Citadel plitfi botnet report
At the end of February 2013 Polish Research and Academic Computer Network and CERT Polska took over 3 domains used by one of the Citadel botnets, known as “plitfi”. All the network traffic from these domains was directed to a sinkhole server controlled by CERT Polska. Today we publish a report outlining the details of the takedown and our findings. Some of the highlights from the report are presented below.
- This botnet was used to display fake messages, that were supposedly coming from the victim’s bank, requiring her to make a wire transfer.
- 11 730 different machines were connecting to the sinkhole server.
- Over 77% of all connections originated from Poland.
- Almost all of the connections were coming either from Europe or from Japan.
- Citadel bots were running on Microsoft Windows operating system starting from Windows XP up to Windows 7.
- The botnet used multiple proxy servers to hide real C&C servers.