A few weeks ago, Brian Krebs reported on Citadel, a new variant of the Zeus Trojan.
Citadel's creators decided to offer this new variant under a Software-as-a-Service (SaaS) model, which seems to be a rising trend in the cybercrime ecosystem.
The developers did not stop there. They created a social network that enables Citadel's customers (other cybercriminals) to suggest new features and modules for the malware, report bugs and other errors in the system, and comment on and discuss related issues with fellow customers. This CRM (Customer Relationship Management) platform has explosive potential, as it harnesses the cumulative knowledge and resources of its cyber community.
Because the Zeus source code went public in 2011, the Citadel community did indeed become active and started contributing new modules and features. This recent development may be an indication of a trend in malware evolution: open-source malware.
We have previously discussed trends in malware evolution, where the sophistication level is continuously rising, especially on the server side, as malware kits have become the mainstream among cybercriminals.
Open-source malware evolves faster
Seculert’s Research Lab discovered the first indication of a Citadel botnet on December 17th, 2011. Adoption and development of Citadel are growing rapidly, and since then Seculert has identified over 20 different Citadel botnets (see Figures 1 and 2 for statistics), using the following different versions of the malware:
Each version added new modules and features, some of which were submitted by the Citadel customers themselves, including:
Similar to legitimate software companies, the Citadel authors provide their customers with a User Manual, Release Notes and a License Agreement (see Figures 3 and 4).
Following this recent embrace of trends from the legitimate business world, we suspect that the open-source model may be the next growing trend. The cybercrime world is characterized by rapid development, cutting-edge technology, and hackers’ constant cravings for recognition. Judging by developments in the software world, the open-source model may well be accepted in the cybercrime ecosystem too.