On the Reverse Engineering of the Citadel Botnet
Ashkan Rahimian, Raha Ziarati, Stere Preda, Mourad Debbabi

TL;DR
This paper details the reverse engineering of the Citadel botnet malware, revealing its functionality and inner workings, and introduces a clone-based analysis method to improve efficiency and applicability to similar malware.
Contribution
The paper presents a novel clone-based analysis methodology that leverages similarities with previous malware for faster reverse engineering of Citadel.
Findings
The clone-based approach effectively reduces manual analysis effort.
Analysis shows significant similarities between Citadel and Zeus malware.
Method is applicable to other malware reverse engineering scenarios.
Abstract
Citadel is an advanced information-stealing malware which targets financial information. This malware poses a real threat against the confidentiality and integrity of personal and business data. A joint operation was recently conducted by the FBI and the Microsoft Digital Crimes Unit in order to take down Citadel command-and-control servers. The operation caused some disruption in the botnet but has not stopped it completely. Due to the complex structure and advanced anti-reverse engineering techniques, the Citadel malware analysis process is both challenging and time-consuming. This allows cyber criminals to carry on with their attacks while the analysis is still in progress. In this paper, we present the results of the Citadel reverse engineering and provide additional insight into the functionality, inner workings, and open source components of the malware. In order to accelerate the…
