Hackers News:Citadel’s Defenses Breached Trojan

On June 5, Microsoft announced that they had worked together with members of the financial services industry and the FBI to disrupt the operations of a banking Trojan horse program called Citadel. The takedown operation resulted in over 1,000 Citadel botnets being taken offline.

Citadel is a banking Trojan that has been in existence since 2011. As with most banking Trojans, Citadel is a full crimeware kit, providing the attackers with payload builders, a command and control (C&C) server infrastructure, and configuration scripts to target various banks. Citadel is a descendant of that other behemoth of the financial Trojan world, Trojan.Zbot (Zeus). It came into existence after the Zeus source code was leaked in 2011, with criminal groups taking that code and enhancing it.

Figure 1. The Citadel Trojan interface

Citadel is aimed at a more "exclusive" attacker market than its more widespread predecessor, Zeus. The Citadel kit is sold through underground Russian forums and typically costs around $3,000, compared to $100 for the SpyEye and leaked Zeus kits. Citadel users will also have to fork out a further $30-$100 to purchase Web inject code for the banks that they wish to target. Additionally, even if attackers have that money to spend, there is a strict vetting process with referrals required for new purchasers.

Citadel infections have spread around the globe, but in the past six months the majority of infections have been in Australia, Italy and the US.

Figure 2. Citadel infections from January to June 2013

Symantec welcomes news of the takedown of these Citadel botnets. While these takedowns may not eliminate the threat of Citadel completely, it certainly disrupts current campaigns and sends out a clear message to attackers that their actions are being monitored. Symantec also welcomes the cooperation between the public and private sector in taking action against this threat.

For more information about the world of financial Trojans, read our whitepaper. Symantec's current antivirus and intrusion prevention signatures provide protection against Citadel infections.

 

Security

Microsoft and FBI Tackle Citadel Banking Trojan

Microsoft is better known as a software provider than as an international crime-fighter, but its recent operations against Russian cybercriminals may change some minds.
In a joint operation with the FBI, Microsoft yesterday (June 5) took down more than 1,000 botnets controlled by the Citadel banking Trojan.
Citadel is a particularly nasty banking Trojan that has targeted customers of major financial institutions, including Citigroup, JPMorgan Chase and Bank of America, among others.
Over the last year and a half, Citadel has cost the banks, which must reimburse losses from consumer accounts, more than $500 million, according to Reuters. (Commercial bank accounts are not always reimbursed, and many small businesses have lost millions.)

Banking Trojans operate by infecting Web browsers, often via a "drive-by download" from a corrupted website, although Microsoft said pirated copies of Windows were also used in this case.
A banking Trojan will lie dormant until the infected browser accesses an online bank account, at which point the Trojan captures the login information and passes it to a human controller, typically in Eastern Europe.
After being infected by Citadel malware, computers also often get drafted into a botnet.
Botnets allow criminals to leverage remote computers for spam attacks and malware distribution; they also provide criminals with the means to steal financial information and fill their own coffers.
To spearhead its counterattack, Microsoft filed a civil lawsuit in North Carolina yesterday against an online criminal known only as "Aquabox," as well as 81 other unnamed conspirators.
The lawsuit, in all likelihood, will not accomplish much, since Aquabox is unlikely to show up in his own defense.
Furthermore, Aquabox is probably located in Russia or Ukraine. To this end, Microsoft filed the suit in both English and Russian.
A bank hacker could operate from anywhere in the world, but Citadel's targets are telling. The malware has stolen from companies all across North America, Europe, Asia and Australia, but has bypassed Russian and Ukrainian institutions. It's assumed by Western experts that Russian police will mostly ignore domestic cybercriminals who attack only foreign targets.
Microsoft and the FBI collaborated in a venture called "Operation b54," which successfully took down 1,000 of Citadel's 1,400 botnets by seizing command-and-control servers worldwide,
About 455 of the seized servers were in the U.S. Russian cybercriminals often use assumed names to rent server space from American hosting companies.
While the Citadel operation will recover, Richard Boscovich of the Microsoft Digital Crimes Unit points out that Operation b54 has bought infected users time to repair their systems.
"Citadel blocked victims' access to many legitimate anti-virus/anti-malware sites, making it so people may not have been able to easily remove this threat from their computer," Boscovich wrote in an official Microsoft blog posting.
Now that users can remove the harmful software from their machines, Citadel's convalescence may prove slow and anemic. [See also: America's Top 10 Least Secure Cities]
Since cybercrime happens across international borders, Boscovich also hopes that Operation b54 will set the tenor for future counterattacks.
"Operation b54 serves as a real world example of how public-private cooperation can work effectively within the judicial system, and how 20th century legal precedent and common law principles dating back hundreds of years can be effectively applied toward 21st century cybersecurity issues," Boscovich wrote.
This is not the first time Microsoft has tackled cybercriminal botnets.
In March 2012, Microsoft brought down 800 botnets created by the Zeus banking Trojan but under the control of different criminal groups.
Whereas Zeus is used by many different criminal groups, Citadel is used by only one. Because of that, Microsoft and the FBI may be able to figure out Aquabox's identity and put a stop to Citadel once and for all.
Cybercrime is generally profitable because it's easy to do and hard to get caught, but if Operation b54 is any indication, that could change soon.

