FRAUD REPORT
CITADEL TROJAN OUTGROWING ITS ZEUS ORIGINS
May 2012

As of April 30th, 2012, the Citadel Trojan was at its fourth upgrade, with version 1.3.4.0 already in the hands of its customers. Citadel's features, bug fixes and added modules (each priced separately) have long gone beyond what Zeus ever offered, as Slavik's zeal for developing the malware died down when law enforcement got too close for the Trojan creator's comfort.

It is already very clear that Citadel is the new Zeus in more ways than one: it was based on the Zeus code, and its functions go well beyond those of any crimeware kit to date. More importantly, it is the only commercial malware in the cybercrime arena being aggressively marketed to criminals at this time, and quite logically, Citadel is slowly but surely converting Zeus operators and bringing them over to its ranks, further eroding Zeus's market share.

Putting oneself in the shoes of a cybercriminal who has just decided to begin botherding, what would the first thing on the to-do list be? How about seeking out a crime kit that provides technical set-up, support, CRM, updates and an in-depth understanding of cybercrime? It has to be commercially available (check), and its developers have to be serious and responsive (check as well). In a Jeopardy game, the obvious reply would be "What is Citadel?"

CITADEL: WHAT REALLY CHANGED SINCE ZEUS V2?

RSA researchers have been analyzing variants of the Citadel Trojan, separating the hype from the factual changes, that is, the parts of Citadel that are written differently from its base code, Zeus v2.0.8.9.
The following are the main changes observed to date:

| Feature added | Basic detail |
|---|---|
| Trojan's encryption method | Citadel uses a more sophisticated encryption method for bot-to-C&C communication, combining a hardcoded key, RC4 and AES[1] |
| Local pharming | Citadel hooks local DNS-related Windows functions and can be configured to redirect any host IP, enabling the fraudster both to create more reliable phishing attacks and to isolate victim machines from AV services |
| More function hooks | With its hooking variety, Citadel covers a much larger array of Windows functions than Zeus ever did |
| The C&C server side | The Citadel botnet has been patched against common attack methods that plagued Zeus |

The Citadel Encryption Method

Going back to how communication was programmed to happen between Zeus v2 variants and their C&C servers, researchers recall that it was encrypted with a symmetric algorithm, RC4, using a pre-shared key defined by the builder. Some variants of Zeus were seen using AES instead of RC4, which is stronger, though still used with a predefined key.

Citadel combined those two encryption methods and topped them with an additional layer. Every Citadel variant has a hardcoded MD5 string (probably a hash of the password set by the builder) in addition to the RC4 key:

1. At runtime, the MD5 string is run through the MD5 function a second time.
2. The result (the new MD5) is then encrypted using RC4 with the stored key.
3. That final result is used to create an AES encryption/decryption key using the AES key schedule routines.
4. The Trojan's communication is then encrypted using AES.

This three-fold effort provides botmasters with strong encryption out of the box: even if they were to choose a weak password, it would be practically impossible to brute-force or break into their bots' communications.
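An analyst who wants to read captured bot-to-C&C traffic has to reproduce the key chain just described. The Go program below is an added illustration, not code from the report or from the Trojan itself: it implements the MD5, then RC4, then AES derivation with Go's standard library. The MD5 string, RC4 key and message are constructed values, and two details the report leaves open are assumptions made here: the MD5 string is hashed as its ASCII hex text, and AES runs in CBC mode with a random IV prepended to each message.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/md5"
	"crypto/rand"
	"crypto/rc4"
	"errors"
	"fmt"
	"io"
)

// deriveAESKey reproduces the chain the report describes:
//  1. the variant's hardcoded MD5 string is run through MD5 a second time;
//  2. that digest is encrypted with RC4 under the stored RC4 key;
//  3. the 16 result bytes become the AES key (the key schedule expands them).
// Assumptions not stated on the page: the MD5 string is hashed as its ASCII
// hex text, and the 16 RC4 output bytes are used directly as an AES-128 key.
func deriveAESKey(md5Hex string, rc4Key []byte) ([]byte, error) {
	if len(rc4Key) == 0 {
		return nil, errors.New("empty RC4 key")
	}
	second := md5.Sum([]byte(md5Hex))
	stream, err := rc4.NewCipher(rc4Key)
	if err != nil {
		return nil, err
	}
	key := make([]byte, len(second))
	stream.XORKeyStream(key, second[:])
	return key, nil
}

// pkcs7Pad / pkcs7Unpad give whole AES blocks; the padding scheme is an assumption.
func pkcs7Pad(b []byte, size int) []byte {
	n := size - len(b)%size
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte, size int) ([]byte, error) {
	if len(b) == 0 || len(b)%size != 0 {
		return nil, errors.New("bad padded length")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > size {
		return nil, errors.New("bad padding byte")
	}
	for _, p := range b[len(b)-n:] {
		if int(p) != n {
			return nil, errors.New("bad padding")
		}
	}
	return b[:len(b)-n], nil
}

// encryptMessage: AES-CBC, random IV prepended (mode assumed; the report only says "AES").
func encryptMessage(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	iv := make([]byte, aes.BlockSize)
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		return nil, err
	}
	padded := pkcs7Pad(plaintext, aes.BlockSize)
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	return append(iv, out...), nil
}

// decryptMessage reverses encryptMessage and rejects short or misaligned input.
func decryptMessage(key, ciphertext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(ciphertext) < 2*aes.BlockSize || len(ciphertext)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext too short or misaligned")
	}
	iv, body := ciphertext[:aes.BlockSize], ciphertext[aes.BlockSize:]
	out := make([]byte, len(body))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(out, body)
	return pkcs7Unpad(out, aes.BlockSize)
}

func main() {
	// Constructed stand-ins for the constants an analyst would lift from a sample;
	// "5f4dcc3b5aa765d61d8327deb882cf99" is MD5("password"), a deliberately weak builder password.
	key, err := deriveAESKey("5f4dcc3b5aa765d61d8327deb882cf99", []byte("constructed-rc4-key"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("derived AES-128 key: %x\n", key)
	ct, err := encryptMessage(key, []byte("constructed bot report"))
	if err != nil {
		panic(err)
	}
	pt, err := decryptMessage(key, ct)
	if err != nil {
		panic(err)
	}
	fmt.Printf("round trip: %q\n", pt)
}
```

The derivation is deterministic: it adds no secrecy beyond the MD5 string and RC4 key embedded in the variant, so whoever extracts those two constants from a sample reproduces the AES key without any brute force. That is why the chain frustrates an outsider sniffing the wire but not an analyst holding the binary.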
Local Pharming: Citadel's Custom DNS Redirection

Right from its first release, Citadel introduced this new option to botmasters, designed to let them change the behavior of name resolution on infected machines. Bottom line, this means that the botmaster can decide which URLs the victim can or cannot reach, and what page the victim will land on instead of the original page they were looking for. This redirection scheme works by installing hooks on two DNS-related functions:

1. gethostbyname
2. getaddrinfo

To implement this functionality, a new block was added to the config file, containing name and IP pairs. Whenever an infected process[2] tries to resolve a hostname to an IP address, the request first passes through Citadel's routines. The Trojan then tries to resolve the address using the regular mechanisms; if that succeeds, it checks its own configuration for a matching name/IP pair. If a match is found, the Trojan returns the pre-defined (fraudulent) address to the caller.
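Because the hooks sit inside the infected process, the tell-tale sign is a disagreement between what a process is handed by gethostbyname/getaddrinfo and what an independent resolution path returns for the same name. The Go program below is an added example written for this report's discussion, not code from RSA or from the Trojan: it classifies such pairs of answers, separating a hostname that has been pointed at a fraudulent server from one that has been cut off (pointed at loopback or another unroutable address, the isolation use the report describes), and treating a failed reference lookup as inconclusive, since the report notes that Citadel passes the original DNS error through in that case. The hostnames and addresses are constructed, using RFC 5737 documentation ranges.

```go
package main

import (
	"fmt"
	"net"
)

// Verdict is the outcome of comparing what a process received from the
// (possibly hooked) resolver APIs with an independent resolution.
type Verdict string

const (
	VerdictConsistent   Verdict = "consistent"   // every in-process answer is among the reference answers
	VerdictRedirected   Verdict = "redirected"   // an in-process answer points where the reference never did
	VerdictBlackholed   Verdict = "blackholed"   // in-process answer is loopback/unspecified/private: access is cut off
	VerdictInconclusive Verdict = "inconclusive" // one side returned nothing, so there is nothing to compare
)

// Observation pairs one hostname's in-process answers with reference answers
// obtained outside the process (in practice, from a resolver path the
// process does not control). An empty slice means that lookup failed.
type Observation struct {
	Host      string
	InProcess []string
	Reference []string
}

// classify compares the two answer sets. When the real lookup fails, the
// report says Citadel returns the original error, so a failed reference or
// in-process lookup yields no discrepancy to judge and is inconclusive.
func classify(o Observation) Verdict {
	if len(o.Reference) == 0 || len(o.InProcess) == 0 {
		return VerdictInconclusive
	}
	ref := make(map[string]bool, len(o.Reference))
	for _, a := range o.Reference {
		if ip := net.ParseIP(a); ip != nil {
			ref[ip.String()] = true // ParseIP/String normalises forms such as ::ffff:a.b.c.d
		}
	}
	for _, a := range o.InProcess {
		ip := net.ParseIP(a)
		if ip == nil {
			return VerdictRedirected // unparsable answer handed to the process: treat as tampered
		}
		if ref[ip.String()] {
			continue // legitimate answer (CDNs return several; any reference match is fine)
		}
		if ip.IsLoopback() || ip.IsUnspecified() || ip.IsPrivate() {
			return VerdictBlackholed
		}
		return VerdictRedirected
	}
	return VerdictConsistent
}

// scanObservations classifies a batch and returns verdicts keyed by hostname.
func scanObservations(obs []Observation) map[string]Verdict {
	out := make(map[string]Verdict, len(obs))
	for _, o := range obs {
		out[o.Host] = classify(o)
	}
	return out
}

// sampleObservations are constructed for this example: placeholder hostnames
// and addresses from the RFC 5737 documentation ranges.
func sampleObservations() []Observation {
	return []Observation{
		{Host: "update.av-vendor.example", InProcess: []string{"127.0.0.1"}, Reference: []string{"203.0.113.10"}},
		{Host: "online.bank.example", InProcess: []string{"198.51.100.77"}, Reference: []string{"203.0.113.20", "203.0.113.21"}},
		{Host: "cdn.example", InProcess: []string{"203.0.113.30"}, Reference: []string{"203.0.113.31", "203.0.113.30"}},
		{Host: "nonexistent.example", InProcess: nil, Reference: nil},
	}
}

func main() {
	for host, v := range scanObservations(sampleObservations()) {
		fmt.Printf("%-28s %s\n", host, v)
	}
}
```

The comparison only has value when the reference answers come from a path the hooked process cannot influence, such as a query sent from another host or a resolver the machine does not normally use; comparing two lookups made inside the same infected process would pass through the same hooks and agree.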
It is worth mentioning that if the regular DNS request fails (domain does not exist, network timeout, etc.), Citadel returns the original error message to the caller, even if a matching address is found in its botmaster's config. This behavior makes the redirection less suspicious in terms of network monitoring and typical request/answer times.

The local pharming functionality allows botnet operators to leverage two main attack vectors:

1. Isolation of the infected machine, blocking its access to certain unwanted services, including AV providers, web-based malware scans, security providers' web sites, abuse lists and malware update servers.
2. Deployment of sophisticated phishing attacks, redirecting Trojan-infected victims to fraudulent servers when they attempt to reach a legitimate URL via their browser.

Citadel's C&C Server-Side Improvements and Security Patches

The Citadel Trojan uses the well-known Zeus server panel, patched against web-based attacks. Another minor change is in the panel's visual design, making it appear more professional to users and affording added control over infected bots. Many of Citadel's functions and options are embedded into the panel ad hoc, as the team sees fit.

THE COST OF CYBERCRIME WITH CITADEL

What can a cyber crook expect to pay for this next-generation crimeware kit?
The following table represents the selling price today for Citadel and its respective technical set-up, support, updates and other various features:

| Feature | Overview | Cost (USD / EUR) |
|---|---|---|
| Citadel VNC Fox 2012 | Connect to infected machines via a remote administration tool (VNC) | $495 USD / €375 |
| Citadel SOCKS | Allows access and proxy traffic through bots located on different botnets | $49 / €37 |
| Checker CBOT | Uses web browsing to check the target bot's match, up to 99.9% accuracy | |
| EXE Auto-Encryption Plugin | Automates the encryption task for new variants created | $295 USD / €300 + pay per encryption at $15 / €11.50 |
| Log Parser Plugin | Adds filtering options to the immense amounts of stolen incoming data | $295 / €225 |
| CardSwipe module | Picks out card numbers from outgoing web traffic | $250 / €190 |
| Automatic iframer of FTP accounts from logs | Steals FTP account credentials from bots and feeds them into iframes that facilitate traffic to the botnet's infection points | $1000 / €755 |
| GeoIP-filter | Provides protection against tracking and unwanted attention by filtering out complete country IP ranges | $380 / €290 |
| Duplicate-Cleaner | Complete removal of all incoming duplicate records from logs, working non-stop | $90 / €70 |
| The Citadel CRM Membership | Community, support, business partners, advertising, forum | Monthly fee $125 / €95 from each user |
WHAT DOES CITADEL'S FUTURE HOLD?

The team developing Citadel appears to be taking the project very seriously and seems to be working tirelessly on patching clunky Zeus mechanisms and adding new ones, making the Trojan increasingly modular and adapted to cybercrime endeavors. The Citadel Trojan is being aggressively marketed within the fraud underground and will be a crimeware kit to be reckoned with in 2012. From March to April, RSA saw a 20 percent increase in the use of Citadel in the Trojan attacks we analyzed. RSA is conducting research into the Citadel Trojan on an ongoing basis and will continue to report on new findings as they become available.
Phishing Attacks per Month

In April, there was an 86 percent increase in the total number of global phishing attacks, with a total of 35,558 unique phishing attacks identified by RSA.

Unique phishing attacks identified per month (chart data):

| Month | Attacks |
|---|---|
| Apr 11 | 17376 |
| May 11 | 23097 |
| Jun 11 | 22516 |
| Jul 11 | 25191 |
| Aug 11 | 26907 |
| Sept 11 | 38970 |
| Oct 11 | 21030 |
| Nov 11 | 21119 |
| Dec 11 | 24019 |
| Jan 12 | 28365 |
| Feb 12 | 29974 |
| Mar 12 | 19141 |
| Apr 12 | 35558 |

Source: RSA Anti-Fraud Command Center

Number of Brands Attacked

The number of brands targeted through April dropped five percent from March, standing at a total of 288 brands targeted by phishing attacks.

Brands targeted per month (chart data):

| Month | Brands |
|---|---|
| Apr 11 | 301 |
| May 11 | 376 |
| Jun 11 | 349 |
| Jul 11 | 321 |
| Aug 11 | 351 |
| Sept 11 | 300 |
| Oct 11 | 298 |
| Nov 11 | 313 |
| Dec 11 | 256 |
| Jan 12 | 281 |
| Feb 12 | 281 |
| Mar 12 | 303 |
| Apr 12 | 288 |

Source: RSA Anti-Fraud Command Center
US Bank Types Attacked

U.S. nationwide brands saw a 24 percent increase in phishing attacks in April. Regional banks accounted for a considerably lower portion of targeted brands, dropping from 30 percent in March to 11 percent in April.

[Chart: monthly share of U.S. phishing attacks by bank type, Apr 11 to Apr 12. Source: RSA Anti-Fraud Command Center]

Top Countries by Attack Volume

In April, only five countries endured more than one percent of phishing attack volume, with over 90 percent of the entire volume targeted at the UK, Canada and the U.S.

| Country | Share of attack volume |
|---|---|
| United Kingdom | 42% |
| Canada | 28% |
| U.S. | 22% |
| Colombia | 1.5% |
| Brazil | 1% |
| 45 other countries | 6% |
Top Countries by Attacked Brands

Brands in the U.S., UK, Australia and India were targeted by almost 50 percent of phishing attacks in April, followed by Canada, Brazil and Italy.

| Country | Share of attacked brands |
|---|---|
| U.S. | 27% |
| United Kingdom | 11% |
| India | 5% |
| Australia | 5% |
| Canada | 4% |
| Brazil | 4% |
| Italy | 4% |
| China | 3% |
| France | 3% |
| New Zealand | 2% |
| Colombia | 2% |
| South Africa | 2% |
| Germany | 2% |
| 37 other countries | 26% |

Top Hosting Countries

In April, 55 percent of phishing attacks were hosted in the U.S., followed by Brazil, which hosted 13 percent, marking a five percent increase from March.

| Country | Share of hosted attacks |
|---|---|
| U.S. | 55% |
| Brazil | 13% |
| United Kingdom | 4% |
| Australia | 3% |
| France | 2% |
| Germany | 2% |
| Spain | 2% |
| Japan | 2% |
| Canada | 2% |
| Italy | 1% |
| Vietnam | 1% |
| 60 other countries | 13% |
CONTACT US

To learn more about how RSA products, services, and solutions help solve your business and IT challenges, contact your local representative or authorized reseller, or visit us at www.emc.com/rsa

© 2012 EMC Corporation. EMC, RSA, the RSA logo, and FraudAction are trademarks or registered trademarks of EMC Corporation in the U.S. and/or other countries. All other trademarks mentioned are the property of their respective holders. MAY RPT 0512