Shadowserver is a non-profit organization like abuse.ch, informs the associated network owners about the infections reported by my sinkhole, in addition to infections reported by their own sinkholes and sinkholes run by other operators.
Every Computer Emergency Response Team (CERT), Internet Service Provider (ISP) and network owner can get a feed from Shadowserver for their country / network for free. Shadowserver notifies more than 1,500 organizations and 60 national Computer Emergency Response Team (CERT) about infected computers within their responsibility. ( as reported by abuse.ch news)
The recent industry news of Microsoft Digital Crimes Unit (DCU) taking down Citadel botnet Operation b54 sounded exciting for most Security folks. But it has created a uneasiness, intact angry amount a lot of Security researchers across the globe. As per DCU , they disturbed over 1400 Citadel botnets around the world by seizing more than 4000 domain names and pointing them to a server operated by Microsoft. In fact this is “sinkholing”.
Sink-holing is used industry wide for research reasons. This is a way to collect intelligence and analyze infected systems to understand the bad behavior. Most of them receive a lot of intelligence from abuse.ch research possibly from sinkhole.
ABUSE.CH wrote :
“Today, I’ve suddenly noticed that several domain names disappeared from my sinkhole. I started to investigate and noticed these are now all pointing to a server in Microsoft’s network range (199.2.137.0/24). It was quite obvious to me what had happened. Microsoft seized not only malicious domain names operated by cybercriminals to control computers infected with Citadel, but also Citadel botnet domain names that had already been sinkholed by abuse.ch awhile ago (I want to outline here that my sinkhole is appropriately tagged and clearly shows that it is actually a sinkhole of abuse.ch). I pulled down the list of Citadel domains that Microsoft seized and checked it against my sinkhole’s domain list. I was quite surprised about the result: Microsoft seized more than 300 domain names that where sinkholed by abuse.ch. I was not only surprised but also quite disappointed: Microsoft already showed similar behaviour in their operation against ZeuS last year were they seized thousands of ZeuS botnet domains, including several hundred domain names that were already sinkholed by abuse.ch. Due to this, I’ve set up a (non-public) Sinkhole Registry for LEA and security organisations to avoid similar situations in the future. I had hoped that Microsoft had learned their lesson, but apparently nothing has changed and my efforts didn’t change anything.”
Today, I’ve talked to several other sinkhole operators asking them about their experience with Microsoft. All of them confirmed to me that several dozens and for some operators even hundreds of Citadel domain names they had sinkholed have been seized by Microsoft as well. Calculating the numbers together, I can say that nearly 1’000 domain names out of the ~4’000 domain names seized by Microsoft had already been sinkholed by security researchers. In fact these ~1k domain names did no longer present a threat to internet users, but were actually used to help to make the internet a better place.
Unfortunately, this is just the tip of the iceberg. When checking out Microsoft’s sinkhole, I noticed that they are actively sending out valid Citadel configuration files to the connecting bots. A sample configuration file served by Microsoft’s sinkholes looks like this ”
Apparently Microsoft has been careless about this operation which has created a negative impact amountg Security researchers. The real value of this botnet disruption is still questionable. Either it can be a media hype or a small amount of disruption has taken place. Probably the analysts working behind such operations may not be experienced enough to understand how does this kind of operation negatively impact globally. Microsoft fails once again with negligence.
The entire article with details can be found here
