Citadel virus still active
Posted by: TimW on 07/03/2013 10:52 AM
[
Comments
]
We reported a little while back about the government and Microsoft taking down approximately 12,000 Citadel botnets.
âWe did see a lot of effort to create custom scripts per local infection. The dropdowns are localized and there are specific data elements for different geographies,â said Etay Maor, Trusteer fraud prevention solutions manager. âThis group localized things a person from a specific country would expect to see. They went to great effort to localize this.â
âThey have a different way of storing data and have built databases for regions. That makes me think theyâre going to sell the information rather than use it,â Maor said. Localized credentials, for example, have more value than a scattered list of user names and passwords. âFor people who sell credentials, itâs a big difference to say they have 100 Italian credentials. For example, it doesnât help to have American account information if youâre working in Italy. You can use it, but you need an accomplice who knows the local rules.â
âWhat weâve seen is an interesting group, a low-profile team. This variant is not sold as weâve seen other variants sold,â Maor said. âThe distribution isnât huge, but it is significant. Theyâre very good at protecting stored stolen credentials, and very good at making the malware hard to research. These are not your average hackers; they didnât just buy a version of the Citadel malware. They took the extra step to make it covert and sustainable, and to localize it.â
âYou can see the injections are professional. There are no grammar mistakes and the logos all look real,â Maor said, adding that victims are likely infected via drive-by downloads. âBut if you log into Amazon and you see a screen youâve never seen before, even one that warns you that your account will be shut down, you should be a little more skeptical.â
âThey disrupted more than 1,000 botnets operated by Citadel, but itâs important that people understand that while the operation was important, it didnât solve the problem,â Maor said. âThey disrupted botnets that were up and running, but anyone who has the Citadel builder can build a new variant and distribute it. They didnât eliminate Citadel. Yeah, business took a hit, but it can be recreated.â
âWe did see a lot of effort to create custom scripts per local infection. The dropdowns are localized and there are specific data elements for different geographies,â said Etay Maor, Trusteer fraud prevention solutions manager. âThis group localized things a person from a specific country would expect to see. They went to great effort to localize this.â
âThey have a different way of storing data and have built databases for regions. That makes me think theyâre going to sell the information rather than use it,â Maor said. Localized credentials, for example, have more value than a scattered list of user names and passwords. âFor people who sell credentials, itâs a big difference to say they have 100 Italian credentials. For example, it doesnât help to have American account information if youâre working in Italy. You can use it, but you need an accomplice who knows the local rules.â
âWhat weâve seen is an interesting group, a low-profile team. This variant is not sold as weâve seen other variants sold,â Maor said. âThe distribution isnât huge, but it is significant. Theyâre very good at protecting stored stolen credentials, and very good at making the malware hard to research. These are not your average hackers; they didnât just buy a version of the Citadel malware. They took the extra step to make it covert and sustainable, and to localize it.â
âYou can see the injections are professional. There are no grammar mistakes and the logos all look real,â Maor said, adding that victims are likely infected via drive-by downloads. âBut if you log into Amazon and you see a screen youâve never seen before, even one that warns you that your account will be shut down, you should be a little more skeptical.â
âThey disrupted more than 1,000 botnets operated by Citadel, but itâs important that people understand that while the operation was important, it didnât solve the problem,â Maor said. âThey disrupted botnets that were up and running, but anyone who has the Citadel builder can build a new variant and distribute it. They didnât eliminate Citadel. Yeah, business took a hit, but it can be recreated.â
Comments
