Citadel Trojan starts attacking Password Managers

IBM’s Trusteer researchers have found cybercriminals using a new weapon against your online security: a Citadel Trojan configuration that targets password managers and authentication solutions.


Many modern applications ask for something beyond the password you type, such as a digital signature, a software certificate or a smart card, and these extra factors are hard to forge. Password managers add protection of their own by keeping every credential in an encrypted vault behind a single master password. Neither defence helps much on an endpoint that is already infected: a keylogger running on the machine records the master password, PIN or passphrase as it is typed, before the authentication solution or password manager ever sees it. This is the approach the new Citadel configuration takes.

Describing the discovery, IBM writes:

“Recently, IBM Trusteer researchers found a new configuration of Citadel that is being used to compromise password management and authentication solutions. It instructs the malware to start keylogging (capturing user keystrokes) when some processes are running.”

IBM describes the Citadel Trojan itself:

“The Citadel Trojan is not new. It is a massively distributed malware that has already compromised millions of computers worldwide. Once Citadel installs on a machine, it opens communication channels with a command-and-control (C&C) server and registers with it. The malware then receives a configuration file that tells it how it should operate, which targets what to look for, what type of information to capture, which functions to enable and even provides information about alternative C&Cs that allow the attackers to take down an exposed C&C and still operate the malware from a new C&C. As long as the malware is communicating with the C&C, the configuration file can be updated with information about new targets, activities and C&C destinations.”
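The mechanism IBM describes above is a configuration-driven trigger: the malware waits for particular processes to appear and only then starts capturing keystrokes. The following is an added example, not code from the original post or from IBM Trusteer, showing how a defender can look for that pattern in endpoint telemetry. It correlates the start of a password manager or authentication client with a low-level keyboard hook (the Windows `WH_KEYBOARD_LL` hook type installed via `SetWindowsHookEx`, which endpoint agents commonly report) installed by a different process shortly afterwards. The event format, the watch list of process names and the sample events are all constructed for this example; the post does not name the processes Citadel watches for.

```python
"""Correlate password-manager process starts with keyboard hooks.

Added example (not the post's or IBM's code).  The Event format,
the WATCHED_PROCESSES list and SAMPLE_EVENTS are constructed here
for illustration; real EDR telemetry will have different fields.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable

# Constructed watch list of processes whose startup a Citadel-style
# configuration might use as a trigger.  Tune to your environment.
WATCHED_PROCESSES = {"keepass.exe", "pwsafe.exe", "1password.exe"}

# Maximum gap between a watched process starting and a keyboard hook
# appearing for the two to be treated as related.
WINDOW_SECONDS = 30


@dataclass(frozen=True)
class Event:
    ts: float          # seconds since epoch
    kind: str          # "process_start" or "keyboard_hook"
    image: str         # process image name, lower-case basename
    pid: int
    detail: str = ""   # hook type for keyboard_hook events


@dataclass(frozen=True)
class Alert:
    trigger_image: str
    trigger_pid: int
    hooker_image: str
    hooker_pid: int
    delay_seconds: float


def correlate(events: Iterable[Event]) -> list[Alert]:
    """Return one Alert per low-level keyboard hook installed by some
    other process within WINDOW_SECONDS of a watched process starting."""
    recent_starts: list[Event] = []
    alerts: list[Alert] = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "process_start":
            if ev.image in WATCHED_PROCESSES:
                recent_starts.append(ev)
            continue
        if ev.kind != "keyboard_hook" or ev.detail != "WH_KEYBOARD_LL":
            continue
        # Forget watched-process starts that are older than the window.
        recent_starts = [s for s in recent_starts if ev.ts - s.ts <= WINDOW_SECONDS]
        for start in recent_starts:
            if ev.pid == start.pid:
                continue  # the watched program hooking itself is not the pattern
            alerts.append(Alert(start.image, start.pid, ev.image, ev.pid, ev.ts - start.ts))
    return alerts


# Constructed sample telemetry.  The hook in the second event comes from
# explorer.exe: Citadel-family malware typically injects into a
# legitimate process, so the hooking image is often one you trust.
SAMPLE_EVENTS = [
    Event(1000.0, "process_start", "explorer.exe", 1200),
    Event(1005.0, "process_start", "keepass.exe", 4312),
    Event(1007.5, "keyboard_hook", "explorer.exe", 1200, "WH_KEYBOARD_LL"),
    Event(1500.0, "process_start", "notepad.exe", 5000),
    Event(1501.0, "keyboard_hook", "notepad.exe", 5000, "WH_KEYBOARD_LL"),  # no trigger nearby
    Event(2000.0, "process_start", "pwsafe.exe", 6100),
    Event(2100.0, "keyboard_hook", "svchost.exe", 900, "WH_KEYBOARD_LL"),   # outside window
]


def run_sample() -> list[Alert]:
    """Run the correlation over the constructed sample; yields one alert."""
    return correlate(SAMPLE_EVENTS)


if __name__ == "__main__":
    for a in run_sample():
        print(f"ALERT: {a.hooker_image} (pid {a.hooker_pid}) installed a keyboard hook "
              f"{a.delay_seconds:.1f}s after {a.trigger_image} (pid {a.trigger_pid}) started")
```

The check deliberately alerts on the timing relationship rather than on the name of the hooking process, because the hook will usually come from a trusted image the malware has injected into. A hook from a process that was never near a watched start, or one installed long after it, is ignored, which keeps the rule quiet on ordinary accessibility and input tools.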

Who configured the Citadel Trojan?

Unfortunately, IBM Trusteer researchers were unable to identify who was behind this Citadel configuration. They did find that the attackers were using a legitimate web server as the C&C, but the configuration file had been removed before the researchers could retrieve it or trace the people behind it.

What next…

In 2011 IBM predicted that by 2016 passwords would largely give way to biometric and biological identifiers such as DNA, voice prints, iris scans and facial features for protecting sensitive data. In the meantime, IBM has asked the affected vendors for recommendations on protecting their customers from attacks of this kind.

You can read more about this attack on the blog post at Security Intelligence.

Ankit Gupta is a writer by profession and has more than 7 years of global writing experience on technology and other areas. He follows technological developments and likes to write about Windows and IT security. He has a deep liking for wildlife and has written a book on the top tiger parks of India.


  1. zeroday1

    This is why I would never let any application (which can be accessed via the net) store or save my passwords, and is also another reason why I would never trust any of my pertinent info (including my passwords) to any cloud service, based upon the principle that, as long as you are connected to the internet, there are pathways to that information which can be exploited.

    Writing down your passwords in a well organized password book is the best way to keep your log-in credentials safe—period!

    While some may say that it takes too long to look up their info, I say let’s put aside our indifference to true password security for the sake of real protection.

    Most people that spend the time to write this stuff down, stand a better chance at remembering their passwords without having to look them up anyway, because by using our other senses (touch, sound if we say it out-loud to ourselves while we’re writing them down…), we’ll be creating stronger memory connections in our brains, thus increasing the likelihood we will remember them without having to look them up all the time.

    Of course, I’m not advocating that anyone hold on to the same password forever, but even if you create your own (reasonably long-enough), random password, then it should be relatively safe from being compromised for at least a few months anyways. And when I say “reasonably long-enough,” I mean like 18 or more characters, at the least.

    Regardless of this age of instant gratification (where it’s all about I, me, and what I want yesterday), I will never balk at the idea that I might have to spend even an extra 30-60 seconds of my life looking up a password that I may not remember, because to me that extra half a minute is worth the time and effort if it can help spare my identity and sensitive info from being hijacked.

  2. Ankit Gupta

    Thanks for sharing your thoughts! The password should definitely be a strong one, and writing it in a notebook is worth an idea. Cheers.
