By Hook and by Crook – Citadel Trojan Isolates Bots from AV and Security

The Citadel Trojan was first introduced for sale to cybercriminals in the Russian-speaking underground in February 2012. The Trojan, which was initially based on the Zeus Trojan’s exposed source code, is already at its second upgrade release, version, which was shared with its customer-base on March 15th.

One of the features included in the initial report and communicated by Citadel’s developers in late February related to a Trojan feature the developers have apparently implemented: DNS Redirection. Per the feature list, the developer claims that unlike other Trojans, Citadel does not modify the “Hosts” file on the infected PC (all too often used for local Pharming), but rather allows the botmaster to block or redirect any URL they wish to prevent the bot from reaching.

To add value for their customers, the developers went the extra mile to add a list of AV software providers and security scans to the DNS redirection lists embedded into the configuration. On a change-log posting from the team, the developer specified that at least 104 different security-vendor URLs were added to this feature.

Fix/ Change applied by Citadel Team


DNS redirection

Any URL can now be blocked/redirected, undetectable by heuristics. For example, block AV servers or redirect bank pages to a different host.

Bonus: The list of popular AV server URLs to block was included.

 Note: The redirection does not happen through the victim’s “Hosts” file.

Citadel Process Hooks Tamper with DNS Response, Isolate Bots from AV and Security Scans

RSA researchers were able to confirm that the DNS-redirection method embedded into the Citadel configuration file was not a feature available in the original Zeus Trojan—it is new programming, courtesy of the Citadel team.

Note that unlike local Pharming Trojans, in the case of Citadel this feature is not designed for redirection to malicious sites or phishing, but rather in order to isolate the victim from all AV and security providers. Preventing the user from browsing to AV scans or getting the software will also limit sampling of each variant.

The redirection action works by installing hooks on two specific Windows APIs: gethostbyname and getaddrinfo.

Whenever an infected process calls one of these functions in order to resolve a host name, the call will be passed through Citadel routines, where the redirection information and action list will dictate the next step.

The Trojan will call the original function, and make a choice based on these three options:

  • If the call for the URL requested fails (address doesn’t exist, no network connection etc.) –> return an error.
  • If the call for the URL requested succeeds –> search own config for a matching address and IP mask, and if found, return the configured fake address to the victim.
  • If the call for the URL requested succeeds and no matching IP mask is found in the Citadel config –> return the original address to the victim.

The ‘reply’ resulting would appear like a genuine DNS response per the victim’s query. Note that this channeling will only interfere with users’ requests when they attempt to contact a “Forbidden” URL, but will return the correct result in all other cases.

The Citadel Trojan’s configuration contained more than 650 different URLs of a large variety of AV-providers and security scanning services based out of different countries (USA, DE, RU and more). Each ‘forbidden’ URL was followed by a “=” mark and the IP mask address to which the botmaster wants the victim rerouted.

Citadel Resource Camouflage Dresses a Wolf in Sheep’s Clothing

Another interesting feature analyzed by RSA researchers appeared in a Citadel variant, raising questions as to redirection scheme to Citadel resources. At first sight, the analysis result seemed somewhat peculiar, showing that Citadel was using legitimate URLs as its C&C’s drop point as well as the configuration update point (Google, CNET).

In the case analyzed, such legitimate URLs included the Google toolbar and the download site at The infected PC’s “hosts” file remained untouched, as did the proxy settings within the victim’s browser. So what was being changed?

A “Checkfile” run exposed an equation from the Citadel configuration file, revealing the true destination of each—Citadel uses legitimate URLs which are being redirected to its resources.

The analysis of this feature showed that the Trojan’s query resolved (in memory), ending at an entirely different IP address; the DNS query confirmed the findings which were quite evidently typical Trojan resources.

hxxp://|ip=184.82… (censored by RSA)hxxp://|ip=64.120… (censored by RSA)

This camouflage method ‘dresses’ the malware resource with the name of innocuous popular services that will allow the Trojan to access its update point without being stopped by blacklists or tracking.

As reported recently by RSA, Citadel is just one of the many offspring of the infamous Zeus that is making great strides in the black market through rapid development.  This strain of financial malware is definitely on the “one to watch” list.

Leave a Reply

Your email address will not be published. Required fields are marked *