In old times, a citadel was a fortress used as the last
line of defense. For cyber criminals it is a powerful and
state-of-the-art toolkit to both distribute malware and manage infected
computers (bots). Citadel is an offspring of the (too) popular Zeus
crimekit whose main goal is to steal banking credentials by capturing
keystrokes and taking screenshots/videos of victims’ computers. Citadel
came out circa January 2012 in the online forums and quickly became a
popular choice for criminals. A version of Citadel (1.3.4.5) was leaked
in late October and although it is not the latest (1.3.5.1), it gives us
a good insight into what tools the bad guys are using to make money.
In this post, I will show you how criminals operate a botnet. This is not meant as a tutorial and I do want to stress that running a botnet is illegal and could send you to jail.
A nice home
In order to get into business the bad guys need a server that is hosted at a company that will turn a blind eye on their activities and also guarantee them some anonymity. Such companies are called Bulletproof hosting and can be found in most underground forums (Figure 1).
A shiny new toy
Once set up with a server, it is time to install what will be the mastermind program to create and organize an entire array (botnet) of infected computers worldwide. A variety of crimekits exist but in this post we will concentrate on Citadel.
Once again, the core installation files can be found in the underground community or through your own connections. Recently, the Citadel kit was withdrawn from forums to prevent too much exposure and attention. It costs around $3000 USD.
Infected PCs all report to the mothership and wait for orders. This is where it gets interesting because making malware is one thing but actually managing your own campaigns is the key to success. The Citadel control panel is well designed and puts a lot of features at your fingertips (Figure 8).
It is the ultimate phishing tool because it does not go against any known proper precautions a user would normally take. For instance, the site’s URL is unchanged and shows the secure pad lock with the financial institution’s SSL certificate (Figure 12). This type of hack is also called a man-in-the-middle attack.
The FBI has posted an article regarding this scam (http://www.fbi.gov/news/stories/2012/august/new-internet-scam) and urges people to not pay any money as it could get you into even more troubles.
Malwarebytes users are protected against the FBI Moneypak malware. If you aren’t one of them and are already infected you can remove this ransomware by following these 3 steps:
The latest version (1.3.5.1) whose code name is Rain Edition is getting pricey at $3931 but it includes a lot of valuable features (advanced support for Chrome and Firefox, improved WebInjects, smarter ‘on-the-fly’ updates to the Trojan, etc…).
The makers of Citadel are trying to keep a low enough profile to avoid gathering too much attention which could result in efforts to go after them (as we have seen with Zeus). Getting your hands on Citadel is more difficult because of a stricter validation process within the Russian underground.
How to protect yourself
When seeing such technically advanced crimekits it puts a lot of things into perspective. The methods used to steal personal information are so advanced and sneaky that even the most cautious user may get fooled. It is best to avoid infection in the first place by using a solution such as Malwarebytes Anti-Malware PRO that constantly protects your computer by blocking malicious sites and files. Using a combination of both safe online practices (if you ever feel uncomfortable disclosing personal information, give your bank a call or ask a friend) and a good anti malware solution will keep you safe(r).
In this post, I will show you how criminals operate a botnet. This is not meant as a tutorial and I do want to stress that running a botnet is illegal and could send you to jail.
A nice home
In order to get into business the bad guys need a server that is hosted at a company that will turn a blind eye on their activities and also guarantee them some anonymity. Such companies are called Bulletproof hosting and can be found in most underground forums (Figure 1).
Figure 1: an ad for Bulletproof hosting
Those hosting firms are for the most part located in countries like
China or Russia and therefore in their own jurisdiction where so long as
you don’t commit crimes against your own people not a whole lot can
happen to you. To cover their tracks even more, the bad guys use proxy
or VPN services that disguise their own IP address.A shiny new toy
Once set up with a server, it is time to install what will be the mastermind program to create and organize an entire array (botnet) of infected computers worldwide. A variety of crimekits exist but in this post we will concentrate on Citadel.
Once again, the core installation files can be found in the underground community or through your own connections. Recently, the Citadel kit was withdrawn from forums to prevent too much exposure and attention. It costs around $3000 USD.
Figure 2 shows what the
package looks like. An instruction manual in both Russian and English is
provided. The kit requires server software such as Apache, and PHP with
a MySQL database to work properly.
Figure 2: the citadel package
To install Citadel, you
simply browse to the install folder with your browser (Figure 3) and set
up the main access username and password as well as database
information.
