Citadel ZeuS bot


Malware: Citadel
Date: 2012 / 28 January 2012
Editor/Conference: Cyber Sleuth
Author: Sherb1n


English Translation by @Sherb1n (original source: xttp://

- New clone of ZeuS after ICE IX
- Coder: Aquabox; advertised on underground forums


 @misc{2012BFR833,
   editor = {Cyber Sleuth},
   author = {Sherb1n},
   title = {Citadel ZeuS bot},
   year = {2012},
   howpublished = {\url{}},
 }

In extenso


Citadel 1.1 - FF/IE/Chrome Grabber + Video Recording & Anti Tracker Protection

We’re offering a great solution for creating and updating your botnet.

We’re not trying to re-invent the wheel or come up with a revolutionary product. We have simply perfected the good old ZeuS, making significant functionality improvements, adapting it to the survival conditions of today’s security landscape, and giving it a new name. Originally, we developed it for our own needs; during the development process, we also decided to create a “social circle” of support community, which is described later in this article.

Changes have been made both to the bot itself and to the web components. We don’t sell “eye candy”. What you are paying for is the new functionality and coders’ motivation to support the product. New features for the bot:

  • Fixed VNC bug on Vista/Win7. Internet Explorer is now fully supported (there used to be a rendering problem in IE)
  • Added support for Mozilla Firefox 7.0 (recent versions have had problems sending the reports; the problem is now fixed)
  • Crypto-protection (the body is decrypted in memory)
  • DNS-redirects (not through hosts). Any URL can now be blocked/redirected, undetectable by heuristics. For example, block AV servers or redirect bank pages to a different host. !BONUS! The list of popular AV server URLs to block is included.
  • Software version is included in the report. The report will contain detailed information on the holder’s browser version. This can be used to imitate the holder’s settings.
  • Extra layer of protection from trackers – Login Key.
  • Authentication mechanism for config updates (no direct URLs). Adequate protection against established trackers.
  • Grabber support for Google Chrome. (tested on latest versions 15.x/16.x)
  • Inject support for Google Chrome. (tested on latest versions 15.x/16.x)
  • Added function search caching, for faster hook setting in Chrome.
  • Added feature: bot can run system CMD commands at startup (the CMDList section) and upload the report to server. For example, you can specify that upon installation your bot should upload the output of “ipconfig /all” or the list of all shared drives. This is a good feature to have when analyzing a company’s internal structure. (For example, you can often see bots with names like ACCOUNTANT_PC, POS_SERV, DATABASE…)
  • Added mechanism to check the integrity of hooks in some Windows.
  • Environment heuristic analyzer can use a stop-list to terminate undesirable software (significantly improves stealth); all popular AV products are included in the list.
  • Small bugs have been fixed.
  • Video grabber gives you a unique opportunity to see how your injects work “through the eyes of the holder”. Just specify the list of URLs and the recording time in seconds in the config file, and the bot will start recording video (in MKV format) as soon as the holder visits one of the URLs. Make sure your server can receive files of 10-60MB.
  • Removed the “cookie clearing” feature, because it was messing up the machine’s fingerprint.
  • Added support for HTTP 1.0 and extended headers (for example, the response doesn’t always look like “HTTP/1.1 200 OK”; sometimes it can be “HTTP/1.1 200 follow document”, where code 200 is followed by a couple of words). This is applicable to Firefox & Chrome.
  • Added gate generator (in case you want to place files on an intermediary host for redirect)
  • All of ZeuS’s basic functionality is included. I don’t think it needs to be listed here.
  • Fully revamped, more user-friendly web-admin interface.
Figure 1. Builder, main screen
Figure 2. Web-panel, main screen

We’re not going to talk about the bot’s uptime, you’ll see it for yourself. Gratitude is accepted in the form of LR tokens.

This is the basic package. Price: $2,399.00


Our software does not work on Russian-language systems. If a Russian or Ukrainian layout is detected, the bot terminates. This is done to prevent installs on CIS systems. You may disagree, but that’s taboo for us. If you want to test the bot or develop your own injects – install an English-language system. We will provide URLs to download the OS image and VMWare to save you some time.


