Microsoft has said that it has “liberated” two million PCs worldwide from Citadel botnets after an action on June 5 which targeted 1,400 networks around the world. Citadel botnets had stolen $500 million from bank accounts in 90 countries around the world by installing keylogger software on millions of machines.
"We have liberated at least 2 million PCs globally. That is a conservative estimate," said Richard Domingues Boscovich, assistant general counsel with Microsoft's Digital Crimes Unit. Boscovich said that while the action had not eliminated all the Citadel botnets around the world, "We feel confident that we really got most of the ones that we were after. It was a very, very successful disruptive action."
Microsoft’s Digital Crimes Unit is still working to determine how many botnets are still operational, according to a report by Reuters.
Boscovich said that most of the infected machines were in the United States, Europe and Hong Kong. Microsoft said that the malware spread along with pirated versions of Windows. Police forces including the FBI and Europol are still investigating.
Boscovich said in an earlier interview that a suspected ringleader known as “Aquabox” is still at large, and is suspected to be from Eastern Europe. Aquabox is suspected to have led a team of at least 80 "bot herders" who controlled the networks.
Infected machines had been blocked from visiting many legitimate antivirus/anti-malware sites, meaning that the infection was hard to remove.
The action involved law enforcement worldwide. Working with banking organisations in the U.S., Microsoft filed a civil suit against the operators of the Citadel botnet. On June 5, the company received authorization from the U.S. District Court for the Western District of North Carolina to cut off communication between 1,462 networks and millions of infected machines.