February 8, 2012 By Dancho Danchev

Researchers spot Citadel, a ZeuS crimeware variant

Security researchers from “Tracking Cyber Crime” have spotted a new ZeuS crimeware variant, that’s based on the leaked ZeuS source code from last year.

Dubbed Citadel, the crimeware is positioned as a universal spyware system, whose modular nature allows cybercriminals to offer flexibly priced value-added services such as managed malware crypting, and managed web injects as a service.

Some of Citadel’s core features include:

We’re offering a great solution for creating and updating your botnet. We’re not trying to re-invent the wheel or come up with a revolutionary product. We have simply perfected the good old Zeus, making significant functionality improvements, adapting it to the survival conditions of today’s security landscape, and giving it a new name. Originally, we developed it for our own needs; during the development process, we also decided to create a “social circle” of support community, which is described later in this article.

Changes have been made both to the bot itself and to the web components.
We don’t sell “eye candy”. What you are paying for is the new functionality and coders’ motivation to support the product.

New features for the bot:

[+] Fixed VNC bug on Vista/Win7. Internet Explorer is now fully supported (there used to be a rendering problem in IE)

[+] Added support for Mozilla Firefox 7.0 (recent versions have had problems sending the reports; the problem is now fixed)

[+] Crypto-protection (the body is decrypted in memory)

[+] DNS-redirects (not through hosts). Any URL can now be blocked/redirected, undetectable by heuristics. For example, block AV servers or redirect bank pages to a different host.
!BONUS! The list of popular AV server URLs to clock is included.

[+] Software version is included in the report. The report will contain detailed information on the holder’s browser version. This can be used to imitate the holder’s settings.

[+] Extra layer of protection from trackers – Login Key.

[+] Authentication mechanism for config updates (no direct URLs). Adequate protection against established trackers.

[+] Grabber support for Google Chrome. (tested on latest versions 15.x/16.x)

[+] Inject support for Google Chrome. (tested on latest versions 15.x/16.x)

[+] Added function search caching, for faster hook setting in Chrome.

[+] Added feature: bot can run system CMD commands at startup (the CMDList section) and upload the report to server. For example, you can specify that upon installation your bot should upload the output of “ipconfig /all” or the list of all shared drives. This is a good feature to have when analyzing a company’s internal structure. (For example, you can often see bots with names like ACCOUNTANT_PC, POS_SERV, DATABASE…)

[+] Added mechanism to check the integrity of hooks in some Windows.

[+] Environment heuristic analyzer can use a stop-list to terminate undesirable software (significantly improves stealth), all popular AV products are included in the list.

[+] Small bugs have been fixed.

[+] Video grabber gives you a unique opportunity to see how your injects work “through the eyes of the holder”. Just specify the list of URLs and the recording time in seconds in the config file, and the bot will start recording video (in MKV format) as soon as the holder visits one of the URLs. Make sure your server can receive files of 10-60MB.

[+] Removed the “cookie clearing” feature, because it was messing up the machine’s fingerprint.

[+] Added support for HTTP 1.0 and extended headers (for example, the response doesn’t always look like “HTTP/1.1 200 OK”, sometimes it can be “HTTP/1.1 200 follow document”, where code 200 is followed by a couple of words), this is applicable to Firefox & Chrome

[+] Added gate generator (in case you want to place files on an intermediary host for redirect)

[+] All of Zeus’s basic functionality is included. I don’t think it needs to be listed here.

[+] Fully revamped, more user-friendly web-admin interface.

The additional modules available for purchase include, a Full-featured VNC control panel (Price: $495.00), a high-quality SOCKS checker module (Price: $49.00), executable files auto-encryption module (Price: $395.00) and a log parser module Price: $295.00. The executable files auto-encryption module works through a Jabber-based script that uses cron for encrypting received files. Compared to DIY (do-it-yourself) fashion malware crypting techniques, the service is relying on a limited set of malware cryptors, and many cybercriminals will definitely choose to avoid it, and stick to managed malware crypting services offering support for a variety of cryptors.

The moment when the source code of the most ubiquitous crimeware, ZeuS, leaked into the wild last year, changed pretty much everything. Open source malware is among the key driving forces of the growth in malware variants. From tutorials and how-to’s to easily modifiable source code, the rise of open source malware has clearly benefitted malicious cybercriminals in countless ways. F0r instance, malicious attackers would start coding their releases from scratch. Instead, they will use the leaked code as a foundation for their tools, borrowing a trick or two in the process.

Webroot’s security researchers will continue monitoring the threat landscape for for new, and emerging threats, proactively responding to both of them.

You can find more about Dancho Danchev at his LinkedIn Profile. You can also follow him on  Twitter.

Share Button
true