control tier consists of specialized computers running specialized software. Using servers purchased or leased by the defendants, the computers in this tier control the infected computers, sending and receiving information throughout the Citadel botnet.

"The Citadel-infected end user computers - the bots - are caused by the Citadel malware running on them to periodically connect over the Internet to one or more command and control servers, approximately every 20 minutes. The bots download updates and instructions from, and upload information to, these servers. By updating the instructions placed on the command and control servers, Citadel botnet operators are able to communicate with and control the Citadel-infected end user computers. Servers in the command and control tier include the servers at the domain names and IP addresses [identified by Microsoft]," according to the complaint.
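The fixed check-in interval the complaint describes is also what a defender can look for: a host that contacts the same domain at a near-constant cadence stands out from human browsing. The beacon detector below is an added example, not code from the article, the complaint or Microsoft; the simplified proxy-log format, the hostnames and the domains are all constructed for the demonstration.

```python
"""Periodic-beacon detector over a simplified web-proxy log (added example).

Flags (host, domain) pairs whose connections recur at a near-constant
interval, such as the roughly 20-minute check-in the complaint describes.
Log format "<ISO time> <client host> <destination domain>" is assumed."""
from collections import defaultdict
from datetime import datetime
from statistics import median, pstdev

# Constructed sample log: ws-17 beacons every ~20 min to one domain and
# browses mail irregularly; ws-22 has too few hits to judge.
SAMPLE_LOG = """\
2013-06-01T09:00:12 ws-17 updates.example-cdn.test
2013-06-01T09:00:41 ws-17 mail.example.test
2013-06-01T09:12:03 ws-17 mail.example.test
2013-06-01T09:20:15 ws-17 updates.example-cdn.test
2013-06-01T09:40:09 ws-17 updates.example-cdn.test
2013-06-01T09:47:55 ws-17 mail.example.test
2013-06-01T10:00:14 ws-17 updates.example-cdn.test
2013-06-01T10:02:30 ws-17 mail.example.test
2013-06-01T10:20:11 ws-17 updates.example-cdn.test
2013-06-01T10:40:13 ws-17 updates.example-cdn.test
2013-06-01T10:58:30 ws-17 mail.example.test
2013-06-01T09:05:00 ws-22 updates.example-cdn.test
2013-06-01T09:45:00 ws-22 updates.example-cdn.test
"""


def parse_log(text):
    """Return {(host, domain): [datetime, ...]} with times sorted."""
    seen = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, domain = line.split()
        seen[(host, domain)].append(datetime.fromisoformat(ts))
    for times in seen.values():
        times.sort()
    return seen


def find_beacons(text, expected_minutes=20.0, tolerance=0.25,
                 max_jitter=0.15, min_hits=5):
    """Return [(host, domain, median_gap_minutes)] for pairs that beacon.

    A pair is flagged when it has at least min_hits connections, the
    median gap is within `tolerance` of expected_minutes, and the gaps
    are tight (population std dev / median <= max_jitter)."""
    hits = []
    for (host, domain), times in parse_log(text).items():
        if len(times) < min_hits:
            continue
        gaps = [(b - a).total_seconds() / 60 for a, b in zip(times, times[1:])]
        med = median(gaps)
        jitter = pstdev(gaps) / med if med else float("inf")
        if abs(med - expected_minutes) <= tolerance * expected_minutes \
                and jitter <= max_jitter:
            hits.append((host, domain, round(med, 2)))
    return hits


if __name__ == "__main__":
    for host, domain, minutes in find_beacons(SAMPLE_LOG):
        print(f"{host} -> {domain}: checks in every ~{minutes} min")
```

Legitimate updaters also poll on fixed schedules, so a flagged pair is a triage lead to be checked against the destination's reputation, not a verdict on its own.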

Microsoft says its injuries stem from John Doe 1's scheme of building Citadel on the company's Windows XP platform.

"John Doe 1 urges his customers to build the bot code on computers running Windows XP. This ensures that all Citadel bots are built in a common environment, making it easier for John Doe 1 to test the Citadel build kits. In order to provide his botnet customers with access to Windows XP without having to pay Microsoft for it, John Doe 1 provides a stolen version of Windows XP as well as a stolen product key," Microsoft says in the complaint.

It cites a section taken from a Citadel build kit manual that includes a link to the corporate edition of Windows XP and "a stolen product key for that copy."

Microsoft claims that Citadel abuses the Microsoft trade name to entice end users to download its malware. The defendants send spam emails disguised as legitimate email from Microsoft, financial institutions and other organizations, with links that install the malicious Citadel software, Microsoft says in the complaint.

"Once an end user connects to the website where the Citadel downloader is staged, a highly specialized piece of software also staged on that website known as an 'exploit pack' probes the user's computer for vulnerabilities such as might be found in an out-of-date, unpatched operating system. If a vulnerability is found, the exploit pack will download the Trojan onto the end user's computer. This will result in the installation of the Citadel bot on the end user's computer. From that point forward, the end user's computer and the Microsoft Windows operating system running on the computer are secretly controlled by the operator of the Citadel botnet. The software and computer are used to carry out malicious activity," according to the complaint.

It continues: "After it is installed, a Citadel bot is programmed to contact one to five command and control computers on the internet. These are referred to as the 'base domains' because they are the first domains that a Citadel bot will attempt to contact, and they are included in the original bot executable generated by the Citadel builder kit. By studying many thousands of Citadel bots, Microsoft has developed a list of these base domains.


"When a Citadel bot establishes contact with one of these base domains, the bot will download an encrypted configuration file from it. Citadel configuration files contain various types of information which will control the operation of the bot on the end user's computer. By changing the configuration files, the operators of Citadel can control the operation of the infected end user computers."

Citadel's config files contain all the information the bot needs to steal money, Microsoft says - including a list of targeted financial institutions. The Citadel bot monitors all Internet connections made by the infected user, waiting for the user to connect to one of the banks on the list.

Microsoft says dozens of financial institutions have been targeted by Citadel worldwide, but most of the thefts are aimed at U.S.-based banks. Microsoft claims that configuration files show that Charlotte-based Bank of America had been hit by Citadel 5,729 times.

Wells Fargo, Chase, Citibank, American Express and U.S. Bank also top the list of U.S.-based institutions targeted by Citadel, Microsoft says.

Citadel is a moving target, since its command and control servers are replaced with new ones every six to eight weeks. The Citadel configuration file also contains information that keeps the bot from attacking users and banks in Russia and Ukraine.

"It is commonly believed that the creators of Citadel include this information to keep Citadel botnets from being active in the countries in which they operate, so as to avoid provoking law enforcement action against themselves," Microsoft says in the complaint.

Citadel can deploy new config files almost instantaneously in the event of an attack on the botnet infrastructure, since the bots check in with the command and control servers every 20 minutes. The bots keep infected computers from accessing websites associated with anti-virus software, Microsoft says.

"If a user attempts to connect to a website from which to download antivirus software, Citadel will block that. When the Citadel bot detects an attempt to connect to an antivirus website, it will hijack and redirect the user's browser. This keeps any antivirus software on the user's computer from receiving updates, and it prevents victims from being able to visit antivirus or other security sites to download removal tools and obtain mitigation advice," Microsoft says in the complaint.

Meanwhile, the Citadel bot sets out to do what it was created to do: steal money from infected users. When it detects that a user is accessing a financial institution website, Microsoft says, the bot might log keystrokes to get passwords or capture screenshots or take video of the user's account pages - all of which is uploaded to the botnet operator, who then raids the user's account.


Other Citadel ploys are even more nefarious.

"In a variation of the basic attack, the Citadel bot running on the infected end user computer can use a technique called a 'web inject' to extract more sensitive information from the user. In a web inject attack, the Citadel bot alters the appearance of the web page of the financial institution as it is displayed in the end user's browser. In essence, the Citadel bot takes control of the user's browser, and instead of allowing the browser to provide an accurate rendering of the website to which the user has connected, it causes the browser to change what the user sees. It does this by 'injecting' additional code into the website code that the browser is rendering in a displayable format for the user. For example, if the real website asks only for a login ID and password, the bot can extend it through a web inject attack and ask for additional information such as Social Security number, birth date, mother's maiden name and other such information typically used to answer security questions. Citadel is capable of exploiting various browsers in this manner, including Microsoft Internet Explorer, Google Chrome and Mozilla Firefox," the complaint states.

Citadel's attacks can be complex enough to hijack an infected user's browser and display a completely fake version of the bank's website.

"To do this, it first hijacks the user's browser to keep it from connecting to the real website of the financial institution. It then contacts a command and control server and downloads a template for the website of the financial institution and displays that to the user, or connects the user to a fake website. The user, believing he is connected to the real website of the financial institution, proceeds as normal. However, while the user types in his real account access information such as login ID and password into the fake website, the botnet operator can access his accounts on the real website. Altered account information from the real website can be reflected back to the user looking at the false website so as to maintain the ruse until the theft is complete. To complete the theft, the botnet operator can alter the transactions performed on the real website by, for example, changing withdrawal amounts and changing information related to where the money is to be sent. The botnet operators repeatedly misuse the trademarks of financial institutions on these fake online banking websites in order to confuse and mislead victims. This makes it nearly impossible for users to detect the attacks," Microsoft says in its complaint.

Botnet operators use Citadel to remotely access and operate victims' computers, connecting to their bank accounts and, using the information gleaned from the victims, emptying them.

"The malicious software is specifically designed to allow defendants to conduct this malicious activity without revealing any evidence of the fraud to the end user, Microsoft, the financial institutions or other victim websites until it is too late for the user or owners of these websites to regain control over funds or stolen information. For example, to avoid alerting the end user to the activity being conducted remotely via his own computer, the Citadel bot has a command to turn off any sounds (e.g., beeps or clicks) that the end user's computer might otherwise make while being operated remotely," the complaint states.

Computers infected with the Citadel bot are more susceptible to other malware infections. Some versions of Citadel enlist infected computers in a mass attack on other websites, known as a distributed denial of service (DDoS) attack.

"In a DDoS attack, thousands of infected end user computers connected to the Internet are marshaled by the botnet operator to simultaneously and continuously attempt to connect to the targeted website. This will make it impossible for legitimate customers to connect to the website, and such attacks are frequently used to extort money from businesses or to exact revenge. Citadel botnet operators also time DDoS attacks on financial institutions to divert the attention of the bank away from a theft that is occurring or has occurred," Microsoft says in the complaint.

Citadel damages Microsoft's and its customers' computers and software. The malware makes changes at the deepest levels of the operating system, disabling the Windows firewall, removing Microsoft Security Essentials and rewriting the Windows registry.

"Once infected, altered and controlled by Citadel, the Windows operating system and Internet Explorer browser cease to operate normally and are now tools of deception and theft aimed at the owner of the infected computer. Yet they still bear the Microsoft Windows and Internet Explorer trademarks. This is obviously meant to and does mislead Microsoft's customers and it causes extreme damage to Microsoft's brands and trademarks. Customers are usually unaware of the fact that their computers are infected and have become part of the Citadel botnet. Even if aware of the infection, they often lack the technical resources or skills to resolve the problem, allowing their computers to be misused indefinitely. Even with professional assistance, cleaning an infected end user's computer can be exceedingly difficult, time consuming and frustrating," Microsoft says in the complaint.

Although Microsoft called last week's operation with the FBI its "most aggressive botnet operation to date," it says it wasn't able to shut down Citadel - which it estimates has hit 5 million people in more than 90 countries.

"However, we do expect that this action will significantly disrupt Citadel's operation, helping quickly release victims from the threat and making it riskier and more costly for the cybercriminals to continue doing business," Richard Domingues Boscovich, assistant general counsel in Microsoft's Digital Crimes Unit, wrote in a blog post.

Boscovich said that Windows Vista, Windows 7 and Windows 8 have measures in place to protect against use of fraudulent product keys created by cybercriminals' key generators.

Microsoft seeks an order enjoining the Doe defendants from further deployment of the Citadel bots, the isolation and securing of the botnet infrastructure, damages, and an order disgorging the defendants' profits.

Microsoft is represented by Neil T. Bloomfield with Moore & Van Allen, of Charlotte, N.C.
