
On the Reverse Engineering of the Citadel Botnet

  • Conference paper
  • Foundations and Practice of Security (FPS 2013)
  • Part of the book series: Lecture Notes in Computer Science (LNSC, volume 8352)

Abstract

Citadel is an advanced information-stealing malware that targets financial information. This malware poses a real threat to the confidentiality and integrity of personal and business data. Recently, a joint operation was conducted by the FBI and the Microsoft Digital Crimes Unit in order to take down Citadel command-and-control servers. The operation caused some disruption in the botnet but has not stopped it completely. Due to its complex structure and advanced anti-reverse-engineering techniques, the analysis of the Citadel malware is challenging and time-consuming. This allows cyber criminals to carry on with their attacks while the analysis is still in progress. In this paper, we present the results of reverse engineering Citadel and provide additional insights into the functionality, inner workings, and open source components of the malware. In order to accelerate the reverse engineering process, we propose a clone-based analysis methodology. Citadel is an offspring of a previously analyzed malware called Zeus. Thus, using the former as a reference, we can measure and quantify the similarities and differences of the new variant. Two types of code analysis techniques are provided in the methodology, namely assembly-to-source-code matching and binary clone detection. The methodology can help reduce the number of functions that must be analyzed manually. The analysis results show that the approach is promising for Citadel malware analysis. Furthermore, the same approach is applicable to similar malware analysis scenarios.
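The clone-based triage idea in the abstract, as an added illustration that is not the paper's own tool or method: functions of a new sample are compared against a reference family by normalized instruction n-grams, and only functions with no close reference clone are queued for manual analysis. All disassembly below is constructed toy data, not taken from any Zeus or Citadel binary, and the threshold is an assumed value.

```python
import re

# Constructed toy disassembly (assumption: NOT from the paper or any real sample).
REFERENCE = {  # plays the role of the already-analyzed Zeus reference functions
    "ref_decrypt": ["mov eax, [ebp+8]", "xor eax, 0x5A", "mov [ebp-4], eax",
                    "inc ecx", "cmp ecx, edx", "jl 0x401000", "ret"],
    "ref_send": ["push esi", "mov esi, ecx", "call 0x402000", "test eax, eax",
                 "jz 0x402100", "pop esi", "ret"],
}
VARIANT = {  # functions of the new sample that we want to triage
    "fn_a": ["mov eax, [ebp+8]", "xor eax, 0x3C", "mov [ebp-4], eax",
             "inc ecx", "cmp ecx, edx", "jl 0x403000", "ret"],
    "fn_b": ["push esi", "mov esi, ecx", "call 0x404000", "test eax, eax",
             "jz 0x404100", "pop esi", "ret"],
    "fn_c": ["push ebp", "mov ebp, esp", "sub esp, 0x40", "lea eax, [ebp-0x40]",
             "push eax", "call 0x405000", "leave", "ret"],
}

MEM = re.compile(r"\[[^\]]*\]")
IMM = re.compile(r"\b0x[0-9a-fA-F]+\b|\b\d+\b")
REG = re.compile(r"\b(e?[abcd]x|e?[sd]i|e?[sb]p|[abcd][lh])\b")

def normalize(insn):
    """Abstract operands so relocated addresses and changed constants (e.g. a
    new XOR key) do not hide an otherwise identical function body."""
    insn = MEM.sub("MEM", insn)
    insn = IMM.sub("IMM", insn)
    return REG.sub("REG", insn)

def ngrams(insns, n=2):
    norm = [normalize(i) for i in insns]
    return {tuple(norm[i:i + n]) for i in range(len(norm) - n + 1)}

def jaccard(a, b):
    return len(a & b) / len(a | b) if (a | b) else 0.0

def triage(reference, variant, clone_threshold=0.8):
    """Map each variant function to (best reference match, score, label).
    The threshold is an assumed value; 'novel' functions need manual RE."""
    ref_grams = {name: ngrams(code) for name, code in reference.items()}
    result = {}
    for name, code in variant.items():
        grams = ngrams(code)
        best, score = max(((r, jaccard(grams, rg)) for r, rg in ref_grams.items()),
                          key=lambda t: t[1])
        label = "clone" if score >= clone_threshold else "novel"
        result[name] = (best, round(score, 2), label)
    return result

def needs_manual_review(result):
    """Names of functions that no reference function explains."""
    return sorted(n for n, (_, _, label) in result.items() if label == "novel")
```

On the toy data, fn_a and fn_b are flagged as clones of the reference (the changed XOR key and call targets are abstracted away), so only fn_c is left for a human analyst.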



Acknowledgments

The authors would like to thank ESET Canada for their collaboration and acknowledge the support of Mr. Pierre-Marc Bureau and the guidance provided by Mr. Marc-Etienne Leveille on de-obfuscation.

Author information

Corresponding author

Correspondence to Ashkan Rahimian .

Appendix

1.1 Example of Source Code Clones

See Fig. 10.

Fig. 10. The output of RE-Source pointing to video capture source code


Copyright information

© 2014 Springer International Publishing Switzerland

About this paper

Cite this paper

Rahimian, A., Ziarati, R., Preda, S., Debbabi, M. (2014). On the Reverse Engineering of the Citadel Botnet. In: Danger, J., Debbabi, M., Marion, JY., Garcia-Alfaro, J., Zincir Heywood, N. (eds) Foundations and Practice of Security. FPS 2013. Lecture Notes in Computer Science, vol 8352. Springer, Cham. https://doi.org/10.1007/978-3-319-05302-8_25

Download citation

  • DOI: https://doi.org/10.1007/978-3-319-05302-8_25

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-05301-1

  • Online ISBN: 978-3-319-05302-8

  • eBook Packages: Computer Science, Computer Science (R0)
