Citadel plitfi botnet report

Date of publication: 15/04/2013, CERT Polska

At the end of February 2013 the Polish Research and Academic Computer Network (NASK) and CERT Polska took over 3 domains used by one of the Citadel botnets, known as “plitfi”. All network traffic destined for these domains was redirected to a sinkhole server controlled by CERT Polska. Today we publish a report outlining the details of the takedown and our findings.

Some of the highlights from the report are presented below.

    • This botnet was used to display fake messages that supposedly came from the victim’s bank, requiring the victim to make a wire transfer.
    • 11 730 different machines were connecting to the sinkhole server.
    • Over 77% of all connections originated from Poland.
    • Almost all of the connections were coming either from Europe or from Japan.
    • Citadel bots were running on Microsoft Windows operating systems from Windows XP up to Windows 7.
    • The botnet used multiple proxy servers to hide real C&C servers.
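The statistics above (unique machines, share of connections per country, operating system distribution) are the kind of figures a sinkhole operator derives from the connection logs of the sinkhole server. The script below is an added illustration of that aggregation, not CERT Polska's tooling and not data from the report: the log line format, the field order and the sample lines are all constructed for this example. Machines are counted by bot identifier rather than by source IP, because several infected hosts behind one NAT gateway share an address.

```python
"""
Aggregate constructed sinkhole connection logs into botnet statistics.

Assumed log format (one connection per line, space separated):
    <ISO timestamp> <client IP> <country code> <bot id> <OS string>
The OS string is assumed to be a "Windows NT <major.minor>" token as
reported by the bot; the mapping to product names uses the standard
NT version numbers (5.1 = XP, 6.0 = Vista, 6.1 = Windows 7).
"""
from collections import Counter
from dataclasses import dataclass

# Constructed sample log (not real sinkhole data). Includes repeat
# connections from the same bot and one malformed line to skip.
SAMPLE_LOG = """\
2013-03-01T10:00:01Z 192.0.2.10 PL BOT-A1 Windows NT 5.1
2013-03-01T10:00:05Z 192.0.2.10 PL BOT-A1 Windows NT 5.1
2013-03-01T10:01:09Z 192.0.2.44 PL BOT-B7 Windows NT 6.1
2013-03-01T10:02:33Z 198.51.100.7 JP BOT-C3 Windows NT 6.0
2013-03-01T10:03:00Z 203.0.113.5 DE BOT-D9 Windows NT 6.1
2013-03-01T10:03:41Z 192.0.2.44 PL BOT-B7 Windows NT 6.1
malformed line that should be skipped
"""

NT_VERSIONS = {
    "5.1": "Windows XP",
    "5.2": "Windows XP x64 / Server 2003",
    "6.0": "Windows Vista",
    "6.1": "Windows 7",
}


@dataclass(frozen=True)
class Connection:
    ts: str
    ip: str
    country: str
    bot_id: str
    nt_version: str


def parse_log(text: str) -> list[Connection]:
    """Parse the assumed log format; malformed lines are skipped, not fatal."""
    conns = []
    for line in text.splitlines():
        parts = line.split(maxsplit=4)
        if len(parts) != 5 or not parts[4].startswith("Windows NT "):
            continue
        ts, ip, cc, bot_id, os_string = parts
        conns.append(Connection(ts, ip, cc, bot_id, os_string[len("Windows NT "):]))
    return conns


def summarize(conns: list[Connection]) -> dict:
    """Compute the headline figures from a list of sinkhole connections."""
    total = len(conns)
    # Unique machines are keyed on bot id, not IP: hosts behind NAT share an IP
    # and a single host may change address between connections.
    unique_bots = {c.bot_id for c in conns}
    by_country = Counter(c.country for c in conns)
    country_share = {cc: round(100 * n / total, 1) for cc, n in by_country.items()}
    # OS distribution per machine, so chatty bots do not skew the picture.
    os_by_bot = {c.bot_id: c.nt_version for c in conns}
    os_distribution = Counter(NT_VERSIONS.get(v, "unknown") for v in os_by_bot.values())
    return {
        "connections": total,
        "unique_bots": len(unique_bots),
        "country_share": country_share,
        "os_distribution": dict(os_distribution),
    }


if __name__ == "__main__":
    for key, value in summarize(parse_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

On the constructed sample the script reports 6 connections from 4 distinct bots, two thirds of the connections from PL, and a per-machine OS split of one XP, one Vista and two Windows 7 hosts; the same approach scales to the tens of thousands of machines seen in a real sinkhole.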

The full text of the report can be found here or under the “Reports” tab.