The attack starts when the user visits a malicious or compromised website that infects their computer with the Citadel Trojan via a drive-by download. The Citadel Trojan then connects to its command & control server and downloads the Reveton ransomware as a second-stage payload.
Upon execution, Reveton locks the infected system and displays a fake warning message from the US Department of Justice claiming that the user’s IP address was used to view disturbing content, including child pornography, and that a $100 fine must be paid to unlock the system.
This operating system is locked due to the violation of the federal laws of the United States of America! Following violations were detected
Your IP address is [YOUR IP]. This IP address was used to visit websites containing pornography, child pornography, zoophilia, and child abuse. Your computer also contains video with pornographic content, elements of violent and child pornography! Spam-messages with terrorist motives were also sent from your computer.
This computer lock is aimed to stop your illegal activity.
It is important to note that even if the user makes the mistake of paying off the “fine” cooked up by the Reveton ransomware, they’re still not off the hook.
The Citadel Trojan continues to work independently of the Reveton ransomware, harvesting personal and financial information that will be used by cybercriminals to commit identity theft and credit card fraud. The infected machine may also be recruited to participate in DDoS attacks and spam campaigns.
Protecting Your PC From Citadel & Reveton Malware
Since the Citadel Trojan is delivered via drive-by download attacks, users can minimize their chances of infection by:
- Keeping the operating system patched and up to date.
- Installing updates for all software on the machine, especially Adobe Flash, Adobe Acrobat/Reader and Java, since these are the applications most commonly exploited by drive-by download attacks. Consider disabling Java in the browser if it isn’t needed.
- Always running antivirus software and making sure its virus definitions are current.
- Remaining vigilant and using common sense. Avoid suspicious sites, but keep in mind that cybercriminals often compromise legitimate sites to host drive-by downloads, so avoiding shady sites is not enough on its own.
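The checklist above can be audited on a Windows machine with a short read-only script. The following is an added example, not code from the original post or from IC3/Trusteer; it assumes Windows Defender is the antivirus (the Get-MpComputerStatus cmdlet exists on Windows 8 / Server 2012 and later), and the "stale" thresholds of 90 days for patches and 3 days for signatures are illustrative choices, not figures from the post.

```powershell
# Added example (not from the original post): read-only audit of the four
# controls above on a Windows host. Run in an elevated PowerShell window.
# Assumptions: Windows Defender is the AV; the 90-day / 3-day staleness
# thresholds are illustrative, not values from the post.

$report = [ordered]@{}

# 1. OS patch level: date of the most recently installed hotfix.
$lastFix = Get-HotFix |
    Where-Object { $_.InstalledOn } |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 1
$report['LastHotfix']   = if ($lastFix) { "$($lastFix.HotFixID) on $($lastFix.InstalledOn.ToShortDateString())" } else { 'none found' }
$report['PatchesStale'] = (-not $lastFix) -or ($lastFix.InstalledOn -lt (Get-Date).AddDays(-90))

# 2. Commonly exploited plugins: Java, Adobe Flash, Adobe Reader/Acrobat.
#    Read the Uninstall registry keys (32- and 64-bit views) rather than
#    WMI Win32_Product, which is slow and can trigger MSI self-repair.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$targets = 'Java', 'Adobe Flash', 'Adobe Reader', 'Adobe Acrobat'
$installed = Get-ItemProperty $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } |
    ForEach-Object {
        $name = $_.DisplayName
        foreach ($t in $targets) {
            if ($name -like "$t*") {
                [pscustomobject]@{ Product = $name; Version = $_.DisplayVersion }
                break
            }
        }
    }
$report['ExploitableSoftware'] = if ($installed) { $installed } else { 'none installed' }

# 3. Is Java content enabled in the browser? Java 7u10 and later honour
#    deployment.webjava.enabled in the per-user deployment.properties file;
#    if the file or the key is absent, the default (enabled) applies.
$propsFile = Join-Path $env:USERPROFILE 'AppData\LocalLow\Sun\Java\Deployment\deployment.properties'
$webJava = 'unknown (no Java deployment settings for this user)'
if (Test-Path $propsFile) {
    $line = Select-String -Path $propsFile -Pattern '^deployment\.webjava\.enabled=' |
        Select-Object -First 1
    $webJava = if ($line) { ($line.Line -split '=', 2)[1].Trim() } else { 'true (default)' }
}
$report['JavaInBrowser'] = $webJava

# 4. Antivirus: is real-time protection on and are signatures current?
try {
    $mp = Get-MpComputerStatus -ErrorAction Stop
    $report['RealTimeProtection'] = $mp.RealTimeProtectionEnabled
    $report['SignatureAgeDays']   = $mp.AntivirusSignatureAge
    $report['SignaturesStale']    = $mp.AntivirusSignatureAge -gt 3
} catch {
    # Third-party AV or an older Windows without the Defender module.
    $report['AntivirusStatus'] = 'Defender cmdlets unavailable; check your AV console manually'
}

$report
```

If the report shows Java enabled in the browser and you don’t need it, untick "Enable Java content in the browser" on the Security tab of the Java Control Panel; that writes deployment.webjava.enabled=false to the same deployment.properties file the script reads.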
[via IC3 & Trusteer]