Citadel virus still active
Posted by: TimW on 07/03/2013 02:52 PM
We reported a little while back about the government and Microsoft taking down approximately 12,000 Citadel botnets.
A new variant has popped up in the last few weeks, targeting not only banks and financial institutions but also social networks and ecommerce websites such as Amazon. The malware triggers on an infected machine when the user browses to a targeted site, and delivers an HTML injection that mimics a legitimate log-on page. The injected screen contains detailed localized content, tailored to Italian, Spanish, French, German, British, American and Australian targets for each brand in question.
“We did see a lot of effort to create custom scripts per local infection. The dropdowns are localized and there are specific data elements for different geographies,” said Etay Maor, Trusteer fraud prevention solutions manager. “This group localized things a person from a specific country would expect to see. They went to great effort to localize this.”
“They have a different way of storing data and have built databases for regions. That makes me think they’re going to sell the information rather than use it,” Maor said. Localized credentials, for example, have more value than a scattered list of user names and passwords. “For people who sell credentials, it’s a big difference to say they have 100 Italian credentials. For example, it doesn’t help to have American account information if you’re working in Italy. You can use it, but you need an accomplice who knows the local rules.”
“What we’ve seen is an interesting group, a low-profile team. This variant is not sold as we’ve seen other variants sold,” Maor said. “The distribution isn’t huge, but it is significant. They’re very good at protecting stored stolen credentials, and very good at making the malware hard to research. These are not your average hackers; they didn’t just buy a version of the Citadel malware. They took the extra step to make it covert and sustainable, and to localize it.”
“You can see the injections are professional. There are no grammar mistakes and the logos all look real,” Maor said, adding that victims are likely infected via drive-by downloads. “But if you log into Amazon and you see a screen you’ve never seen before, even one that warns you that your account will be shut down, you should be a little more skeptical.”
“They disrupted more than 1,000 botnets operated by Citadel, but it’s important that people understand that while the operation was important, it didn’t solve the problem,” Maor said. “They disrupted botnets that were up and running, but anyone who has the Citadel builder can build a new variant and distribute it. They didn’t eliminate Citadel. Yeah, business took a hit, but it can be recreated.”