Figure 3: Citadel’s installation screen
In this testing, the installer did not automatically create the database but you can do so by hand (Figure 4):
Figure 4: creating a database for Citadel’s exploit pack
To finally access the login page, you need to browse to the cp.php file (Figure 5):
Figure 5: Citadel’s login page
Before logging in, I want
to show you the other component that makes this package complete. It is
called the builder (Figure 6) and is essentially used to create the
piece of malware that criminals will distribute (forced installs through
infected websites) and that links to their crimekit.
Figure 6: creating the Citadel bot with the builder
The malware is built to
avoid AV detection and is tested with online virus scanners like
Scan4You, an equivalent to the popular VirusTotal except this one is
totally anonymous and does not share uploaded samples with antivirus
vendors. Speaking of which, once installed on the victim’s machine, the
malware will prevent access to security sites (Figure 7).
Figure 7: a list of antivirus vendors that are blocked by Citadel’s malware
Here is an example of an infection from a Citadel Trojan.Infected PCs all report to the mothership and wait for orders. This is where it gets interesting because making malware is one thing but actually managing your own campaigns is the key to success. The Citadel control panel is well designed and puts a lot of features at your fingertips (Figure 8).
Figure 8: Citadel’s Control Panel
Each feature is actually a
module written in PHP as seen on Figure 9. The control panel gives you
an overview of the machines that have been infected. It’s a sort of
Malware Analytics with stats by country, Operating System, etc…
Figure 9: Citadel’s modules
The main purpose of Citadel is to steal banking credentials and so
it’s no big surprise to see advanced search features to specifically
look for financial institutions (Figure 10).
Figure 10: Citadel’s advanced search features
A password is a password
whether it’d be for a bank or something more common like a Facebook or
Gmail account. In fact, you can customize any site that is of interest
to you and capture the credentials. Notifications of successfully
stolen passwords can be sent via Instant Message through the Jabber
protocol (Figure 11).
Figure 11: Citadel’s custom rules and notifications
Stolen credentials are harvested by various means:- Keystroke logging
- Screenshot capture
- Video capture
It is the ultimate phishing tool because it does not go against any known proper precautions a user would normally take. For instance, the site’s URL is unchanged and shows the secure pad lock with the financial institution’s SSL certificate (Figure 12). This type of hack is also called a man-in-the-middle attack.
Figure 12: Man-in-the-middle attack through webinject
In case this method does not work (some people might get suspicious),
the bad guys can always revert to a more direct approach with some
ransomware. Citadel is also involved in the distribution of the FBI
Moneypak (also known as Reveton) malware which locks the user out of his
computer and demands $200 (Figure 13). It is customized based on the
victim’s country of origin.
Figure 13: Reveton ransomware distributed by Citadel Trojan
Since a lot of people download music and movies from torrents or
other shady sites, the message tricks them into thinking they have been
caught by the local authorities. It’s a very smart scare tactic which
works quite well, unfortunately. To add to the drama, the malware will
attempt to turn on the user’s webcam as if they were already under
surveillance.The FBI has posted an article regarding this scam (http://www.fbi.gov/news/stories/2012/august/new-internet-scam) and urges people to not pay any money as it could get you into even more troubles.
Malwarebytes users are protected against the FBI Moneypak malware. If you aren’t one of them and are already infected you can remove this ransomware by following these 3 steps:
- Reboot your computer into Safe Mode with Networking. (Instructions from Microsoft here)
- Download Malwarebytes Anti-Malware.
- Run Malwarebytes Anti-Malware and remove all malware (Figure 14)
Figure 14: Reveton ransomware Trojan detected by Malwarebytes Anti-Malware.
What’s next for Citadel?The latest version (1.3.5.1) whose code name is Rain Edition is getting pricey at $3931 but it includes a lot of valuable features (advanced support for Chrome and Firefox, improved WebInjects, smarter ‘on-the-fly’ updates to the Trojan, etc…).
The makers of Citadel are trying to keep a low enough profile to avoid gathering too much attention which could result in efforts to go after them (as we have seen with Zeus). Getting your hands on Citadel is more difficult because of a stricter validation process within the Russian underground.
How to protect yourself
When seeing such technically advanced crimekits it puts a lot of things into perspective. The methods used to steal personal information are so advanced and sneaky that even the most cautious user may get fooled. It is best to avoid infection in the first place by using a solution such as Malwarebytes Anti-Malware PRO that constantly protects your computer by blocking malicious sites and files. Using a combination of both safe online practices (if you ever feel uncomfortable disclosing personal information, give your bank a call or ask a friend) and a good anti malware solution will keep you safe(r).
Security firm McAfee warns that 
A mysterious group of computer hackers has spent four years spying
on the South Korea military, US security software maker McAfee has said,
citing evidence uncovered from malicious software samples.
Posts
