The FraudAction Research Lab has recently analyzed a Zeus 188.8.131.52 variant downloading an additional Trojan into infected PCs by fetching a Citadel Trojan (think of the Borg on Star Trek). RSA is witness to many Zeus botmasters who upgraded and moved up to Ice IX neighborhoods, and now, to yet another summer home – Citadel infrastructures.
Zeus 184.108.40.206 is a commercially available upgrade of the Zeus 220.127.116.11 banking Trojan (which was the last “true” variant released by the original coder, Slavik and his developers team). This Trojan does not present any features much different than its predecessor.
RSA researchers have studied a Zeus 18.104.22.168 variant that runs on infected machines, seconds later calling for a download of an additional Trojan: a Citadel v22.214.171.124 variant. Although the Lab already saw Zeus botnets replaced by Ice IX botnets, this is one of the first instances analyzed of the Trojan calling for a Citadel replacement onto the infected PC.
Could this be botnet-hijacking? Not very likely, since the Citadel keeps all the same triggers and is called for internally by the Zeus itself and not via an external actor.
The Citadel variant downloaded into the Zeus-infected bot does have different resources and a different drop point (almost ruling-out botnet hijacking). It is very possible that this is a gradual move of the whole botnet to a ‘new home’.
The addition of a Citadel variant is a little peculiar on one hand because that creates two parallel infections on the same bot. On the other hand, it is quite logical if the botmaster intends to gradually move the botnet to the new domain and work with the Citadel Trojan instead.
Citadel was originally based on the Zeus source code and is probably the strongest development of the Trojan thus far. What can Citadel offer a Zeus botmaster that he does not get with Zeus? The developers offer solid technical support, the Citadel CRM, Trojan upgrades, and up-to-date plug-ins and injections, for starters. To finalize such a move, all the botmaster will have to do once the process is complete, is send a command to the Zeus Trojan and disable it altogether.
Is Zeus’ time in the cybercrime arena up? That is very possible. Today’s Zeus-based codes can no longer be named “Zeus.” The last real Zeus was, as mentioned earlier, Zeus 126.96.36.199. Even the v188.8.131.52 development was upgraded by someone outside the original team.
Citadel, Ice IX, Odin, and any other code based on the old king’s exposed source code will each have their own name. It’s only a matter of time before botmasters will move away from Zeus to Trojans for which the development of upgrades and new features continue to thrive. We will likely see less of Zeus on the monthly charts – although its offspring will live on.