In our previous blog post (part 2 of this 3-part series), we outlined how Citadel infects a host machine, and we extracted some string references that we used to detect it via YARA. However, we have yet to really understand how this crimeware works and the risk it poses.
In this third part, we will dive deeper into the analysis and try to extract Citadel's configuration settings, as well as write more solid detection code.
Behavioral Analysis
A good start for our analysis is to look for any suspicious network traffic, so let's monitor our system for exactly that.
Read more: http://community.websense.com/blogs/securitylabs/archive/2014/04/28/crimeware-based-targeted-attacks-citadel-case-part-iii.aspx