On the Reverse Engineering of the Citadel Botnet

by Ashkan Rahimian, et al.

Citadel is an advanced information-stealing malware that targets financial information. This malware poses a real threat to the confidentiality and integrity of personal and business data. A joint operation was recently conducted by the FBI and the Microsoft Digital Crimes Unit in order to take down Citadel command-and-control servers. The operation caused some disruption in the botnet but has not stopped it completely. Because of its complex structure and advanced anti-reverse-engineering techniques, the Citadel malware analysis process is both challenging and time-consuming. This allows cyber criminals to carry on with their attacks while the analysis is still in progress. In this paper, we present the results of reverse engineering Citadel and provide additional insight into the functionality, inner workings, and open source components of the malware. In order to accelerate the reverse engineering process, we propose a clone-based analysis methodology. Citadel is an offspring of a previously analyzed malware called Zeus; thus, using the former as a reference, we can measure and quantify the similarities and differences of the new variant. Two types of code analysis techniques are provided in the methodology, namely assembly-to-source-code matching and binary clone detection. The methodology can help reduce the number of functions requiring manual analysis. The analysis results show that the approach is promising for Citadel malware analysis. Furthermore, the same approach is applicable to similar malware analysis scenarios.
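As an added illustration (not the paper's own code, and not its clone-detection algorithm, whose details this abstract does not give), the following Python script shows the basic idea behind using binary clone detection as a triage step: normalize disassembled instructions so register choice, stack offsets and label names do not matter, compare each function of a new sample against a reference function set by instruction n-gram overlap (Jaccard similarity), and flag near-clones so that only the unmatched functions are queued for manual analysis. The function listings are constructed toy samples, not actual Citadel or Zeus code; the function names, the 3-gram size and the 0.5 threshold are assumptions chosen for the example.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed sample disassembly listings for the example (not real Citadel/Zeus code).
# REFERENCE_FUNCS stands in for the already-analyzed family, NEW_FUNCS for the new variant.
REFERENCE_FUNCS: Dict[str, List[str]] = {
    "ref_checksum": [
        "push ebp", "mov ebp, esp", "xor eax, eax", "mov ecx, [ebp+8]",
        "loop_top: movzx edx, byte ptr [ecx]", "add eax, edx", "inc ecx",
        "test edx, edx", "jnz loop_top", "pop ebp", "ret",
    ],
    "ref_strlen": [
        "push ebp", "mov ebp, esp", "mov ecx, [ebp+8]", "xor eax, eax",
        "scan: cmp byte ptr [ecx+eax], 0", "je done", "inc eax", "jmp scan",
        "done: pop ebp", "ret",
    ],
}
NEW_FUNCS: Dict[str, List[str]] = {
    # Same logic as ref_checksum, but with different registers, offsets and labels.
    "new_sub_401000": [
        "push ebp", "mov ebp, esp", "xor edx, edx", "mov esi, [ebp+0Ch]",
        "l1: movzx eax, byte ptr [esi]", "add edx, eax", "inc esi",
        "test eax, eax", "jnz l1", "mov eax, edx", "pop ebp", "ret",
    ],
    # Unrelated code: a simple memory fill loop.
    "new_sub_402000": [
        "push ebp", "mov ebp, esp", "mov ecx, [ebp+8]", "mov edx, [ebp+0Ch]",
        "l2: mov byte ptr [ecx], 0", "inc ecx", "dec edx", "jnz l2",
        "pop ebp", "ret",
    ],
}

LABEL_RE = re.compile(r"^\s*\w+:\s*")
MEM_RE = re.compile(r"\[[^\]]*\]")
REG_RE = re.compile(r"\b(e?[abcd]x|e?[sd]i|e?[sb]p|[abcd][lh])\b")
IMM_RE = re.compile(r"\b(0x[0-9a-fA-F]+|[0-9][0-9a-fA-F]*h?|\d+)\b")


def normalize(insn: str) -> str:
    """Abstract away registers, memory operands, immediates and jump targets."""
    insn = LABEL_RE.sub("", insn)
    parts = insn.split(None, 1)
    mnemonic = parts[0]
    operands = parts[1] if len(parts) > 1 else ""
    if mnemonic.startswith("j"):          # jump targets are layout-specific: drop them
        return mnemonic + " TGT"
    operands = MEM_RE.sub("MEM", operands)  # memory operands first, so [ebp+8] -> MEM
    operands = REG_RE.sub("REG", operands)
    operands = IMM_RE.sub("IMM", operands)
    return f"{mnemonic} {operands}".strip()


def ngrams(insns: List[str], n: int = 3) -> Set[Tuple[str, ...]]:
    """Set of n consecutive normalized instructions; the function's fingerprint."""
    norm = [normalize(i) for i in insns]
    return {tuple(norm[i:i + n]) for i in range(len(norm) - n + 1)}


def jaccard(a: Set, b: Set) -> float:
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def best_matches(reference: Dict[str, List[str]], new: Dict[str, List[str]],
                 n: int = 3) -> Dict[str, Tuple[str, float]]:
    """For each new function, the closest reference function and its similarity."""
    result = {}
    for new_name, new_body in new.items():
        new_grams = ngrams(new_body, n)
        best_name, best_score = max(
            ((ref_name, jaccard(new_grams, ngrams(ref_body, n)))
             for ref_name, ref_body in reference.items()),
            key=lambda t: t[1])
        result[new_name] = (best_name, round(best_score, 3))
    return result


def triage(reference: Dict[str, List[str]], new: Dict[str, List[str]],
           threshold: float = 0.5, n: int = 3):
    """Split new functions into near-clones (reuse prior analysis) and manual-review work."""
    matches = best_matches(reference, new, n)
    clones = {k: v for k, v in matches.items() if v[1] >= threshold}
    needs_manual = [k for k, v in matches.items() if v[1] < threshold]
    return clones, needs_manual


if __name__ == "__main__":
    clones, manual = triage(REFERENCE_FUNCS, NEW_FUNCS)
    for name, (ref, score) in clones.items():
        print(f"{name}: clone of {ref} (similarity {score})")
    print("needs manual analysis:", manual)
```

The normalization step is what makes the comparison robust against the trivial differences a recompiled or lightly modified variant introduces (register allocation, stack layout, label names); the n-gram fingerprint keeps enough ordering information that two functions sharing only a prologue and epilogue score low. In practice the threshold is tuned against a labelled sample, and a clone verdict is a reason to prioritise, not a substitute for confirming that the matched function really behaves the same.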
