Microsoft borks botnet takedown in Citadel snafu
Stupid Redmond kicked over our honeypots, wail white hats
Security researchers are complaining about collateral damage from the latest botnet take-down efforts by Microsoft and its partners.
The Windows 8 giant worked with financial service organisations, other technology firms and the Federal Bureau of Investigation to disrupt more than a thousand botnets.
However, this time round Redmond appears to have stepped on the toes of security researchers, killing off honeypot systems monitoring the activities of cybercrooks as well as decapitating systems linked to ongoing fraud.
Microsoft seized more than 4,000 domain names and pointed them at a server it operates, a technique known as “sinkholing”. The technique isn't new: it has been applied before, for example in attempts to seize control of the infamous Conficker botnet.
Redmond and its partners allegedly erred by seizing more than 300 Citadel domains that were sinkholed by abuse.ch (home of the Swiss Security Blog), as well as many hundreds of similar domains controlled by other security researchers, critics complain.
When you're an 800 pound gorilla you do what you want, and bugger anyone who gets in your way!

Something similar happened with a ZeuS takedown operation by Microsoft last year, when thousands of ZeuS botnet domains were seized, including several hundred domain names that were already sinkholed by abuse.ch. Previously Redmond had the reasonable excuse that there was no easy way to distinguish between domains run by crooks and domains run by security researchers.
However, the latest action comes after abuse.ch set up a (non-public) Sinkhole Registry for law enforcement and security organisations to avoid similar mixups.
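As an added illustration (not from the article, Microsoft or abuse.ch), here is the kind of deconfliction check such a registry makes possible: before a domain is seized, the address it currently resolves to is compared against the netblocks researchers have registered as sinkholes, so already-sinkholed domains are skipped rather than re-seized. Registry entries, domain names and addresses below are constructed placeholders.

```python
import ipaddress

# Constructed sample data: a private sinkhole registry of the kind abuse.ch
# describes (netblocks operated by researchers) and a takedown target list.
# Every value here is a placeholder, not a real registry entry or C2 domain.
SINKHOLE_REGISTRY = {
    "192.0.2.0/24": "abuse.ch (example)",
    "198.51.100.0/25": "other-research-sinkhole (example)",
}

# Constructed stand-in for DNS answers collected before the takedown.
RESOLVED = {
    "c2-one.example": "203.0.113.10",      # live C2, not in any registry
    "c2-two.example": "192.0.2.77",        # already sinkholed by a researcher
    "c2-three.example": "198.51.100.200",  # outside the registered /25
    "c2-four.example": "198.51.100.5",     # inside the registered /25
}


def load_registry(entries):
    """Parse registry CIDRs once; a malformed entry raises instead of being skipped."""
    return [(ipaddress.ip_network(cidr, strict=True), owner)
            for cidr, owner in entries.items()]


def classify(ip, nets):
    """Return the registry owner if `ip` sits inside a registered sinkhole, else None."""
    addr = ipaddress.ip_address(ip)
    for net, owner in nets:
        if addr in net:
            return owner
    return None


def deconflict(resolved, registry):
    """Split candidate domains into safe-to-seize and already-sinkholed."""
    nets = load_registry(registry)
    to_seize, conflicts = [], {}
    for domain, ip in resolved.items():
        owner = classify(ip, nets)
        if owner:
            conflicts[domain] = owner
        else:
            to_seize.append(domain)
    return sorted(to_seize), conflicts


if __name__ == "__main__":
    seize, skip = deconflict(RESOLVED, SINKHOLE_REGISTRY)
    print("seize:", seize)
    for domain, who in skip.items():
        print(f"skip {domain}: already sinkholed by {who}")
```

In practice the resolution step would be a live DNS lookup and the registry would be the non-public list itself; the comparison logic is the same.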
"I had hoped that Microsoft had learned their lesson, but apparently nothing has changed and my efforts didn’t change anything," the unnamed researcher at abuse.ch laments.