Terrific software and support ... for criminal botnet builders

Shadowy vendor of botnet construction kits based on Citadel Trojan provides platform with customer service that commercial software companies could learn from

There's a new development platform on the market, and it boasts outstanding developer support.

The platform's all open source. There's a built-in developer message board, with threaded conversations and social networking features. The manufacturer not only responds to bug reports and feature suggestions, it assigns tracking numbers and, in the spirit of open source, accepts solutions both from the company's developers and from customers. The manufacturer puts new features up for a vote, implementing the ones that most developers want. The board's active, the manufacturer's responsive, and the product's reasonably stable and by all accounts quite profitable. There's even a user's manual, release notes, and a license agreement, all in Russian.

Welcome to Citadel. Botnet construction kits done right. SaaS techniques in the underground.

Brian Krebs broke the story on Jan. 23, and as reported by InfoWorld last week, Seculert said it first saw the botnet on Dec. 17, 2011. Since then, 20 Citadel botnets have been identified -- in other words, at least 20 people acquired the Citadel construction package and put it to use -- and they've tracked more than 100,000 infected PCs. Seculert has identified at least five versions of the Citadel package.

You too can buy a copy and join one of the fastest-growing developer cliques on the planet. Total cost is $2,399, plus $125 per month. Citadel is based on the Zeus source code, which was widely distributed in May 2011. Unlike Zeus, when you buy Citadel you get the entire ecosystem along with it, including access to the forums. Think SaaS, where the value-add isn't the software but the infrastructure around it. Per Krebs, the creators boast in their sales literature:

We have created for you a special system -- call it the social network for our customers. Citadel CRM Store allows you to take part in product development in the following ways:

* Report bugs and other errors in software. All tickets are looked at by technical support; you will receive a timely response to your questions. No more trying to reach the author via ICQ or Jabber.

* Each client has the right to create an unlimited number of applications within the system. Requests can contain suggestions on a new module or improvements of existing module. Such requests can be public or private.

* Each client has a right to vote on new ideas suggested by other members and offer his or her price for development of the enhancement or module. The decision is made by the developers on whether to go forward with certain enhancement or new module, depending on the voting results.

* Each client has the right to comment on any application and talk to any member. Now it is going to be interesting for you to find partners and like-minded people and also to take active parts in discussions with the developers.

* You can see all stages of module development, if it is approved other members. We update the status and time to completion.

* You may pay a deposit, if module is approved (via a 50 percent vote). After the deposit is paid by the members, the project starts moving forward, so that the money is paid directly to coders and there will be no laziness or inaction. Everything is clear: Every stage of development is thoroughly shown.

Seculert's statistics show that the largest number of infected machines are in Italy, with the United States second. There are relatively few infected machines in Russia. If the infection routines detect a Russian- or Ukrainian-language keyboard, they shut down.

Although some news sources insist on calling Citadel a "banking" Trojan, I see no indication that Citadel is focused on the banking industry or on stealing banking information. Rather, just like Zeus, it's an omnivorous beast capable of stealing a wide range of data. The person who purchases a copy can tailor it to monitor keystrokes, look for files, even record screen activity as a video and send it to the command-and-control server.

We're going to be hearing a lot more about Citadel in the months to come. SaaS is a powerful concept, even among black hats.

This story, "Terrific software and support ... for criminal botnet builders," was originally published at InfoWorld.com. Get the first word on what the important tech news really means with the InfoWorld Tech Watch blog. For the latest developments in business technology news, follow InfoWorld.com on Twitter.

Mobile Security Insider: iOS vs. Android vs. BlackBerry vs. Windows Phone
Recommended
Join the discussion
Be the first to comment on this article. Our Commenting Policies