How To Remove Citadel Malware Reveton Ransomware

(Fake IC3, FBI Malware)

Citadel Malware Reveton Ransomware?

Citadel Malware is a group which produces and supplies malware as well as a name for malware distributed by cyber criminals for public use. Reveton is ransomware malware created by Citadel Malware that is designed for the sole purpose of extorting money from unsuspecting online victims using credit schemes.

Similar ransomware includes the FBI Moneypak Virus (FBI Virus) and the Police Central e-crime Unit Virus.

Reveton ransomware is also known as Trojan:W32/Reveton.

 

What makes Citadel Reveton malware and “ransomware” unique is that it locks computer systems and lures victims to a drive by download site appearing like the FBI or Internet Complaint Center (IC3.gov) with a message that alleges the victims IP address was identified by the Computer Crime & Intellectual Property Section (FBI) as visiting child pornography and other illegal content. To unlock their computer, victims are instructed to pay a $100 fine (or more) to the US Department of Justice, using prepaid money card services (Green Dot Moneypak) which are compiled based upon the victims IP geo location. (Meaning the malware will look up which payment platform properly suites the computer, as well as fraudulent authority organizaion) This is where the term “ransomware” derives from, as ransomware is malware which prevents users from accessing their computer unless a penalty fine is paid.

That is not the only issue with Reveton Ransomware. Reveon Ransomware also downloads to computer systems and hides, waiting for credit systems to be initiated to steal private credit information and numbers. Reveon Ransomware is used in a lot of credit card schemes to extort money.

Reveton ransomware symptoms

1. Desktop and operating system locks up
2. Fraudulent authority message appears with a fraudulent claim
3. Internet redirects to a fake FBI or Internet Complaint Center (IC3) page and demands a payment to unlock your computer sytem (online complaint bureau depends on user IP location)

How to remove Citadel Malware Reveton Ransomware

There are many ways to remove Citadel ransomware depending on the progression of the parasite. If you can access the internet while infected it is suggested to proceed to option 1 and install the free version of Malwarebytes to scan and remove the ransomware virus from your computer. If you know your way around Window’s OS, it is suggested to chose the manual removal option (option 2). For other issues a solution to remove Reveton is to restore your computer to a date and time before infection (option 3).
For additional removal steps and symptoms please check out the FBI Moneypak removal steps.

1. Malware Removal Sofware

Malwarebytes offers a free and paid version. The free version has been publicly documented to remove Citadel’s malware and the paid version will ensure that ransomware infections will never happen to your system again.

Remove Malware

2. Manual Removal Instructions

The hardest of the manual removal process part is finding the appropriate dll file to remove. Citadel’s malware is mass distributed (we all could go acquire it right now online for free if we wanted) and because of this the exact dll. file for Reveton ransomware can be hard to locate.

Windows command

Access Windows start menu

Type: cmd (or c:\windows\system32\cmd.exe) and press enter to run program

In the command prompt displayed, type in one of the following commands below and press Enter, depending on your operating system:
Windows XP: cd %USERPROFILE%\Start Menu\Programs\Startup
Windows 7:  cd %USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup

From the same command prompt type: del *.dll.lnk and press Enter

Reboot or restart your machine to complete, then move to the step below.

Remove the .dll file

Upon execution, Reveton malware will create the following which must be removed:
Search and remove the .dll file. If you can not find the correct file (which can be tricky) malware removal is strongly suggested.
<reveton_filename> can be a sequence of random letters and numbers.

• On Windows XP
  %USERPROFILE%\Start Menu\Programs\Startup\<reveton_filename>.dll.lnk
• On Windows 7
  %USERPROFILE%\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\<reveton_filename>dll.lnk

Other manual removal options

These following removal steps are taken from the FBI Moneypak virus removal instructions essentially the same virus, just different progressions for geographic locations).
1. Open Windows Start Menu and type %appdata% into the search field, press Enter.

2. Navigate to: Microsoft\Windows\Start Menu\Programs\Startup

3. Remove ctfmon (ctfmon.lnk if in dos) – this is what’s calling the virus on startup
4. Open Windows Start Menu and type %userprofile% into the search field and press enter.

5. Navigate to: Appdata\Local\Temp
6. Remove rool0_pk.exe
7.Remove [random].mof file
8. Remove V.class
The virus can have names other than “rool0_pk.exe” but it should appear similar, there may also be 2 files, 1 being a .mof. Removing the .exe file will fix FBI Moneypak. The class file uses a java vulnerability to install the virus, removal of V.class is done for safe measure.

