Citadel malware active on 20,000 PCs in Japan, says Trend Micro

Citadel malware is installed on over 20,000 PCs in Japan and actively sending financial information it harvests to servers abroad, according to security software vendor Trend Micro.

Tokyo-based Trend Micro said it monitored remote servers in the U.S. and Europe that collect data gathered by Japanese versions of the malware for six days last week. On some days there were nearly 230,000 connections made from 20,000 infected computers.

The malware has been designed specifically to target domestic users, collecting financial details corresponding to six Japanese financial institutions as well as popular services such as email from Google, Yahoo and Microsoft.

“Damage from this tool for online banking fraud is still continuing today,” Trend Micro said in a Japanese security blog.

The security firm said it detect IP addresses from at least nine remote servers that are being contacted regularly by copies of Citadel on infected computers. It said over 96 percent of the contact comes from PCs in Japan.

A tricky bug

Citadel is malware that can modify or replace websites opened on the computers it infects. It then collects log-in details and other private information and sends it to remote servers. Some varieties also block access to anti-virus sites to prevent users from cleaning their computers.

The software allows malicious users to create networks, or botnets, of infected PCs that harvest details and send them to remote servers. It can be customized to mimic specific sites in different countries.

Last month Microsoft and the U.S. Federal Bureau of Investigation worked together to disrupt 1,400 Citadel botnets that the company said were responsible for over half a billion dollars in financial losses worldwide.

The action disrupted many existing Citadel botnets, but anyone with a builder application can create customized versions and launch an operation of their own.

Highly-customized versions of the malware, with detailed content localization and advanced techniques to corrupt browser software, have also popped up across Europe since the Microsoft action.

Subscribe to the Security Watch Newsletter

Comments