Skip to main content

Citadel botnet takedown (b54 operation) enters phase 2

Release Date: 20 Jun 2013 4890 Views

On June 6, 2013, HKCERT informed the public (see HKCERT joins with Microsoft and law enforcement to disrupt the Citadel botnet) that we had joined an international collaborative action, codenamed Operation b54 and initiated by Microsoft and US law enforcement, to take down the Citadel family of botnets that are responsible for stealing online banking information and personal credentials for fraudulent purposes.

 

We would like to update the progress of this operation.

 

Phase 1 -- Citadel Command and Control Centre Take Down

The phase 1 of the operation was to take down the Citadel command and control centres around the world. HKCERT had analyzed that the IP addresses of two botnet command and control centres in Hong Kong. We had passed the results of our analysis to the Hong Kong Police to follow up. As the case is now under investigation, we cannot reveal further information.

 

Phase 2 -- Citadel Bots Clean Up

On June 19, 2013, we have entered the second phase of the operation which is to identify and clean up the bots. In phase 1, Microsoft has set up some sinkholes (servers to mimic the botnet command and control centres) to collect the IP addresses of the bots attempting to connect to them. These IP addresses are then being passed to the economies which host them.

 

HKCERT has received the first batch of IP addresses of suspected Citadel bots (compromised computers) in Hong Kong - 460 in total. We are now contacting the owners of these computers or their Internet service providers. We will provide them with step-by-step instructions to check and clean up their computers.

 

If you receive a Citadel Bots Clean Up message from HKCERT, please donate your help to keep the Internet clean. If you have any query please do not hesitate to contact us via hotline (81056060) or email ([email protected]).

 

To check if your computer is infected by Citadel malware, please refer to the following article:

How to detect and remove Citadel Malware
/my_url/en/blog/13060702

 

Operation b54 is a collaborative effort of financial institution, technology companies, Internet service providers, law enforcement and computer emergency response teams (CERTs) around the world. The mission is to paralyze the infrastructure of Citadel command and control centres, to locate the infected computers and help them to rid of the malware.