[..] The recent feature was christened under the name “Dynamic Config,” a technology implemented in Citadel v18.104.22.168 “Rain Edition” enabling botmasters smoother, quicker interactions with the victim through browser injection technology. Today’s fraud happens in real time, so speed is of the essence. This nifty function allows Trojan operators to create web injections and use them on the fly, pushing them to selected bots without the hassle of pushing/downloading an entire new configuration file.
How does this happen? It’s actually quite simple. Citadel-infected machines are going to have an instruction to reach out to the C&C every 2 minutes and update themselves with a predefined file where injection “packs” will be ready to go. The whole system will be managed by a clever distribution mechanism dictating which injections go to which bot or group of bots. The format will be fully “Zeus-compatible,” of course. [..]
via Citadel V22.214.171.124: Enter the Fort’s Dungeons « Speaking of Security – The RSA Blog and Podcast.
Although they did not disclose any specific details about how the so-called detection actually works, we could inspect it a bit further. It simply scans through the resources of the currently running processes and looks for specific patterns, for instance inside the “CompanyName” field, such as:
vmware
sandbox
virtualbox
geswall
bufferzone
safespace
Nevertheless, the tricky part comes here. When a virtualized environment is detected, unlike many other Trojans that stop working, Citadel will continue to operate, but behaves in a different manner. It will generate a unique machine-dependent domain name, obviously fake, and tries to connect to this server unsuccessfully, making one believe that the bot is dead and its command and control server is offline, while the real C&C domain is kept hidden.
via S21sec Security Blog: Citadel Updates: Anti-VM and Encryption change.
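The check S21sec describes amounts to reading each running process's version resource and matching the CompanyName value against a short indicator list. The following is an added example, written for this page and not S21sec's or Citadel's code, that does exactly that over a VS_VERSIONINFO-style blob. The blob is constructed inline so the example runs offline; on a live analysis host you would feed it the version resource of each process image instead (for instance via psutil and pefile), which is also a cheap way to see what your own sandbox exposes.

```python
"""Added example: scan version-info strings for the CompanyName indicators
quoted in the post. Not S21sec's or Citadel's code; the sample resource
blob below is constructed for the demonstration."""
import struct
from typing import List

# Indicator substrings listed in the post, matched case-insensitively.
SANDBOX_INDICATORS = ("vmware", "sandbox", "virtualbox", "geswall",
                      "bufferzone", "safespace")


def _utf16(s: str) -> bytes:
    # VS_VERSIONINFO String entries are NUL-terminated UTF-16LE.
    return s.encode("utf-16-le") + b"\x00\x00"


def extract_string_values(blob: bytes, key: str) -> List[str]:
    """Return every value that follows a `key` String entry in a version-info blob.

    Layout of a String entry: WORD wLength, WORD wValueLength, WORD wType,
    WCHAR szKey[] (NUL-terminated), zero padding to a DWORD boundary, then
    WCHAR Value[] (NUL-terminated). We locate szKey and read the next
    NUL-terminated UTF-16LE string after the padding.
    """
    needle = _utf16(key)
    values = []
    pos = 0
    while True:
        pos = blob.find(needle, pos)
        if pos < 0:
            break
        if pos % 2:            # UTF-16 strings start on even offsets; skip false hits
            pos += 1
            continue
        cur = pos + len(needle)
        while cur + 1 < len(blob) and blob[cur:cur + 2] == b"\x00\x00":
            cur += 2           # DWORD alignment padding
        end = cur
        while end + 1 < len(blob) and blob[end:end + 2] != b"\x00\x00":
            end += 2
        values.append(blob[cur:end].decode("utf-16-le", errors="replace"))
        pos = end
    return values


def match_sandbox_indicators(company_names) -> List[str]:
    """Indicators found in any of the given CompanyName values (sorted, unique)."""
    hits = set()
    for name in company_names:
        low = name.lower()
        hits.update(ind for ind in SANDBOX_INDICATORS if ind in low)
    return sorted(hits)


def detect_analysis_environment(version_blob: bytes) -> List[str]:
    """Combine the two steps: extract CompanyName values, then match them."""
    return match_sandbox_indicators(extract_string_values(version_blob, "CompanyName"))


def build_string_entry(key: str, value: str) -> bytes:
    """Constructed fixture: one String entry (header + key + padding + value)."""
    k, v = _utf16(key), _utf16(value)
    body = k
    if (6 + len(body)) % 4:
        body += b"\x00\x00"    # pad so the value starts on a DWORD boundary
    body += v
    return struct.pack("<HHH", 6 + len(body), len(v) // 2, 1) + body


# Constructed sample resources: one that looks like a VMware Tools process,
# one that looks like an ordinary application.
SAMPLE_VM_RESOURCE = (
    build_string_entry("FileDescription", "Hypervisor helper")
    + build_string_entry("CompanyName", "VMware, Inc.")
    + build_string_entry("ProductName", "VMware Tools")
)
SAMPLE_CLEAN_RESOURCE = (
    build_string_entry("CompanyName", "Example Software Ltd.")
    + build_string_entry("ProductName", "Notepad clone")
)

if __name__ == "__main__":
    print(detect_analysis_environment(SAMPLE_VM_RESOURCE))     # ['vmware']
    print(detect_analysis_environment(SAMPLE_CLEAN_RESOURCE))  # []
```

The substring match is deliberately loose, as the post describes it: any CompanyName containing "sandbox" trips it, which is why renaming the vendor strings in a sandbox's helper binaries (or hiding those processes from enumeration) is enough to sidestep this particular check.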
The announcement of a new version of Citadel has been recently spotted in a public forum.
The Citadel 126.96.36.199 version adds several interesting features, like an anti-emulator, and a new encryption algorithm based on RC4.
[+] Added anti-emulator, which allows you to protect your botnet from reversing and from getting into trackers. When started, the build detects that it is running in a virtual machine or a sandbox (CWSandbox, VMware, VirtualBox, Sandbox); it starts to behave differently and your botnet goes unnoticed. Details are not disclosed, as this announcement is public and the technology is very tricky.
[+] Since the previous encryption algorithm was cracked a few months later, because of this, some customers got into ZeusTracker. We have developed and implemented a new encryption algorithm based on modified RC4. The cryptography uses a special key known only to the client, which is required for decryption. Because each client has his own individual key, all the rest will no longer suffer from one client. If one got caught, the others will be protected from this. Now we are completely isolated from automatic analysis of builds. As a result, we obtain two-level authorization, protection from the bot trackers.
via Update to Citadel : v.188.8.131.52 | Malwares dont need Coffee.
The Research page has just been updated with all our recent activities and the results reached so far.
A special thanks to all the graduate students from UNIMI-DTI who have contributed to our project. Hope to see you again around us, guys!
I’d like to communicate that the Status Report of 2011 is now available here.
Tinba is a small data-stealing trojan-banker. It hooks into browsers, steals login data and sniffs network traffic. Like several sophisticated banker-trojans it also uses Man in The Browser (MiTB) tricks and webinjects in order to change the look and feel of certain webpages, with the purpose of circumventing Two-factor Authentication (2FA) or tricking the infected user into giving away additional sensitive data such as credit card data or TANs.
The code is approx. 20KB in size (including config and webinjects) and comes simple and clear, without any packing or advanced encryption. Antivirus detection of the analyzed samples is low.
As observed in several other trojan-bankers and advanced malware, Tinba utilizes the RC4 encryption algorithm when communicating with its Command & Control (C&C) servers. Tinba uses four hardcoded domains for its C&C communication. This is done to avoid one domain being nonresponsive and thus losing communication with its drones. If the first domain does not respond properly, Tinba simply moves on to the next domain down the chain. Updates are retrieved from the C&C server using an encrypted string to EHLO the C&C. If the C&C server survives certain checks, then the before-mentioned files are downloaded and executed on the infected host. C&C communication is illustrated below.
CSIS: Say hello to Tinba: World’s smallest trojan-banker.
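The two mechanics CSIS describes, an RC4-protected hello and a fixed chain of four fallback domains, are small enough to model end to end. The following is an added example written for this page, not CSIS's analysis code and not Tinba's own; the key, the `.example` domains, the hello string and the fake transport are all constructed so that the exchange runs offline. The point it makes for defenders is that a hardcoded chain is a static list you can extract and block or sinkhole wholesale, and that a sinkholed first domain just moves the bot to the next one.

```python
"""Added example: RC4 beacon with fallback down a hardcoded C&C domain chain.
Not CSIS's or Tinba's code; key, domains and transport are constructed."""
from typing import Callable, Optional, Tuple


def rc4_keystream(key: bytes):
    """Plain RC4 (KSA + PRGA) as a generator of keystream bytes."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        yield S[(S[i] + S[j]) & 0xFF]


def rc4(key: bytes, data: bytes) -> bytes:
    # RC4 is a stream cipher: the same call encrypts and decrypts.
    return bytes(b ^ k for b, k in zip(data, rc4_keystream(key)))


# Constructed stand-ins for the four hardcoded domains and the bot's key.
CNC_DOMAINS = ("cnc-one.example", "cnc-two.example",
               "cnc-three.example", "cnc-four.example")
BOT_KEY = b"constructed-demo-key"
HELLO = b"EHLO bot-id=0001"   # plaintext of the "encrypted string to EHLO the C&C"


def beacon(domains, key: bytes,
           send: Callable[[str, bytes], Optional[bytes]]) -> Optional[Tuple[str, bytes]]:
    """Walk the chain in order; the first domain that answers wins.

    `send(domain, ciphertext)` raises ConnectionError for an unreachable
    domain and returns the server's RC4-encrypted reply otherwise. Returns
    (domain, decrypted reply) or None if the whole chain is dead.
    """
    for domain in domains:
        try:
            reply = send(domain, rc4(key, HELLO))
        except ConnectionError:
            continue          # dead or sinkholed: move down the chain
        if reply is None:
            continue          # answered, but failed the bot's sanity checks
        return domain, rc4(key, reply)
    return None


def fake_transport(live_domain: Optional[str], key: bytes):
    """Constructed network: every domain except live_domain is unreachable;
    live_domain decrypts the hello and answers with an update location."""
    def send(domain: str, payload: bytes) -> Optional[bytes]:
        if domain != live_domain:
            raise ConnectionError(domain)
        if rc4(key, payload) != HELLO:
            return None       # wrong key or garbage: server ignores it
        return rc4(key, b"UPDATE http://" + domain.encode() + b"/update.bin")
    return send


if __name__ == "__main__":
    # First two domains are down; the bot lands on the third.
    print(beacon(CNC_DOMAINS, BOT_KEY, fake_transport("cnc-three.example", BOT_KEY)))
    # Whole chain sinkholed: the bot gets nothing.
    print(beacon(CNC_DOMAINS, BOT_KEY, fake_transport(None, BOT_KEY)))
```

Because RC4 gives no integrity, a server that "survives certain checks" can only mean the bot applies its own plausibility tests to the decrypted reply; the example models that with the `None` return path.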
When this particular variant is executed, it opens Internet Explorer with a specific page (lex.creativesandboxs.com/locker/lock.php) and prevents the user from doing anything else with the infected system. The webpage that was opened presumably showed some type of extortion message, but it’s currently unavailable because the site is offline.
via ZeuS Ransomware Feature: win_unlock – F-Secure Weblog : News from the Lab.
A new fraudulent scheme of Tatanga has been recently spotted by Trusteer:
The victim is then presented with a fake insurance account that claims to cover the total amount of funds in their bank account. This fake insurance account is actually a real bank account that belongs to a money mule. The victim is told that they will be protected against any losses from online fraud by this insurance coverage. In the final step, the victim is prompted to authorize a transaction that they believe is to activate the insurance coverage. In all likelihood, the victim does not expect any funds will be transferred out of their account.
To approve the transaction the victim enters a one-time SMS password that is sent to their mobile device. Unfortunately, the victim is actually approving a transfer of funds from their account to the fraudster’s money mule account.
via A New Twist: Fraudulent Fraud Insurance | Trusteer.
The FraudAction Research Lab has recently analyzed a Zeus 184.108.40.206 variant downloading an additional Trojan into infected PCs by fetching a Citadel Trojan (think of the Borg on Star Trek). RSA is witness to many Zeus botmasters who upgraded and moved up to Ice IX neighborhoods, and now, to yet another summer home: Citadel infrastructures.
Zeus 220.127.116.11 is a commercially available upgrade of the Zeus 18.104.22.168 banking Trojan, which was the last “true” variant released by the original coder, Slavik, and his developer team. This Trojan does not present any features much different from its predecessor.
RSA researchers have studied a Zeus 22.214.171.124 variant that runs on infected machines, seconds later calling for a download of an additional Trojan: a Citadel v126.96.36.199 variant. Although the Lab already saw Zeus botnets replaced by Ice IX botnets, this is one of the first instances analyzed of the Trojan calling for a Citadel replacement onto the infected PC.
via Now You Z-eus It, Now You Don’t: Zeus Bots Silently Upgraded to Citadel « Speaking of Security – The RSA Blog and Podcast.
Symantec has recently blogged about a new version of the P2P variant of the Zeus/SpyEye trojan.
Below are some of the most interesting new features:
P2P seems to be the new botnet architecture, replacing the central C&C that has been preferred until now. This change will drastically impact all the monitoring techniques/tools currently used to face Zeus and SpyEye. Takedown methodologies will also be affected by this new feature.
UDP instead of TCP
A proprietary UDP handshake (port-knocking) is used to establish the communication between the bot and its peers and, unlike in the previous version, to exchange data between them, e.g. configuration files.
Changes in the compression and encryption
The main encryption scheme has not changed from the Zeus 2.x versions (XOR+RC4); however, a new encryption layer has been added, which consists of a byte-per-byte XOR applied to each block of the configuration.
The pseudo code follows:
XorKey = ((BlockSize << 0x10) | BlockId) | (XorSeed << 8)
Lastly, the usual NRV2B compression has been replaced by zlib 1.2.5.
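The key formula above plus the switch to zlib is what a config parser for this variant has to undo per block, so here it is carried through as an added example written for this page (not Symantec's or the Zeus code): derive the key from the block header fields, strip the byte-per-byte XOR, then inflate. The formula is transcribed from the pseudo code; how the 32-bit key is spread over the bytes is not stated on this page, so the example assumes the key's little-endian bytes are cycled over the block, and the outer XOR+RC4 layer from Zeus 2.x is left out. The block contents and header values are constructed.

```python
"""Added example: per-block XOR layer (key from the post's pseudo code) over a
zlib-compressed config block. Not Symantec's or Zeus's code. Assumption: the
32-bit key is applied as its little-endian bytes cycled over the block."""
import zlib


def derive_xor_key(block_size: int, block_id: int, xor_seed: int) -> int:
    """Transcription of: XorKey = ((BlockSize << 0x10) | BlockId) | (XorSeed << 8).

    Note that BlockId and XorSeed << 8 overlap whenever BlockId exceeds 0xFF;
    the formula is applied literally, masked to 32 bits.
    """
    return (((block_size << 0x10) | block_id) | (xor_seed << 8)) & 0xFFFFFFFF


def xor_block(data: bytes, key: int) -> bytes:
    """Byte-per-byte XOR of one block with the derived key.

    Assumption (not from the post): the key's four little-endian bytes are
    cycled over the block. XOR is its own inverse, so this both applies and
    strips the layer.
    """
    kb = key.to_bytes(4, "little")
    return bytes(b ^ kb[i % 4] for i, b in enumerate(data))


def pack_block(block_id: int, xor_seed: int, plain: bytes) -> bytes:
    """Compress with zlib (NRV2B was replaced by zlib per the post), then XOR."""
    comp = zlib.compress(plain)
    return xor_block(comp, derive_xor_key(len(comp), block_id, xor_seed))


def unpack_block(block_id: int, xor_seed: int, enc: bytes) -> bytes:
    """Inverse of pack_block; the block size in the key is the stored size."""
    comp = xor_block(enc, derive_xor_key(len(enc), block_id, xor_seed))
    return zlib.decompress(comp)


# Constructed sample: a fake webinject-style config block.
SAMPLE_BLOCK_ID = 0x0A
SAMPLE_XOR_SEED = 0x33
SAMPLE_CONFIG = (b"set_url https://bank.example/login GP\n"
                 b"data_before\n<form\ndata_end\n"
                 b"data_inject\n<input name='tan'>\ndata_end\n") * 3

if __name__ == "__main__":
    enc = pack_block(SAMPLE_BLOCK_ID, SAMPLE_XOR_SEED, SAMPLE_CONFIG)
    print(hex(derive_xor_key(len(enc), SAMPLE_BLOCK_ID, SAMPLE_XOR_SEED)))
    print(unpack_block(SAMPLE_BLOCK_ID, SAMPLE_XOR_SEED, enc) == SAMPLE_CONFIG)
```

Two practical consequences follow from the formula itself: the key is fully determined by values that ship with the block (size, id, seed), so this layer adds obfuscation rather than secrecy, and the zlib header bytes (typically `78 9C` for default compression) give a known-plaintext check that a decoder can use to confirm it has the byte ordering right.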
Any node can now provide malwares
Due to the nature of a decentralized network, every node can now act as the main C&C, thanks to a minimal nGinx web server that every bot comes with.
Note that, unlike previous Zeus and SpyEye versions, some of the bots observed by Symantec were distributing malware binaries too.