Top 4 Malware – Financial Trojans – Zeus, Carberp, Citadel and SpyEye.

October 15, 2016
Malware - Financial Trojans

Let us introduce the Top 4 Malware – Financial Trojans – Zeus, Carberp, Citadel and SpyEye. Later in this series of articles we will look into each malware (financial Trojan) in greater detail but allow us to make the formal introductions.


Carberp was originally introduced as a typical financial Trojan. It was designed to steal users’ sensitive data such as online banking credentials, such as username/password pairs, authentication token etc. Carberp was maintained via the cyber-criminals via a command and control (C&C) server and sent stolen data back to the primary server or credential drop sites. Carberp was soon enhanced with a layer of sophistication via a complex rootkit functionality allowing the Trojan to hide on the victims device.  Later generations of Carberp provided variants with added plug-ins. These add-ons provided further stealth that uninstalled or disable anti-virus software plus others that scanned and disabled competing malware. This is an arms race.


The Citadel trojan is a variation of the king of financial malware, Zeus. Citadel started where Zeus finished. It emerged, along with a number of other one-off trojans, after the Zeus trojan’s source code leaked in 2011. Citadel is like financial Trojan 2.0 – where the creators opened up the business models and the level of professionalism kicked up several gears. Cybercriminals could now purchase this financial malware under license. The source code was in the public domain where enhancements and function were constantly being revised and enhanced. Citadel’s initial noteworthiness has a lot to do with its creator’s novel adoption of the open the open-source development model that let anyone review its code and improve upon it.


The SpyEye trojan came out after Zeus and ran in parallel or competition to Zeus. Spyeye functioned in a similar to Zeus in terms of architecture and ran with large scale deployments and massive botnets and infection rates. We saw the back end infrastructure such as the Control and Command server become more complex, with multiple servers with built in redundancies making mitigation difficult. However, SpyEye peaked and then quickly became less popular as Zeus and Citadel Trojans evolved and became the Trojan of choice amongst the cyber criminal networks. At one point, parts of SpyEye botnet operation merged with Zeus’s into a meg-banking-botnet, but it would ultimately burn out without living up to the initial hype.

Financial Trojans evolve, always with increased stealth, impact to provide their creators, owners and masters a return on investment. Victim organisations must deploy strategic layers of defense – and in an evolving manner.



Zeus is not only the Grecian God but also the mother of all financial Trojans.  Zeus first came onto the radar in 2007 after it was used in a credential-theft attack targeting the United States Department of Transportation. Since then it has remained the king of malware. Other malware has evolved with increased sophistication, however, Zeus has been responsible for the highest infection rates and financial losses. Infected victims are in the tens of millions and total fraud impact makes this a billion dollar piece of software. The original Zeus creator left the “business” in the 2011 and the source code was published in 2011. Most other financial Trojans have some kind of Zeus function, method and even base code.

Zeus is also known for innovative usage of mobile “younger brother” called ZitMo to circumvent popular two-factor authentication schemes with security code being provided via text message. SpyEye and Carber developed their respective mobile counterparts as well.

Banking malware aside, the Zeus trojan is among the most notorious of all malware, second only perhaps to Stuxnet.


About the author

Leave a Reply