[..] The recent feature was christened under the name “Dynamic Config,” a technology implemented in Citadel v1.3.5.1 “Rain Edition” enabling botmasters smoother, quicker interactions with the victim through browser injection technology. Today’s fraud happens in real time, so speed is of the essence. This nifty function allows Trojan operators to create web injections and use them on the fly, pushing them to selected bots without the hassle of pushing/downloading an entire new configuration file.

How does this happen? It’s actually quite simple. Citadel-infected machines are going to have an instruction to reach out to the C&C every 2 minutes and update themselves with a predefined file where injection “packs” will be ready to go. The whole system will be managed by a clever distribution mechanism dictating which injections go to which bot or group of bots. The format will be fully “Zeus-compatible,” of course. [..]

via Citadel V1.3.5.1: Enter the Fort’s Dungeons « Speaking of Security – The RSA Blog and Podcast.
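
The two-minute check-in for a predefined file described in the excerpt leaves a regular pattern in web proxy logs. As an added example (not from the RSA post), the following flags client/URL pairs requested at a near-fixed interval; the log format, hostnames and thresholds are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log (timestamp, client, URL); hosts and URLs are made up.
SAMPLE_LOG = """\
2012-10-01T09:00:00 10.0.0.5 http://update.example.test/pack.bin
2012-10-01T09:00:10 10.0.0.9 http://news.example.test/
2012-10-01T09:01:00 10.0.0.9 http://news.example.test/
2012-10-01T09:02:01 10.0.0.5 http://update.example.test/pack.bin
2012-10-01T09:04:00 10.0.0.5 http://update.example.test/pack.bin
2012-10-01T09:05:30 10.0.0.9 http://news.example.test/
2012-10-01T09:06:00 10.0.0.9 http://news.example.test/
2012-10-01T09:06:02 10.0.0.5 http://update.example.test/pack.bin
truncated-line
2012-10-01T09:08:00 10.0.0.5 http://update.example.test/pack.bin
2012-10-01T09:10:01 10.0.0.5 http://update.example.test/pack.bin
2012-10-01T09:20:00 10.0.0.9 http://news.example.test/
"""

def find_beacons(log_text, period=120.0, tolerance=10.0, max_jitter=5.0, min_hits=5):
    """Map (client, url) -> mean gap in seconds for series that repeat near
    `period` with low jitter. Thresholds are illustrative assumptions."""
    series = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed or truncated lines
        try:
            series[(parts[1], parts[2])].append(datetime.fromisoformat(parts[0]))
        except ValueError:
            continue  # unparseable timestamp
    beacons = {}
    for key, stamps in series.items():
        if len(stamps) < min_hits:
            continue  # too few requests to judge periodicity
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        # Fixed-interval polling: mean gap near the period, small spread.
        if abs(avg - period) <= tolerance and pstdev(gaps) <= max_jitter:
            beacons[key] = round(avg, 1)
    return beacons

if __name__ == "__main__":
    for (client, url), gap in find_beacons(SAMPLE_LOG).items():
        print(f"{client} polls {url} every ~{gap}s")
```

Legitimate software updaters and monitoring agents also poll on fixed timers, so matches are leads to triage against known-good destinations rather than verdicts.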