You can teach an old dog new tricks, provided that dog is a powerful and infamous type of malware. The Citadel Trojan now steals master passwords from the password-management applications Password Safe and KeePass, as well as the enterprise authentication solution Nexus Personal Security Client.
Once it has infected a computer, Citadel waits until one of these programs is launched and then logs keystrokes to steal the master password, giving the attackers access to every account protected by the password manager. Fortunately, while the Citadel Trojan is widely distributed, this password-seeking variant probably is not.
Many security experts recommend using password managers to ensure that each of an individual’s online accounts has a strong, unique password. It’s a lot easier to have the program remember dozens of long, complicated passwords when all you have to remember is the master password that unlocks the password manager.
However, password managers also create a single point of failure. If the user forgets the master password, he loses access to every covered account; if an attacker manages to learn the master password, she gets access to all those accounts.
The fact that Citadel can do this isn’t the fault of the password managers. Any typed information can be stolen by a keylogger. But master passwords are the crown jewels of passwords, compromising many accounts in one fell swoop.
The Citadel Trojan is primarily a banking Trojan used by multiple online criminal groups. Once it has infected a PC, Citadel connects to a remote server, called a command-and-control server, via which attackers can send it specific commands and updates.
This variant of Citadel Trojan was discovered on a single PC by data-security company IBM Trusteer, which said the PC in question was infected with the Citadel variant before Trusteer’s security software was installed on it.
Trusteer guessed that the Citadel variant may be part of a targeted attack, one meant for a specific person or group of people. Nevertheless, the fact that the variant can target third-party password managers (instead of browser-based password vaults, as has been more commonly seen in malware) may represent a significant new trend.
“[The Citadel variant] might be an opportunistic attack, where the attackers are trying to see which type of information they can expose through this configuration, or a more targeted attack in which the attackers know that the target is using these specific solutions,” writes Dana Tamir, Trusteer’s director of enterprise security, on IBM’s security blog Security Intelligence.
IBM Trusteer researchers found three new processes in the Citadel software: Personal.exe (which targets the Nexus Personal Security Client), PWsafe.exe (which targets Password Safe, an open-source password manager created by encryption expert Bruce Schneier), and KeePass.exe, which targets KeePass, also an open-source password manager.
Source: Tom’s Hardware