List of new features for web-admin panel (individual modules):

  • Full-featured VNC control panel. Now you can:
    • Collect data on specific companies and accounts of interest into a separate DB and a separate script. It has a nice layout, you can see the list of online bots and details of the collected accounts.
    • Create a VNC connection to any bot in 2 mouse clicks.
    • View stats on active/dead accounts (or bots).
    • Add/edit memos to the collected accounts.
    • Receive automated Jabber alerts whenever a new account is added or a bot comes online. For convenience, the alert contains the IP:PORT for VNC connection.
    • Sort the bots depending on their online/used/unused status.
    • Specify a BotID, and have a VNC connection automatically created whenever the bot comes online. Price: $495.00
Figure 3. VNC control panel
  • High-quality SOCKS checker module. You can specify several DBs of different botnets. The module uses web surfing to check the SOCKS, for a 99.9% accuracy. Price: $49.00
  • Executable files auto-encryption module. Tired of manually encrypting your files or waiting for that encrypter to come back online? Automate the encryption task with this awesome auto-crypt module that will automatically refresh your botnets’ exe files. The script operates through Death’s jabber service called cbot. $15 per encryption.

We are not responsible for the encryption quality. Script is triggered through cron and can encrypt the file as many times as you need. Price: $395.00

  • Log parser module. Many of you have had this problem: lots of bots generate tons of logs, and today’s DB search technologies take up way too much time. We have developed a script that can look across several DBs simultaneously and extract all http/https URLs and related data. Additional features: caching and memos, for your convenience. Price: $295.00

Modules can be purchased only if you also buy the basic package; they cannot be sold separately. When buying a module, you get the right to receive updates and support for this module.


  • Advanced file search and upload. Search masks are specified in the config file. For example, “passwords*.txt”
  • Ability to load the video-grabbing module from a remote host, to reduce the size of the build.


It’s hardly a secret that any product in this niche is a pile of junk on somebody’s hard drive unless it’s supported by a group of developers. As time goes on, a product must continue to satisfy the needs of the clients, but usually that’s where the problem occurs: there are lots of clients, but only one developer, and your IMs are often ignored. Time is money, that’s why we have created a social network-like platform for our clients.

Citadel CRM Store lets you influence the development of the product, namely:

  • Report bugs and errors you discover in our software. All tickets are reviewed by tech support. You will receive a response in a timely manner and will not have to try to catch the developer in ICQ/Jabber.
  • Every client has the right to create an unlimited number of requests and suggestions for new module/functionality. These requests can be public or private (visible to you only).
  • Every client has the right to vote for ideas submitted by other members and to contribute money towards developing the module/functionality. Based on the voting results, the developers decide which module should be built.
  • Every client has the right to comment on requests and talk to other members. Now you can find partners and like-minded people and take an active part in product development discussions.
  • You can see all the stages of the development work if the new module is approved by the community. We provide timely updates on the status and completion date.
  • If the module is approved, you can start making the initial deposits (50%). As soon as the deposits are made, developers start working on the project: the money is paid directly to the coders, and there will be no delays or procrastination. The process is transparent, every stage of the development work is displayed.
  • Convenient notifications via Jabber about new comments or requests.

You will really appreciate this new approach!

When buying the basic package, you agree to make monthly maintenance payments of $125 (payments can be made for several months in advance). What’s included in this cost:

  • We’re interested in working with our clients. There are lots of people who promise to “support the product, blah-blah”, but then either their updates come out once every 3 months, or the author just disappears. The problem is, authors need to be motivated. In our case – you support us, and we support you. As simple as that.
  • Every month (around the 20th of the month) you get a builder update, including updated AV protection (bot body encryption, heuristic analysis prior to process injection).
  • You get access to the CRM: a great opportunity to suggest new features and improvements, vote for others’ projects, and communicate with other members of the Citadel CRM Store.
  • You get our support: we answer your questions (via ticketing system), provide installation assistance and usage recommendations. You are prohibited from transferring your personal CRM account to anyone else.
  • In the near future, our CRM will start working with web programmers who will be focused exclusively on injects (including auto-transfers). The CRM allows our clients to create tasks, declare completion dates and prices, so that our coders can work on the approved projects. If you can write high-quality injects, let’s talk.
Figure 4. Citadel CRM Store

Demo access upon request (allow up to 24 hours).

Builder is tied to your PC; you can create an unlimited number of domains.

We accept LR only. For WM-LR conversions, go to forums like We do not accept Webmoney.

To avoid wasting our time (and yours), don’t send us messages like “You there?”, etc. Just give us your request in this format: “Need to buy basic package, plus VNC, Auto-crypt, and SOCKS modules. What’s the total price with the discount?”