
Re: Citadel (Zeus clone)

Posted: Sat May 26, 2012 12:25 pm
by Xylitol
Fun

Code:

00420CD8  |.  68 C0194000   PUSH 4019C0                              ; |Text = "Coded by BRIAN KREBS for personal use only. I love my job & wife."
two more C&C

Code:

hxxp://inbani.com/js/res/cp.php?m=login
hxxp://inbani.com/js/res/theme/images/citadel.jpg
--
hxxp://lotosmusicfm.net/jstat/cp.php
hxxp://lotosmusicfm.net/jstat/theme/images/citadel.jpg
https://www.virustotal.com/file/6f6b5fe ... 338035569/

Re: Citadel (Zeus clone)

Posted: Tue May 29, 2012 10:03 pm
by obnoxiousdiablo
Hi Xylitol,

Thanks a lot for sharing this info. What is the file in the zip with 140K size? Is that the cfg downloaded?

Is it possible to share the packet dump you may have?

Thank you.

Regards,

Re: Citadel (Zeus clone)

Posted: Wed May 30, 2012 1:36 am
by obnoxiousdiablo
Never mind. I figured out it was the encrypted cfg downloaded during your analysis. It is targeting mainly European banks at the moment. It will be great if you could post more Citadel with cfg as they come along.

Much appreciated,

Re: Citadel (Zeus clone)

Posted: Mon Jun 11, 2012 6:24 am
by Evilcry

Re: Citadel (Zeus clone)

Posted: Tue Oct 16, 2012 12:58 pm
by Xylitol
Some files (php/exe) dumped from Citadel 1.3.4.5 server

https://zeustracker.abuse.ch/monitor.ph ... orumin.net
There is also a Bleeding Life v2:

Code:

hxxp://fastforumin.net:808/sp/statistics/login.php
Real gate:

Code:

hxxp://5.9.62.149:50800/mainsession/gate.php
C&C:

Code:

hxxp://5.9.62.149:50800/mainsession/cp.php
lulz:

Code:

hxxp://5.9.62.149:50800/mainsession/install/
• [0] - Connecting to MySQL as 'joe'.
• [0] - Selecting DB 'joe_bot_db1'.
• [0] - Updating table 'botnet_list'.
• [0] - Creating table 'botnet_reports'.
• [0] - Updating table 'botnet_reports_120812'.
• [0] - Updating table 'botnet_reports_120813'.
• [0] - Updating table 'botnet_reports_120814'.
• [0] - Updating table 'botnet_reports_120815'.
• [0] - Updating table 'botnet_reports_120816'.
• [0] - Updating table 'botnet_reports_120817'.
• [0] - Updating table 'botnet_reports_120818'.
• [0] - Updating table 'botnet_reports_120819'.
• [0] - Updating table 'botnet_reports_120820'.
• [0] - Updating table 'botnet_reports_120821'.
• [0] - Updating table 'botnet_reports_120822'.
• [0] - Updating table 'botnet_reports_120823'.
• [0] - Updating table 'botnet_reports_120824'.
• [0] - Updating table 'botnet_reports_120825'.
• [0] - Updating table 'botnet_reports_120826'.
• [0] - Updating table 'botnet_reports_120827'.
• [0] - Updating table 'botnet_reports_120828'.
• [0] - Updating table 'botnet_reports_120829'.
• [0] - Updating table 'botnet_reports_120830'.
• [0] - Updating table 'botnet_reports_120831'.
• [0] - Updating table 'botnet_reports_120901'.
• [0] - Updating table 'botnet_reports_120902'.
• [0] - Updating table 'botnet_reports_120903'.
• [0] - Updating table 'botnet_reports_120904'.
• [0] - Updating table 'botnet_reports_120905'.
• [0] - Updating table 'botnet_reports_120906'.
• [0] - Updating table 'botnet_reports_120907'.
• [0] - Updating table 'botnet_reports_120908'.
• [0] - Updating table 'botnet_reports_120909'.
• [0] - Updating table 'botnet_reports_120910'.
• [0] - Updating table 'botnet_reports_120911'.
• [0] - Updating table 'botnet_reports_120912'.
• [0] - Updating table 'botnet_reports_120925'.
• [0] - Updating table 'botnet_reports_120926'.
• [0] - Updating table 'botnet_reports_120929'.
• [0] - Updating table 'botnet_reports_120930'.
• [0] - Updating table 'botnet_reports_121001'.
• [0] - Updating table 'botnet_reports_121002'.
• [0] - Updating table 'botnet_reports_121003'.
• [0] - Updating table 'botnet_reports_121004'.
• [0] - Updating table 'botnet_reports_121005'.
• [0] - Updating table 'botnet_reports_121006'.
• [0] - Updating table 'botnet_reports_121007'.
• [0] - Updating table 'botnet_reports_121011'.
• [0] - Updating table 'botnet_reports_121012'.
• [0] - Updating table 'botnet_reports_121013'.
• [0] - Updating table 'botnet_reports_121014'.
• [0] - Updating table 'botnet_reports_121015'.
• [0] - Updating table 'botnet_reports_121016'.
• [0] - Filling table 'ipv4toc'.
• [1] - Creating table 'ipv4toc'.
• [3] - Updating table 'cp_users'.
• [3] - Updating table 'botnet_scripts'.
• [3] - Updating table 'botnet_scripts_stat'.
• [3] - Updating table 'botnet_software_stat'.
• [3] - Updating table 'exe_updates'.
• [3] - Updating table 'exe_updates_crypter'.
• [3] - Updating table 'botnet_rep_domains'.
• [3] - Updating table 'botnet_rep_domainlogs'.
• [3] - Updating table 'accparse_rules'.
• [3] - Updating table 'accparse_accounts'.
• [3] - Updating table 'vnc_bot_connections'.
• [3] - Updating table 'botnet_rep_dedup'.
• [3] - Updating table 'jabber_messages'.
• [3] - Updating table 'botnet_rep_iframer'.
• [3] - Updating table 'botnet_rep_filehunter'.
• [3] - Updating table 'botnet_screenshots'.
• [3] - Updating table 'botnet_rep_favorites'.
• [3] - Updating table 'botnet_activity'.
• [3] - Creating folder '_reports102979970'.
• [3] - Writing config file
• [3] - Searching for the god particle...
• [3] - Creating folder 'system/data'.
• [3] - Creating folder 'public'.
-- Update complete! --

Re: Citadel (Zeus clone)

Posted: Fri Oct 19, 2012 2:33 am
by 360Tencent

Re: Citadel (Zeus clone)

Posted: Fri Oct 19, 2012 11:55 am
by Xylitol
Another sample in attach.

Code:

Citadel C&C - hxxp://78.46.226.50/ajax/cp.php?m=login
401 - hxxp://78.46.226.50/1/
calc.exe exploit - hxxp://78.46.226.50/ajax/t/ - hxxp://78.46.226.50/ajax/t/chk.html - hxxp://78.46.226.50/ajax/t/calc.exe
log parser - hxxp://78.46.226.50/p/
pma - hxxp://78.46.226.50/phpmyadmin/setup/

Re: Citadel (Zeus clone)

Posted: Mon Oct 22, 2012 10:57 pm
by Xylitol
Leaked version of the summer edition (1.3.4.5) in attach.
https://www.virustotal.com/file/1a2e85e ... 350946598/

Re: Citadel (Zeus clone)

Posted: Fri Oct 26, 2012 3:09 pm
by freezhh
index.php is 0 bytes?

Re: Citadel (Zeus clone)

Posted: Fri Oct 26, 2012 3:12 pm
by Xylitol
To hide the directory index, because the Citadel guys don't know about Options -Indexes :p
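For contrast with the empty index.php trick above, here is what the proper Apache setting looks like on a defender's own web root. This is an added example, not configuration from the thread or from the Citadel panel; the path /var/www/html/panel is an assumed placeholder.

```apache
# Assumed web root; replace with your own path.
<Directory "/var/www/html/panel">
    # Disable automatic directory listings outright. An empty index.php
    # only hides a listing while "index.php" is in DirectoryIndex; if that
    # list changes, the listing is back. -Indexes needs no placeholder file.
    Options -Indexes -FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>

# Do not leave installer or setup scripts reachable after deployment
# (the thread shows an exposed install/ and phpmyadmin/setup/ on a live panel).
<DirectoryMatch "/(install|setup)/">
    Require all denied
</DirectoryMatch>
```

With this in place a request for a directory that has no index file returns 403 instead of a listing, which is the behaviour to check for when auditing your own hosts.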