A few weeks ago, Brian Krebs reported on Citadel, a new variant of the Zeus Trojan.
Citadel creators decided to provide this new variant in a Software-as-a-Service (SaaS) model, which seems to be a rising trend in the cybercrime ecosystem.
The developers did not stop there. They created a social network that enables the customers of Citadel (other cybercriminals) to suggest new features and modules to the malware, report bugs and other errors in the system, comment and discuss related issues with fellow customers. This CRM (Customer Relationship Management) platform has explosive potential, as it harnesses the accumulative knowledge and resources of its cyber community.
Based on the fact that the Zeus source-code went public in 2011, the Citadel community indeed became active, and started contributing new modules and features. This recent development may be an indication of a trend in malware evolution - an open-source malware.
We have previously discussed trends in malware evolution, where the sophistication level is continuously rising, especially on the server side, as malware kits have become the mainstream among cybercriminals.
Each version added new modules and features, some of which were submitted by the Citadel customers themselves, including:
- AES Encryption – The customer can decide whether to encrypt the malware configuration file and communication with the C&C server, with RC4 encryption (used by old Zeus versions) or AES encryption.
- Avoiding Trackers Detection – Zeus tracking websites (e.g. Zeus Tracker, Malware URL, etc.) help in shutting down Zeus botnets by reporting on new Zeus C&C servers. Citadel now requires a specific botnet key in order to download malware updates and configuration files, in a hope to not be detected by those trackers.
- Security vendors websites blacklist – Machines infected with Citadel cannot access websites of information security vendors. This blocks the option to download new security products, or get updates from currently installed products (e.g. Anti-Virus updates).
- Trigger-based Video Recording – Record videos (using MKV codec) of the infected machine activity, in case the victim visits a specific website. A customer can decide whether to receive a malware builder with or without this module, mainly because this feature requires a lot of space on the malware C&C server.
Check out the full details at the Seculert blog...