Covering the global threat landscape

PROSECTING THE CITADEL BOTNET – REVEALING THE DOMINANCE OF THE ZEUS DESCENDENT

Recent years have seen a significant rise in cybercriminal activities, and in particular the theft of online banking credentials. The majority of cybercriminals use automated exploitation frameworks to infect computers and exfiltrate data. The most widely used weapons in this type of cybercrime are botnets. Botnets have been in existence for many years, but their design frameworks have changed over time. We are now seeing a third generation of botnets that are targeting the users of online financial services. This era of targeted attacks started with the rival Zeus and SpyEye botnets and is evolving. In this paper, we look at the design and working details of the Citadel botnet. Citadel, which is believed to have European origins, is a sophisticated descendent of the Zeus botnet. Our analysis provides insight into the design components of Citadel, including its system infection and data exfiltration tactics.
