Abstract
Citadel is an advanced information-stealing malware that targets financial information. This malware poses a real threat to the confidentiality and integrity of personal and business data. Recently, a joint operation was conducted by the FBI and the Microsoft Digital Crimes Unit to take down Citadel command-and-control servers. The operation caused some disruption in the botnet but has not stopped it completely. Due to its complex structure and advanced anti-reverse-engineering techniques, the analysis of Citadel is challenging and time-consuming, which allows cyber criminals to carry on with their attacks while the analysis is still in progress. In this paper, we present the results of reverse engineering Citadel and provide additional insights into the functionality, inner workings, and open source components of the malware. In order to accelerate the reverse engineering process, we propose a clone-based analysis methodology. Citadel is an offspring of a previously analyzed malware called Zeus; using the latter as a reference, we can measure and quantify the similarities and differences of the new variant. The methodology combines two code analysis techniques, namely assembly-to-source code matching and binary clone detection, and it helps reduce the number of functions that must be analyzed manually. The analysis results show that the approach is promising for Citadel malware analysis, and the same approach is applicable to similar malware analysis scenarios.
Acknowledgments
The authors would like to thank ESET Canada for their collaboration and acknowledge the support of Mr. Pierre-Marc Bureau and the guidance provided by Mr. Marc-Etienne Leveille on de-obfuscation.
Copyright information
© 2014 Springer International Publishing Switzerland
Cite this paper
Rahimian, A., Ziarati, R., Preda, S., Debbabi, M. (2014). On the Reverse Engineering of the Citadel Botnet. In: Danger, J., Debbabi, M., Marion, JY., Garcia-Alfaro, J., Zincir Heywood, N. (eds) Foundations and Practice of Security. FPS 2013. Lecture Notes in Computer Science(), vol 8352. Springer, Cham. https://doi.org/10.1007/978-3-319-05302-8_25
DOI: https://doi.org/10.1007/978-3-319-05302-8_25
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-05301-1
Online ISBN: 978-3-319-05302-8