Citadel plitfi botnet report

At the end of February 2013 Polish Research and Academic Computer Network and CERT Polska took over 3 domains used by one of the Citadel botnets, known as “plitfi”. All the network traffic from these domains was directed to a sinkhole server controlled by CERT Polska. Today we publish a report outlining the details of the takedown and our findings. Some of the highlights from the report are presented below.

  • This botnet was used to display fake messages that supposedly came from the victim’s bank, asking her to make a wire transfer.
  • 11 730 different machines were connecting to the sinkhole server.
  • Over 77% of all connections originated from Poland.
  • Almost all of the connections were coming either from Europe or from Japan.
  • Citadel bots were running on Microsoft Windows operating systems from Windows XP up to Windows 7.
  • The botnet used multiple proxy servers to hide real C&C servers.

The full text of the report can be found here or under the “Reports” tab.
