The Big Four Banking Trojans

Banking trojans are like rats, you kick a trashcan and six of them go scurrying off in every direction. Most of them you’ll read about once and never again. But

Banking trojans are like rats, you kick a trashcan and six of them go scurrying off in every direction. Most of them you’ll read about once and never again. But there is a big four of sorts that just never seem to go away:  Carberp, Citadel, SpyEye, and especially Zeus.


Semantically speaking the problem with calling these things banking trojans, is that sometimes we catch them doing other bad stuff not related to the theft of financial information. It’s all very murky in the seedy underworld of cybercrime, but, semantics aside, each of these pieces of malicious software represents a real problem: they are damn good at stealing online and other banking information.

It’s a bit difficult to write a compelling story about a handful of different banking trojans seeing that they all do essentially the same thing, but nonetheless, here is a run down of the four most prolific ones in a rough reverse order of notoriety:


The original version of Carberp was something of a typical Trojan. It was designed to steal users’ sensitive data, like online banking credentials or username-password combinations for other high-value sites. Carberp relayed the information it stole back to a command and control (C&C) server under its creator’s control. Simple and straightforward. The only tricky component was the complicated rootkit functionality, allowing the Trojan to remain unnoticed on the victim’s system.  The next generation of Carberp added plug-ins: one that removed anti-malware software from infected machines and another that tried to kill off other pieces of malware should they exist.

Things got more interesting when its maintainers gave their trojan the ability to encrypt stolen data as it passed between affected machines and their C&C server. According to researchers, Carberp represented the first time that a piece of malware used a randomly generated cryptographic cipher rather than a static key.

At one point, Carberp started working in conjuncture with the most-notorious Blackhole exploit kit, generating an enormous uptick in infections. All was going well for Carberp and its authors. They had even managed to develop a Carberp module on Facebook that tried to trick users into handing over e-cash vouchers as part of a ransomware-type scam.

According to researchers, Carberp represented the first time that a piece of malware used a randomly generated cryptographic cipher rather than a static key.

From there, things went downhill a bit. Russian authorities nabbed eight men believed to be responsible for controlling the malware, but Carberp did not die. Since then there has been no shortage of Carberp sabotage attempts and arrests. At one point, criminals seeking to deploy the tool would have to pay $40,000 for access to it until its source code was released last year, giving nearly anyone with enough know-how access to the trojan.


The Citadel trojan is a variation of the king of financial malware, Zeus. It emerged, along with a number of other one-off trojans, after the Zeus trojan’s source code leaked in 2011. Citadel’s initial noteworthiness has a lot to do with its creator’s novel adoption of the open the open-source development model that let anyone review its code and improve upon it (make it worse).

The group or groups of criminals responsible for Citadel developed a community of customers and contributors around the globe that would suggest new features for the malware, contributing code and modules as part of a criminal social network of sorts. Some of the most fascinating capabilities included AES encryption of configuration files and communications with the C&C server, an ability to evade tracking sites, the capacity to block access to security sites on victim machines, and a functionality that could record videos of victim activities.

The network of Citadel contributors continued adding newer and more dynamic features to the trojan, making it more adaptive and faster, until it became utilitarian that criminals began using it for all stripes of credential theft.

Citadel saw big success until Microsoft and a coalition of other companies launched an operation that would eventually disable some 88 percent of its infections.


The SpyEye trojan was supposed to be the banking trojan that would come to compete with Zeus. In the end, SpyEye was like all the men said to be heirs to Michael Jordan’s greatness. They had hype, they had potential, but they couldn’t take down the king. Zeus is the king, no doubt, but SpyEye made a fast disappearing splash.

At one point, parts of SpyEye botnet operation merged with Zeus’s into a meg-banking-botnet, but it would ultimately burn out without living up to the hype. It had its successes though. Attackers deployed SpyEye in an attack targeting Verizon’s online billing page pilfering users’ sensitive personal and financial information for more than a week without notice. It showed up on Amazon’s Simple Storage Service, using the cloud provider as a platform for attacks, it showed up on Android devices at one point, but a series of arrests and perhaps just a lack of effectiveness ended SpyEye’s run.

Three Baltic men were arrested in the summer of 2012 for using SpyEye to operate a highly organized banking information theft operation. In May of this year, an alleged SpyEye developer was arrested in Thailand and extradited to the United States, where he faces more than thirty counts of botnet and bank fraud related charge.

Since then, we haven’t heard a whole lot about SpyEye.


And then there was Zeus. Aptly named for the king of the Grecian Gods, Zeus unparalleled in scope, use, and effectiveness. Since its source code was leaked in 2011, it seems that nearly every banking trojan has flavors of Zeus built into it. Among these, only Zeus is notorious enough to have its own Wikipedia page. There are 22 pages, each containing ten stories, on Threatpost (the site where all these hyperlinks go to) making reference to the Zeus trojan. You could write a Leo Tolstoy or Marcel Proust length novel about the shenanigans of the Zeus trojan, so it’s nearly impossible to briefly synopsize the threat, but we’ll throw out some highlights.

It burst onto the scene in 2007 after it was used in a credential-theft attack targeting the United States Department of Transportation. Since then Zeus has infected tens of millions of machines and resulted in the theft of hundreds of millions of dollars until its creator reportedly called it quits in 2011, publishing the malware’s source code online. Many hundreds or individuals served or are serving jail time for their involvement in Zeus-related scams.

It was among the first pieces of malware sold via license. Until its source code was made public, Zeus was the scourge of banks and corporations alike. The list of it’s victims is too long to list, but includes prominent banks, corporations, and government agencies.

Zeus is also known for innovative usage of mobile “younger brother” called ZitMo to circumvent popular two-factor authentication schemes with security code being provided via text message. SpyEye and Carber developed their respective mobile counterparts as well.

Banking malware aside, the Zeus trojan is among the most notorious of all malware, second only perhaps to Stuxnet.

The protection

Each malware in The Big Four share the same essential properties: it tries to evade detection by your antivirus, it intercepts keystrokes, browser data, stored files and basically everything that helps to sneak into your banking account and initiate an illegal money transfer. It even tries to install mobile malware on your smartphone, which enables criminals to steal one-time security codes, often used by banks to approve transactions. Among other types of malware, banking Trojans have the potential to inflict direct financial damage to their victims, that’s why modern protection software must include specific countermeasures against every aspect of the “banking” Trojan functionality. Kaspersky Lab has packaged these protection measures into Safe Money technology, which is implemented in recent versions of Kaspersky Internet Security – Multi-Device and Kaspersky PURE. Learn how to enable Safe Money with this tip.