Zeus Trojan

Common Indicators Used to Find Evil

By Grant Warkins, Advisory Practice Consultant, RSA/NetWitness Incident Response

Based on the last few Incident Response engagements I’ve participated in, the most common question I’ve heard is “what are the common indicators you are using to find evil?” This is not a question that has a simple answer. In this blog post, I’ll examine a…

Citadel Outgrowing its Zeus Origins

By Limor S Kessem, Cybercrime and Online Fraud Communications Specialist, RSA

As of April 30th, 2012 the Citadel Trojan was at its fourth upgrade with Version 1.3.4.0 already in the hands of its customers. Citadel’s features, bug fixes and added modules (each priced separately), have long gone beyond what Zeus ever offered as Slavik’s zeal…

By Hook and by Crook – Citadel Trojan Isolates Bots from AV and Security

The Citadel Trojan was first introduced for sale to cybercriminals in the Russian-speaking underground in February 2012. The Trojan, which was initially based on the Zeus Trojan’s exposed source code, is already at its second upgrade release, version 1.3.3.0, which was shared with its customer-base on March 15th. One of the features included in the…

Now You Z-(eus) It, Now You Don’t: Zeus Bots Silently Upgraded to Citadel

The FraudAction Research Lab has recently analyzed a Zeus 2.1.0.1 variant downloading an additional Trojan into infected PCs by fetching a Citadel Trojan (think of the Borg on Star Trek). RSA is witness to many Zeus botmasters who upgraded and moved up to Ice IX neighborhoods, and now, to yet another summer home – Citadel…