All FBI Moneypak files:

The files listed above are what causes FBI Moneypak to function. To ensure FBI Moneypak is completely removed via manually, please delete all given files. Keep in mind, [random] can be any sequence of numbers or letters.

%Documents and Settings%\[UserName]\Desktop\[random].lnk
%Program Files%\FBI Moneypak Virus
%AppData%\Protector-[rnd].exe
%AppData%\Inspector-[rnd].exe
%Windows%\system32\[random].exe
%appdata%\[random].exe
%Documents and Settings%\[UserName]\Application Data\[random].exe
%UserProfile%\Desktop\FBI Moneypak Virus.lnk
%Documents and Settings%\All Users\Application Data\FBI Moneypak Virus
%AppData%\result.db
%CommonStartMenu%\Programs\FBI Moneypak Virus.lnk

Kill ROGUE_NAME processes:
Access Windows Task Manager (Ctrl+Alt+Delete) and kill the rogue process. Please note the infection will have a random name for the process [random] which may contain a sequence of numbers and letters (ie: USYHEY347H372.exe).

[random].exe

Remove Registry Values

To access Window’s Registry Editor type regedit into the Windows Start Menu text field and press Enter.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\[random].exe
HKEY_LOCAL_MACHINE\SOFTWARE\FBI Moneypak Virus
HKEY_CURRENT_USER \Software\Microsoft\Windows\CurrentVersion\Policies\System ‘DisableRegistryTools’ = 0
HKEY_LOCAL_MACHINE \SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system ‘EnableLUA’ = 0
HKEY_CURRENT_USER \Software\Microsoft\Windows\CurrentVersion\Internet Settings ‘WarnOnHTTPSToHTTPRedirect’ = 0
HKEY_CURRENT_USER \Software\Microsoft\Windows\CurrentVersion\Policies\System ‘DisableRegedit’= 0
HKEY_CURRENT_USER\Software\FBI Moneypak Virus
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run ‘Inspector’
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\FBI Moneypak Virus
HKEY_CURRENT_USER \Software\Microsoft\Windows\CurrentVersion\Policies\System ‘DisableTaskMgr’ = 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\protector.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Inspector %AppData%\Protector-[rnd].exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnHTTPSToHTTPRedirect 0 HKEY_CURRENT_USER\

Software\Microsoft\Windows\CurrentVersion\Settings\ID 4
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Settings\net [date of installation]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ConsentPromptBehaviorAdmin 0 HKEY_LOCAL_MACHINE\

SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ConsentPromptBehaviorUser 0 HKEY_LOCAL_MACHINE\SOFTWARE\

Microsoft\Windows\CurrentVersion\policies\system\EnableLUA 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe\Debugger svchost.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVCare.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVCare.exe\Debugger svchost.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVENGINE.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVENGINE.EXE\Debugger svchost.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System “DisableRegistryTools” = 0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System “DisableTaskMgr” = 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system “ConsentPromptBehaviorAdmin” = 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system “ConsentPromptBehaviorUser” = 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system “EnableLUA” = 0

3. System Restore

Start Menu Restore

Standard directions to quickly access Window’s System Restore Wizard (rstrui).
1. Access windows Start menu and click All Programs.
2. Click and open Accessories, click System Tools, and then click System Restore.‌
If you are prompted for an administrator password or confirmation, type the password or provide confirmation.
3. Restore your computer to a date and time before infection.

Safe Mode With Command Prompt Restore

If you can not access your operating system, this is the suggested step.
1. Restart/reboot your computer system. Unplug if necessary.
2. Enter your computer in “safe mode with command prompt”. To properly enter safe mode,repeatedly pressF8 upon the opening of the boot menu.

3. Once the Command Prompt appears you only have few seconds to type “explorer” and hit Enter. If you fail to do so within 2-3 seconds, the FBI MoneyPak ransomware virus will not allow you to type anymore.

4. Once Windows Explorer shows up browse to:

• Win XP: C:\windows\system32\restore\rstrui.exe and press Enter
• Win Vista/Seven: C:\windows\system32\rstrui.exe and press Enter

5. Follow all steps to restore or recover your computer system to an earlier time and date, before infection to complete.

More information on Window’s system restore: http://botcrawl.com/how-to-restore-microsoft-windows-vista-microsoft-windows-xp-and-microsoft-windows-7/
http://windows.microsoft.com/en-US/windows-vista/System-Restore-frequently-asked-questions

Multiple ransomware attacks .gif

Here is an example of what multiple ransomware attacks look like in different countries.

Data Source Provided From : From Norton Blog , tech news daily And botcrawl
 
By:  
Kosulla India Ltd - Bhupesh Kumar Mandal   
(kosullaindialtd.blogspot.com)