As of April 30th, 2012 the Citadel Trojan was at its fourth upgrade with Version 126.96.36.199 already in the hands of its customers. Citadel’s features, bug fixes and added modules (each priced separately), have long gone beyond what Zeus ever offered as Slavik’s zeal for developing the malware died down when law enforcement got too close for the Trojan creator’s comfort.
One of the features included in the initial report and communicated by Citadel’s developers in late February related to a Trojan feature the developers have apparently implemented: DNS Redirection. Per the feature list, the developer claims that unlike other Trojans, Citadel does not modify the “Hosts” file on the infected PC (all too often used for local Pharming), but rather allows the botmaster to block or redirect any URL they wish to prevent the bot from reaching.
The FraudAction Research Lab has recently analyzed a Zeus 188.8.131.52 variant downloading an additional Trojan into infected PCs by fetching a Citadel Trojan. RSA is witness to many Zeus botmasters who upgraded and moved up to Ice IX neighborhoods, and now, to yet another summer home – Citadel infrastructures.
The RSA Research Lab investigates and monitors a large number of malicious cybercrime servers operating in the wild. The tool of choice this time – Zeus v184.108.40.206, the most advanced variant of Zeus to date. The end result: endless logs of compromised financial data and untold numbers of wire-fraud transactions.
Since the Zeus source code was leaked, one of the predictions security researchers were convinced of was that independent code writers, wishing to enter cybercrime coder’s world, would be glad to do it by using a ready-made baseline. One such code to have surfaced in underground and hacking forums soon after the code leak was Trojan Ice IX. But is it all what it is cracked up to be?
Since the most coveted source code of the Zeus Trojan was leaked, one of the predictions security researchers were convinced of was that the exposed code would attract the attention of independent code writers. That day was not late to come as a new commercial Trojan, Ice IX, has arrived.
The RSA FraudAction Research Lab recently discovered a novel Trojan feature annexed to SpyEye Trojan variants (v1.03.45) and to Zeus Trojan variants (v220.127.116.11), made to maliciously target the Bitcoin e-currency system. The Trojans are now being used by their operators in a practice designed to leverage the extended botnet in order to mine Bitcoins. This blog elaborates on what Bitcoins are, on the technical aspect of this new Trojan module as well on some of the possible implications this may have for fraudsters, anti-fraud researchers and others in the near future.
Fraud News Flash – The Downfall of the Mighty – Zeus Trojan’s Source Code Leaked and Now Available Everywhere
Word of yet another historical moment in cybercrime is quickly spreading through the fraud underground and through the legitimate web – the Zeus Trojan’s source code has been made public and is now freely available to anyone wanting a piece of the infamous old “King of Trojans.”
The RSA FraudAction Research Lab recently discovered evidence of cybercriminal attempts to sabotage the Swiss white hat site, abuse.ch through new plug-ins to the latest SpyEye Trojan variants found in the wild. This move is significant in that it shows how fraudsters are eager to damage the non-profit website’s availability and credibility – a sign of the apparent effectiveness of SpyEye Tracker and that it represents more than just a thorn in the side of many Zeus- and SpyEye-toting botmasters.