We have detected new Citadel malware activity, again coming from within large, some Dutch, organizations.
These Citadel Trojans are not part of the Pobelka botnet (Dutch) that we discovered last year on September 7, 2012.
From the data we have gathered so far, we believe this new campaign is running since late November 2012.
To help out the Dutch industry, organizations and government we decided to publish (and regularly update) a list of web addresses that are associated with some of the more prevalent Citadel strains. Note that blocking the IP addresses associated with the domains on this page has only limited effect because the cybercriminals are swapping IP addresses every few days. Also note that the real command and control server is buried behind reverse proxies running on compromised computers owned by people who are likely not aware of this.
We have also noticed that the renowned anti-virus solutions deployed inside some of the affected organizations are no match for the new Citadel variants due to the stealthy nature of Citadel. The Citadel infections that we found were already active for nearly three weeks, and during that time these computers were protected by the up-to-date anti-virus solutions. Detecting malware traffic on the firewall or IDS is a good way to reveal affected workstations inside the network where anti-virus solutions are not yet detecting the threats.
Monitor the following following IP addresses and domains in the IDS or firewall on the perimeter of your network:
If you have affected systems on your network, be aware of these facts:
Since HitmanPro does not rely on virus signatures it is unlike other anti-virus programs.
You can use it to find and remove any malware infection from the affected machines, like viruses, worms, trojans, spyware, bootkits, rootkits and zero-day malware, including Zeus, Zbot or Citadel Trojans.
Instructions on how to perform FREE second opinion malware scans with HitmanPro can be found in the following document:
This documents contains example scripts on how to integrate HitmanPro into a Windows 2003, 2008 and/or LabTech managed environment.
Published: February 15, 2013. Updated: February 20, 2013 (16:50 CEST). Mark Loman.