Microsoft's botnet takedown criticised
Posted by: TimW on 06/12/2013 03:36 PM
We reported on Microsoft's takedown of 1462 botnets a few days ago. Since then, questions have been raised about the collateral damage caused by the takedown as well as about its effectiveness. A Swiss security researcher, abuse.ch, reported that, of the domains neutralised by Microsoft, an estimated 25% were sinkholes operated by security researchers. Sophos also states that, according to a snapshot of 72 Citadel C&C servers, over 50% were not listed by Microsoft for takedown, 29% were listed and sinkholed, while 20% were left apparently untouched despite being listed.
A sinkhole is a technique in which a command-and-control domain for a botnet is redirected to a server under the control of a security researcher. The researcher can then measure the traffic and activity of the botnets associated with that domain. Microsoft sinkholed the domains it had collated and redirected them to its own servers. This appears to have included not only domains already sinkholed by abuse.ch but also ones belonging to other security researchers. The bots connecting to Microsoft's sinkhole appear to be receiving valid configuration files which remove the blocking of anti-virus domains, allowing the systems to update their AV and, hopefully, remove the bot malware.
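The two measurements the article relies on, the Sophos snapshot that sorts C&C domains into "not listed", "listed and sinkholed" and "listed but untouched", and the research-sinkhole view that counts infected hosts by the domains they call home to, can both be reproduced from a before/after DNS snapshot and a sinkhole connection log. The script below is an added example, not code from the article, Microsoft, abuse.ch or Sophos; every domain, address range and log line in it is constructed (placeholder `.example` names and RFC 5737 documentation addresses), and the assumption that an operator's sinkhole and independent research sinkholes live in known, distinct address ranges is the analyst's own.

```python
"""Classify C&C domains after a takedown and count bots seen at a sinkhole.

Added example with constructed data. Assumptions: the takedown operator's
sinkhole and the independent research sinkholes sit in known address ranges
(placeholders below), and a post-takedown DNS snapshot of every observed
C&C domain is available.
"""
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Assumed sinkhole ranges (RFC 5737 documentation space, not real infrastructure).
TAKEDOWN_SINKHOLE = ip_network("192.0.2.0/24")     # takedown operator's sinkhole
RESEARCH_SINKHOLE = ip_network("198.51.100.0/24")  # independent researchers' sinkholes

# Constructed takedown list: domains named in the order.
LISTED_FOR_TAKEDOWN = {"cc1.example", "cc2.example", "cc3.example", "cc4.example"}

# Constructed DNS snapshot taken before the takedown.
PRE_SNAPSHOT = {
    "cc1.example": "203.0.113.10",  # live criminal C&C
    "cc2.example": "198.51.100.5",  # already a research sinkhole
    "cc3.example": "203.0.113.11",
    "cc4.example": "203.0.113.12",
    "cc5.example": "203.0.113.13",  # never on the takedown list
    "cc6.example": "203.0.113.14",
}

# Constructed DNS snapshot taken after the takedown.
POST_SNAPSHOT = {
    "cc1.example": "192.0.2.7",     # listed and sinkholed by the operator
    "cc2.example": "192.0.2.8",     # research sinkhole overwritten (collateral)
    "cc3.example": "203.0.113.11",  # listed but apparently untouched
    "cc4.example": "192.0.2.9",
    "cc5.example": "203.0.113.13",
    "cc6.example": "203.0.113.14",
}

# Constructed research-sinkhole connection log: "<timestamp> <bot_ip> <domain>".
SINKHOLE_LOG = """\
2013-06-10T12:00:01Z 203.0.113.50 cc1.example
2013-06-10T12:00:02Z 203.0.113.51 cc1.example
2013-06-10T12:00:03Z 203.0.113.50 cc1.example
2013-06-10T12:00:04Z 203.0.113.52 cc2.example
"""


def classify(domain, listed, pre, post):
    """Return (bucket, collateral) for one domain.

    bucket is one of "not_listed", "listed_sinkholed", "listed_untouched";
    collateral is True when a research sinkhole was replaced by the
    operator's sinkhole.
    """
    pre_ip = ip_address(pre[domain])
    post_ip = ip_address(post[domain])
    collateral = pre_ip in RESEARCH_SINKHOLE and post_ip in TAKEDOWN_SINKHOLE
    if domain not in listed:
        return "not_listed", collateral
    if post_ip in TAKEDOWN_SINKHOLE:
        return "listed_sinkholed", collateral
    return "listed_untouched", collateral


def summarize(listed, pre, post):
    """Bucket counts, percentage shares and the list of overwritten sinkholes."""
    counts = Counter()
    collateral = []
    for domain in sorted(post):
        bucket, hit = classify(domain, listed, pre, post)
        counts[bucket] += 1
        if hit:
            collateral.append(domain)
    total = len(post)
    percent = {b: round(100 * n / total, 1) for b, n in counts.items()}
    return {"counts": dict(counts), "percent": percent, "collateral": collateral}


def count_bots(log_text):
    """Unique bot addresses per C&C domain seen at a sinkhole (activity measure)."""
    bots = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _timestamp, bot_ip, domain = line.split()
        bots[domain].add(ip_address(bot_ip))
    return {domain: len(addrs) for domain, addrs in bots.items()}


if __name__ == "__main__":
    report = summarize(LISTED_FOR_TAKEDOWN, PRE_SNAPSHOT, POST_SNAPSHOT)
    for bucket, n in sorted(report["counts"].items()):
        print(f"{bucket:17s} {n} ({report['percent'][bucket]}%)")
    print("research sinkholes overwritten:", report["collateral"])
    print("bots per domain at research sinkhole:", count_bots(SINKHOLE_LOG))
```

On the constructed data the report shows three listed-and-sinkholed domains, one listed-but-untouched domain and two that the order never named, with `cc2.example` flagged as a research sinkhole the takedown overwrote; the log count shows how a researcher who loses a sinkhole domain also loses the ability to enumerate the infected hosts behind it.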
The abuse.ch researcher believes that this move by Microsoft will only lead the cyber-criminals behind the botnets to come back with more effective defences for their botnets. In the meantime, the Shadowserver Foundation, to whom the abuse.ch researcher's data was passed, will be unable to report on "several thousand Citadel infected computers".