On the Reverse Engineering of the Citadel Botnet

Rahimian, Ashkan, Ziarati, Raha, Preda, Stere and Debbabi, Mourad (2014) On the Reverse Engineering of the Citadel Botnet. In: Foundations and Practice of Security. Lecture Notes in Computer Science, 8352 . Springer International Publishing, pp. 408-425. ISBN 978-3-319-05302-8

Text (Final draft post-refereeing) (application/pdf)
RE_Citadel_Botnet.pdf - Accepted Version
Available under License Spectrum Terms of Access.

Official URL: http://link.springer.com/book/10.1007/978-3-319-05...


Citadel is an advanced information-stealing malware that targets financial information. This malware poses a real threat against the confidentiality and integrity of personal and business data. Recently, a joint operation has been conducted by the FBI and the Microsoft Digital Crimes Unit in order to take down Citadel command-and-control servers. The operation caused some disruption in the botnet but has not stopped it completely. Due to the complex structure and advanced anti-reverse engineering techniques, the Citadel malware analysis process is challenging and time-consuming. This allows cyber criminals to carry on with their attacks while the analysis is still in progress. In this paper, we present the results of the Citadel reverse engineering and provide additional insights into the functionality, inner workings, and open source components of the malware. In order to accelerate the reverse engineering process, we propose a clone-based analysis methodology. Citadel is an offspring of a previously analyzed malware called Zeus. Thus, using the former as a reference, we can measure and quantify the similarities and differences of the new variant. The methodology provides two types of code analysis techniques, namely assembly-to-source-code matching and binary clone detection. The methodology can help reduce the number of functions that should be analyzed manually. The analysis results prove that the approach is promising in Citadel malware analysis. Furthermore, the same approach is applicable to similar malware analysis scenarios.

Divisions: Concordia University > Gina Cody School of Engineering and Computer Science
Concordia University > Gina Cody School of Engineering and Computer Science > Concordia Institute for Information Systems Engineering
Concordia University > Research Units > Computer Security Laboratory
Item Type: Book Section
Authors: Rahimian, Ashkan and Ziarati, Raha and Preda, Stere and Debbabi, Mourad
Series Name: Lecture Notes in Computer Science
  • Malware Analysis
  • Cyber Forensics
  • CIISE, Concordia University
Keywords: Reverse Engineering, Malware Analysis, Clone Detection, Botnet Takedown, Incident Response, Zeus Botnet Variant, Static Analysis, Dynamic Analysis
ID Code: 978699
Deposited On: 19 Jun 2014 19:11
Last Modified: 18 Jan 2018 17:47

