Citadel Malware Authors Adopt Open-Source Development Model

Attackers and malware authors are well-known for their proclivity for taking whatever tactics and techniques work for others and making them their own. That adaptive ability has now extended to the idea of open-source projects, with one malware gang having set up its own community for improving and updating a piece of malware known as Citadel, a derivative of Zeus.

Citadel is one of a number of newer versions of Zeus that have cropped up since the Zeus source code became public last year. That event gave a broad new set of attackers access to one of the more powerful crimeware kits in circulation, and experts said at the time that they expected more attacks using the kit. Citadel emerged a few weeks ago, and researchers began seeing botnets based on a handful of variants of the malware by mid-December.

Now, researchers at Seculert say that they have identified more than 20 different botnets based on several separate iterations of Citadel. More than that, the group or groups behind Citadel have developed a community of customers and contributors around the malware that suggests new features and contributes code and modules. Some of the capabilities that have been added to recent versions of Citadel include AES encryption of the malware config file and of communications with the C&C server, the ability to evade tracking sites, blocking of access to security sites and the ability to record videos of victim activity.

“[The Citadel developers] created a social network that enables the customers of Citadel (other cybercriminals) to suggest new features and modules to the malware, report bugs and other errors in the system, comment and discuss related issues with fellow customers. This CRM (Customer Relationship Management) platform has explosive potential, as it harnesses the accumulative knowledge and resources of its cyber community,” Seculert researchers said in a blog post.

“Following this recent embracement of trends from the legitimate business world, we suspect that the open-source model may be the next growing trend. The cybercrime world is characterized by rapid development, cutting-edge technology, and hackers’ constant cravings for recognition. By looking at the developments in the software world, the open-source model may be well accepted in the cybercrime ecosystem as well.”

Seculert CTO Aviv Raff said that he had not seen this kind of rapid development and community contribution before among malware authors. The only somewhat similar situation he could recall was the development activity of the merged Zeus and SpyEye malware.