Zeus and Citadel the biggest banking botnets of 2013

News by Doug Drinkwater

A new report from Dell SecureWorks' Counter Threat Unit (CTU) research team breaks down the biggest banking botnets from last year, and reveals that 900 financial institutions from around the globe have been targeted.

The report, which was released today, finds that Gameover Zeus (accounting for 38 percent of banking malware last year), Citadel (33 percent), Zeus (13 percent) and Shylock (7 percent) are the most widely-used banking malware, and suggests that most of this activity is directed at financial institutions in the US.

As is to be expected, more than half of these Trojans focused on the 25 largest financial institutions, not only in the US but also in other mature markets like the UK, Germany, Spain, Italy, Canada and France.

However, what was arguably of greater interest was that these botnets are growing more complex, and are increasingly being used to target other financial groups.

Researchers said that there is increased activity from botnets like Zeus, IceIX and Citadel – the last of which are based on Zeus source code – sold on underground markets, and added that most of these are increasingly complex, with many moving parts and different attack techniques. Zeus, for example, has been successful in the past after attackers used spam campaigns and drive-by-download attacks via different exploit kits.

From a detection point of view, many of these botnets are also taking different forms. Dell SecureWorks says that some have sophisticated plugin-based engines, and others are described as “primitive yet effective”. Analysts added that they can also vary in infrastructure, from those built upon a single command and control (C2) server to those that rely on a decentralised peer-to-peer (P2P) network.

In addition to these increasingly sophisticated botnets, the report adds that many attackers are looking to attack banks and other financial institutions through unorthodox channels.

For example, the firm says that targets have included commercial banks, credit unions, corporate finance and providers of corporate payroll services and stock trading. Attackers have even looked to breach social networks and dating portals.
