When the NSA cannot protect itself from leakers, what hope has the criminal underground? There is no honor among thieves.
Over the last few days, another financial malware trojan had its source code leaked. Unlike the slim 38MB Zeus 220.127.116.11, the behemoth Carberp leak weighs in at 5.53GB when decompressed.
When studied, the Carberp zip file contains much more than its source code. There’s a copy of the already leaked Zeus 18.104.22.168 and, even more interesting, there’s a copy of Citadel.
What is Citadel?
When the Zeus 22.214.171.124 source code leaked in 2011, we expected it would be studied, dissected, tweaked, and improved upon. It was. The financial community was rapidly hit with ICE IX. With the help of the arch wizards at Abuse.ch, ICE IX was defeated rapidly. Then random versions attacked financial servers, but most were defeated easily. Two notable exceptions occurred, the first, which some call Zeus v3 (or “gameover”) evolved a new way of hiding command and control servers from security groups. It was good, but there was little in the way of new functionality.
Then came Citadel. Citadel added new functionality; it even implemented features and functionality by request (once 50 percent of the fee was paid in advance). It had proper support and trouble ticketing, and it even had “get support from a botmaster” programs to get you up and running. Citadel could watch victims’ mouseclicks and give feedback as to whether they were falling for a botmaster’s social engineering attacks. It blocked researchers’ IP addresses, and it guaranteed non-detection from leading antivirus packages. Out of self-preservation, Citadel deactivated if it was installed on a device with the Russian language installed. Who, after all, wants a 3 a.m. visit from the FSB (Russia’s FBI)? Citadel was a game changer, and it all evolved from a malware leak, just like we have here.
What’s in the Zip?
The Carberp source code is there, and it’s not the prettiest nor is it the most organized. Over the next few weeks, in badly lit rooms, it will be tweaked, optimized, and likely merged with other kits. The updated webinjects especially will be studied, as they are key to fooling bank users into parting with their credentials for both online bank fraud and cross-channel fraud (that special feeling when you receive a genuine email from your bank stating your home loan has been approved, though you didn’t apply for one). As I’ve written in the past, the Zeus source code leak was a turning point for financial malware. There are many ways to attack browsers, and not all are as resistant as they should be. A long hot summer has indeed begun.
The rest of the zip is a treasure trove. Citadel is there together with the source code for both Zeus 126.96.36.199 and Sinowal/Torpig, the infamous Mystic Compressor, Anti-Trusteer tools (vendor is aware and reacted appropriately), and tens of advanced malware writer tools. This is not for script kiddies, but for those with bad intentions and good skills, it may launch some new careers.
If you want to learn how to use these tools to protect your own networks and understand your newly-equipped enemy, NSS is teaching a course on Advanced Botnets at BlackHat in September 2013. Zeus and Citadel are on the menu. Hope to see you there.