Now You Z-(eus) It, Now You Don’t: Zeus Bots Silently Upgraded to Citadel

Categories: Fraud Intelligence

The FraudAction Research Lab has recently analyzed a Zeus 2.1.0.1 variant that downloads an additional Trojan onto infected PCs by fetching a Citadel Trojan (think of the Borg on Star Trek). RSA has witnessed many Zeus botmasters upgrade and move up to Ice IX neighborhoods, and now to yet another summer home – Citadel infrastructures.

Zeus 2.1.0.1 is a commercially available upgrade[1] of the Zeus 2.0.8.9 banking Trojan (which was the last “true” variant released by the original coder, Slavik, and his developer team). This Trojan's feature set differs little from its predecessor's.

RSA researchers have studied a Zeus 2.1.0.1 variant that runs on infected machines, seconds later calling for a download of an additional Trojan: a Citadel v1.3.2.0 variant. Although the Lab already saw Zeus botnets replaced by Ice IX botnets, this is one of the first instances analyzed of the Trojan calling for a Citadel replacement onto the infected PC.

Could this be botnet hijacking? Not very likely, since the Citadel variant keeps all the same triggers and is requested by Zeus itself rather than by an external actor.

The Citadel variant downloaded onto the Zeus-infected bot does have different resources and a different drop point (almost ruling out botnet hijacking). It is very possible that this is a gradual move of the whole botnet to a ‘new home’.

The addition of a Citadel variant is a little peculiar on one hand because that creates two parallel infections on the same bot. On the other hand, it is quite logical if the botmaster intends to gradually move the botnet to the new domain and work with the Citadel Trojan instead.
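The behaviour described above (a running bot beaconing to one drop point, fetching an executable seconds later, and then a second beacon to a different drop point on the same host) is something a defender can look for in outbound proxy telemetry. The following detection sketch is an added example written for this post and is not RSA's code; the log format, host names and the 60-second window are constructed assumptions, not indicators from the analysis.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed proxy log lines (not real telemetry). Fields, space separated:
# timestamp client method dest_host uri http_status content_type
SAMPLE_LOG = """\
2012-05-01T10:00:00 ws-17 POST c2-one.example /in.php 200 text/html
2012-05-01T10:00:12 ws-17 GET dl.example /update/bot.exe 200 application/x-dosexec
2012-05-01T10:00:19 ws-17 POST c2-two.example /in.php 200 text/html
2012-05-01T10:00:40 ws-17 POST c2-one.example /in.php 200 text/html
2012-05-01T11:30:00 ws-22 GET cdn.example /setup.exe 200 application/x-dosexec
2012-05-01T11:45:00 ws-22 POST c2-one.example /in.php 200 text/html
"""

# Content types a proxy commonly reports for Windows executables (assumed set).
EXE_TYPES = {"application/x-dosexec", "application/x-msdownload"}


def parse_log(text):
    """Parse the constructed log format into a list of dict records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, dest, uri, status, ctype = line.split()
        records.append({
            "ts": datetime.fromisoformat(ts),
            "client": client, "method": method, "dest": dest,
            "uri": uri, "status": int(status), "ctype": ctype,
        })
    return records


def find_second_stage(records, window=timedelta(seconds=60)):
    """Flag a client that beacons (POST) to drop point D1, downloads an
    executable, and then beacons to a different drop point D2, all within
    `window`. Two parallel infections talking to two drop points within
    seconds is the pattern this post describes."""
    by_client = defaultdict(list)
    for r in records:
        by_client[r["client"]].append(r)

    alerts = []
    for client, recs in by_client.items():
        recs.sort(key=lambda r: r["ts"])
        for i, dl in enumerate(recs):
            if dl["method"] != "GET" or dl["ctype"] not in EXE_TYPES:
                continue
            # Most recent beacon before the download, inside the window.
            prior = [r for r in recs[:i]
                     if r["method"] == "POST" and dl["ts"] - r["ts"] <= window]
            if not prior:
                continue
            first_c2 = prior[-1]["dest"]
            # First beacon after the download that goes somewhere new.
            for r in recs[i + 1:]:
                if r["ts"] - dl["ts"] > window:
                    break
                if r["method"] == "POST" and r["dest"] != first_c2:
                    alerts.append({
                        "client": client,
                        "first_c2": first_c2,
                        "download": dl["dest"] + dl["uri"],
                        "second_c2": r["dest"],
                        "seconds_after_download": int((r["ts"] - dl["ts"]).total_seconds()),
                    })
                    break
    return alerts


if __name__ == "__main__":
    for alert in find_second_stage(parse_log(SAMPLE_LOG)):
        print(alert)
```

On the constructed input only ws-17 is flagged: ws-22 downloads an executable but has no beacon in the minute before it and its later beacon falls outside the window. In practice the window and the content-type set are the knobs to tune; the point is correlating per host across the download and both beacons rather than alerting on any one of them alone.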

Citadel was originally based on the Zeus source code and is probably the strongest development of the Trojan thus far. What can Citadel offer a Zeus botmaster that he does not get with Zeus? The developers offer solid technical support, the Citadel CRM, Trojan upgrades, and up-to-date plug-ins and injections, for starters. To finalize such a move, all the botmaster has to do once the process is complete is send a command to the Zeus Trojan and disable it altogether.

Goodbye Zeus?

Is Zeus’ time in the cybercrime arena up? That is very possible. Today’s Zeus-based codes can no longer be named “Zeus.” The last real Zeus was, as mentioned earlier, Zeus 2.0.8.9. Even the v2.1.0.1 development was upgraded by someone outside the original team.

Citadel, Ice IX, Odin, and any other code based on the old king’s exposed source code will each have their own name. It’s only a matter of time before botmasters move away from Zeus to Trojans for which the development of upgrades and new features continues to thrive. We will likely see less of Zeus on the monthly charts – although its offspring will live on.

[1] Not to be confused with Zeus 2.1.0.10 – a private development discovered by RSA and reported in September 2011.

Author: RSA FraudAction Research Labs

The RSA FraudAction Research Lab is made up of some of RSA's most experienced internet security researchers, engineers and intelligence professionals with expertise in vulnerability research, reverse engineering and in-depth malware analysis. In this blog we report real-time developments in electronic crime, those who perpetrate it and the tools and methods they use. Research Lab blog posts bring you this diverse team's unprecedented insight, findings and opinions on topics including Underground Economy and fraud trends, fresh news from the world of cybercrime, information about Trojans, Phishing techniques, Botnets and how fraud from the online realm touches day-to-day life in the real world.