"Citadel," a deceptive and dangerous online-banking Trojan, is quickly spreading and stealing because its authors have created an open-source development platform that allows customers to purchase a kit to create new strains, and to collaborate with fellow hackers.
On his Krebs on Security blog, noted researcher Brian Krebs delved into the underworld of the Citadel hacking community, a world open to anyone who purchases a license for the Citadel Trojan open-source software. Along with the license, buyers are given a user manual and license agreement, as well as access to the Citadel Store, a type of blackboard on which hackers can share tips and collaborate towards building a better, more effective strain of the Trojan.
Those tips include new features to increase Citadel's potency, such as plugins that scope out specific files on a victim's computer and a "mini-antivirus" program designed to wipe out any other malware on a computer that "may prevent Citadel from operating cleanly or stealthily," Krebs wrote.
Because of their advanced capabilities and evasive nature, banking Trojans are historically difficult to detect. Making them open-source keeps the miscreants a step ahead of those trying to stop them. Krebs said there are currently nine different Citadel modules open to vote and comment by the Citadel hacking community. Its collaborative design, he said, is keeping Citadel strong.
Though it's relatively new on the malware scene, Citadel is a version of the notorious Zeus Trojan, which for years has been a powerful cybercriminal weapon; in September 2010, 48 people in the U.S. and Eastern Europe were charged with using Zeus to infect PCs and steal almost $9.5 million from British banks. This spring, Zeus' source code was leaked.
Aviv Raff from the Israeli-based threat management firm Seculert has been tracking Citadel's growth as well; he found that, since it was detected on Dec. 17, "The level of adoption and development of Citadel is rapidly growing, and since then Seculert has identified over 20 different Citadel botnets."
Raff found more community-submitted tips used to bolster Citadel, including new modules that include a blacklist of security vendors' websites, meaning machines infected with Citadel cannot access anti-virus software websites and therefore, victims cannot receive anti-virus updates that would potentially detect or even eliminate the threat.
Both Raff and Krebs agree that, with its open-source platform and the same collaborative, crowdsourcing model used by legitimate businesses, Citadel is likely to continue to grow, and, worse, to develop into more potent strains.