The Zeus Trojan was bad enough, but the attackers have not stopped their efforts there.  Today there are reports of a new variant of that trojan called – ‘Citadel’.

The Citadel is a chimera of the Zeus trojan, ransomware, scareware and social-networking.  This trojan is especially malicious.  It offers itself up on a drive-by site where it is downloaded to the victim’s computer.

After it installs on the sly it then sends signal to download and install the ransomware called Reveton.  This then freezes the victim’s computer and offers a very legitimate looking pop up:


This pop-up is part of the scareware and ransomware piece.  It tells the victim that child pornography has been found on their computer.  It logs their IP address and threatens to report this to the proper authorities unless they pay a “fine”.  A mere $100 seems small compared to a jail sentence, job loss and being labelled as a pedophile, no?

I honestly wish I could say it stops there. But then the creators of this particularly evil trojan use a brand of social-networking connections to communication with the infected machines and steal banking details or other personal information to further the attacks.

What Can We Learn?

Besides the fact that malicious attackers are becoming more evil and caring less and less for their fellow man, there are some serious social engineering aspects at play here.

First, one study done at Sydney University about porn addiction states that 66% of the people surveyed admit to viewing pornogrpahy regularly.  Concerns about a stray image or something being in your Internet cache means that this trojan has a 66% chance of hitting someone who may be thinking, “Hrm, was there every a person younger than 18 on that page?  I don’t want to end up in jail let me pay the $100 fine.”.

For the other 33%, the fear of being reported to a government agency is still legitimate.   John Floyd, a famous attorney who fights for the rights of the wrongly accused, tells stories of those who spent decades in prison for false accusations.  These stories flood the Internet, again, causing many to fear, even if they are innocent, that they can be incarcerated.

This fear makes people rationalize paying the “fine”.   Dr. Gregory Berns from Emory University conducted a study that basically states “dread and fear cause us to make awful decisions”.  This is the psychological principle that these attackers play off of.  The fear of being caught, the fear of the false accusation, the fear of your computer being damaged or unusable.

It is successful too. A report on claims there is over 3.6 MILLION Zeus infections (Citadel’s predecessor)  Think if each of those people, or even some of them paid a $100 “fine”… that is anywhere from $150,000,000 to $360,000,000 USD.  A huge business indeed.

What can you do if you feel you are infected?

If you are affected by this trojan, you may need to perform the following instructions to manually remove it:

  1. Press CTRL+O
  2. In the dialogue box that opens, type the following as is, then press Enter:
  3. cmd.exe
  4. In the command prompt window, type the following as is, then press Enter:
  5. cd “%USERPROFILE%\Start Menu\Programs\StartUp”
  6. Still in the command prompt window, type the following as is, then press Enter:
  7. del *.dll.lnk
  8. Still in the command prompt window, type the following as is, then press Enter:
  9. shutdown -r -t 0

More information and mitigation tips found on

Until next time, stay safe.