[LINK] Trojan with a Trouble-Ticket System
Kim Holburn
kim at holburn.net
Tue Jan 24 16:47:13 AEDT 2012
Botnet trojans as commercial software with normal guarantees.
Note that last para:
> if the malware detects that the victim's machine is using a Russian or Ukrainian keyboard, it will shut itself down.
https://krebsonsecurity.com/2012/01/citadel-trojan-touts-trouble-ticket-system/
> In the following excerpt, taken from a full description of Citadel's innovations, the developers of this malware strain describe its defining feature as a social networking platform for malware users that is made available through a Web-based portal created by the malware itself.
>
> "We have created for you a special system — call it the social network for our customers. Citadel CRM Store allows you to take part in product development in the following ways:
>
> - Report bugs and other errors in software. All tickets are looked at by technical support; you will receive a timely response to your questions. No more trying to reach the author via ICQ or Jabber.
....
> The basic Citadel package — a bot builder and botnet administration panel — retails for $2,399 + a $125 monthly "rent," but some of its most innovative features are sold as a la carte add-ons. Among those is a $395 software module that allows botmasters to sign up for a service which automatically updates the bot malware to evade the last antivirus signatures. The updates are deployed via a separate Jabber instant message bot, and each update costs an extra $15.
>
> Citadel also boasts a feature that hints at its creator's location(s). According to the authors, if the malware detects that the victim's machine is using a Russian or Ukrainian keyboard, it will shut itself down. This feature is almost certainly a hedge to keep the developers out of trouble: Authorities in those regions are far less likely to pursue the Trojan's creators if there are no local victims.
--
Kim Holburn
IT Network & Security Consultant
T: +61 2 61402408 M: +61 404072753
mailto:kim at holburn.net aim://kimholburn
skype://kholburn - PGP Public Key on request