Citadel – An Open-Source Malware Project

A few weeks ago, Brian Krebs reported on Citadel, a new variant of the Zeus Trojan.
Citadel's creators decided to offer this new variant in a Software-as-a-Service (SaaS) model, which appears to be a rising trend in the cybercrime ecosystem.

The developers did not stop there. They created a social network that enables Citadel's customers (other cybercriminals) to suggest new features and modules for the malware, report bugs and other errors in the system, and comment on and discuss related issues with fellow customers. This CRM (Customer Relationship Management) platform has explosive potential, as it harnesses the cumulative knowledge and resources of its cybercrime community.

Since the Zeus source code went public in 2011, the Citadel community has indeed become active and started contributing new modules and features. This recent development may indicate a new stage in malware evolution: open-source malware.

We have previously discussed trends in malware evolution, where the level of sophistication is continuously rising, especially on the server side, as malware kits have become mainstream among cybercriminals.

Open-source malware evolves faster

Seculert's Research Lab discovered the first indication of a Citadel botnet on December 17th, 2011. Adoption and development of Citadel are growing rapidly; since then Seculert has identified over 20 different Citadel botnets (see Figures 1 and 2 for statistics), running the following versions of the malware:

  • 1.1.0.0
  • 1.1.3.0
  • 1.1.5.1
  • 1.2.0.0
  • 1.2.4.0

Figure 1: Administration Panel of Citadel v1.2.4.0 botnet

Figure 2: Infection rate per country of several Citadel botnets, infecting over 100,000 machines

Each version added new modules and features, some of them submitted by Citadel customers themselves, including:

  • AES Encryption – The customer can choose whether the malware configuration file and the communication with the C&C server are encrypted with RC4 (used by older Zeus versions) or with AES.
  • Avoiding Tracker Detection – Zeus tracking websites (e.g. Zeus Tracker, Malware URL, etc.) help shut down Zeus botnets by reporting new Zeus C&C servers. Citadel now requires a specific botnet key in order to download malware updates and configuration files, in the hope of evading those trackers.
  • Security vendor website blacklist – Machines infected with Citadel cannot access the websites of information security vendors. This prevents the victim from downloading new security products or receiving updates for already installed ones (e.g. anti-virus signature updates).
  • Trigger-based Video Recording – Records videos (in MKV format) of the infected machine's activity when the victim visits a specific website. A customer can decide whether to receive a malware builder with or without this module, mainly because this feature requires a lot of storage on the C&C server.
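The vendor-site blacklist is one of the few behaviours above that a defender can check for directly from the endpoint. The following added example (written for this post, not Seculert's or Citadel's code) probes a set of security-vendor domains and a set of unrelated control domains, and flags the host when the controls resolve but the vendor sites do not. That comparison separates this selective blocking from a plain network outage. The domain names are placeholders, and the resolver is swappable so the logic can be exercised offline or pointed at an HTTP probe instead of DNS.

```python
"""
Host-side heuristic for the "security vendor website blacklist" behaviour:
compare reachability of security-vendor sites against ordinary control sites.
Added example for this post; not code from Seculert or from the malware.
"""
import socket
from typing import Callable, Dict, Iterable, List

# Placeholder lists (assumptions for the example). In practice the vendor
# list would hold the update hosts of the products installed on the host.
VENDOR_DOMAINS: List[str] = ["update.example-av.test", "downloads.example-av.test"]
CONTROL_DOMAINS: List[str] = ["www.example.com", "www.example.org"]

# A resolver maps a host name to True (reachable) or False (not reachable).
Resolver = Callable[[str], bool]


def dns_resolves(name: str) -> bool:
    """Live resolver: True if the name resolves to at least one address."""
    try:
        socket.getaddrinfo(name, 80)
        return True
    except socket.gaierror:
        return False


def probe(domains: Iterable[str], resolve: Resolver) -> Dict[str, bool]:
    """Run the resolver over each domain and record the outcome."""
    return {d: resolve(d) for d in domains}


def classify(vendor: Dict[str, bool], control: Dict[str, bool]) -> str:
    """Turn the two probe results into a verdict string."""
    control_ok = sum(1 for ok in control.values() if ok)
    vendor_ok = sum(1 for ok in vendor.values() if ok)
    if control_ok == 0:
        return "no_connectivity"      # nothing resolves; cannot conclude
    if vendor_ok == len(vendor):
        return "clean"                # vendor sites reachable like everything else
    if vendor_ok == 0:
        return "selective_block"      # only vendor sites fail: matches the blacklist
    return "partial_block"            # some vendor sites fail; worth a closer look


def assess(resolve: Resolver = dns_resolves,
           vendor_domains: Iterable[str] = VENDOR_DOMAINS,
           control_domains: Iterable[str] = CONTROL_DOMAINS) -> Dict[str, object]:
    """Probe both domain sets and return the verdict plus the failing names."""
    vendor = probe(vendor_domains, resolve)
    control = probe(control_domains, resolve)
    return {
        "verdict": classify(vendor, control),
        "blocked_vendor": sorted(d for d, ok in vendor.items() if not ok),
        "failed_control": sorted(d for d, ok in control.items() if not ok),
    }


if __name__ == "__main__":
    # Constructed resolver that mimics an infected host: only vendor names fail.
    simulated_blocklist = set(VENDOR_DOMAINS)
    result = assess(lambda n: n not in simulated_blocklist)
    print(result["verdict"], result["blocked_vendor"])
```

Because the blocking may be implemented at the HTTP layer rather than at name resolution, the resolver argument is the place to plug in an HTTP HEAD request against the vendor's update URL; the verdict logic stays the same. A "selective_block" verdict on a host is a strong reason to pull it for investigation rather than trust its locally reported anti-virus status.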

Like legitimate software companies, the Citadel authors provide their customers with a User Manual, Release Notes and a License Agreement (see Figures 3 and 4).


Figure 3: Citadel v1.2.4.0 Release Notes (Translated by Google Translate)

Figure 4: Citadel License Agreement (Translated by Google Translate)

Given this recent embrace of practices from the legitimate business world, we suspect that the open-source model may be the next growing trend. The cybercrime world is characterized by rapid development, cutting-edge technology, and hackers' constant craving for recognition. Judging by developments in the software world, the open-source model may well be accepted in the cybercrime ecosystem too.
