Malware Targets Password Managers

Experts Outline Defenses Against New Citadel Variant
Malware Targets Password Managers

The Citadel crimeware toolkit, originally designed to steal sensitive information from infected Windows PCs, has been upgraded to grab the master passwords used to unlock password management applications, according to IBM's Trusteer security division. That creates the risk that usernames and passwords stored in otherwise secure password managers might get stolen by attackers. To date, however, there's been no evidence of related attacks, or successful exploits.

See Also: 2016 Annual Worldwide Infrastructure Security Update

The latest variant of the Citadel malware - an offspring of the Zeus financial Trojan - attempts to steal a user's master passwords for two free and open source password tools - KeePass and Password Safe - as well as to compromise the neXus Personal Security Client, which some enterprises and service providers use to provide secure financial and e-commerce transactions.

Citadel, like Zeus, has long been designed to target people's personal bank credentials. The malware includes the ability to begin logging keystrokes, capturing screenshots and recording video whenever the user of an infected PC accesses an online banking site. But enterprising hackers have also customized the malware for espionage purposes, for example to target petrochemical manufacturers.

Now, the banking malware is trying to crack password managers, says Sean Sullivan, security adviser at Finnish anti-virus firm F-Secure, who confirms that the Trusteer report looks legitimate. But he and other security experts say that password management vendors can address the threat by adding two-factor authentication support to their products. And users can employ several approaches to safeguard themselves against related attacks, including using two-factor authentication - all three of the targeted password managers already support it - and only storing their most sensitive passwords on secure, trusted devices.

Targeting Master Passwords

The latest version of Citadel watches an infected PC to see if users activate one of several types of password managers. If so, the malware begins keystroke logging to capture and relay the master password - for the password management software - to the attackers. Stealing this master password "enables the cyber-attacker to unlock and access the entire list" of usernames and passwords being stored inside the password manager, says Dana Tamir, director of enterprise security for IBM's Trusteer, in a blog post.

Rony Shapiro, the developer behind Password Safe, one of the password management applications targeted by the latest version of Citadel, tells Information Security Media Group that users of the application can defend against Citadel attacks in two ways. "It appears that changing the name of the executable would suffice. That is, renaming pwsafe.exe to nothing_here.exe would be enough to avoid Citadel from capturing the master passphrase," thus allowing attackers to decrypt the passwords stored by the application, Shapiro says.

In addition, "Password Safe works with a challenge/response token, specifically Yubico's Yubikey, which also provides protection against keystroke loggers," Shapiro says. Yubikey delivers a one-time, 44-character password, which gets authenticated by Yubico's cloud service, and can be used to provide a second authentication factor for compatible software and websites.

Per Hägerö, CTO of Stockholm-based neXus, says the company is testing a beta version of neXus Personal Security Client that will mitigate the potential risk posed by Citadel. But he says that IBM's report only shows that the malware has been attempting to target neXus users. "There is no proof that this is evidence of a successful identity theft event or other type of criminal activity," Hägerö says, noting that his company has seen no evidence of related attacks. "We also want to stress that over 95 percent of neXus Personal users are using secure storage - such as smart cards - to protect keys, which mitigates the risk of them being stolen and misused."

KeePass developer Dominik Reichl, meanwhile, tells Information Security Media Group that as a defense against keyloggers, his software can use the Windows secure desktop feature - built into Windows 2000 and newer - "to show the master key dialog on a different - secure - desktop," from which all known malware, at least to date, hasn't been able to log keystrokes.

Citadel: Zeus Offshoot

Trusteer estimates that Citadel now infects one out of every 500 PCs worldwide. After infecting a computer, the malware "phones home" to a command-and-control server and receives a configuration file telling it what types of information it should target, which functions to enable, as well as addresses for backup C&C servers, should communications with the primary "mothership" fail. "As long as the malware is communicating with the C&C, the configuration file can be updated with information about new targets, activities and C&C destinations," Tamir says.

Once Citadel infects a system, it has been designed to avoid being detected by anti-virus software and includes the ability to infect the PC with additional types of malware. In particular, Citadel has been tied to distribution of Reveton ransomware, which attempts to trick users of infected PCs into paying a ransom demand, often using a warning that's branded with the logo of the FBI or Department of Homeland Security.

Last year, federal authorities announced that the Microsoft Digital Crimes Unit, in coordination with the FBI, shut down more than 1,400 botnets that were responsible for distributing Citadel, and which had been tied to an estimated $500 million in fraud. But information security experts warned that the takedown would likely only serve as a minor inconvenience for criminals, and was unlikely to curb Citadel infections over the long term.

Tap Two-Factor Authentication

Now, of course, computer users must beware of Citadel and other malware that may attempt to steal their password manager log-in credentials. In response, Patrick Tiquet, director of security and architecture for password management software developer Keeper Security, says all password management developers and vendors must offer - and strongly encourage their users to adopt - two-factor authentication, as well as continue upgrading their products to use the latest security options. "Developers should provide users the ability to enter all or part of their master passwords through a channel other than a traditional keyboard, such as biometrics, as new technologies become available," he says. "Users should also avoid entering a master password on any untrusted laptop or desktop computer, where a keylogger may be present." F-Secure's Sullivan, for example, says he never stores sensitive passwords on any shared system, such as a home computer, instead preferring to keep them on a tablet.

But even simple, non-technological approaches can suffice. "Writing online passwords down on paper is acceptable if you can secure them at home," Sullivan says. "You can also just write down part of your passwords if you always append a PIN at the end of them."

But the best way to prevent a banking Trojan from stealing the master password for password management software is to keep PCs malware-free. Otherwise, all security bets are off. "This is law #1 of the 10 Immutable Laws of Security: 'If a bad guy can persuade you to run his program on your computer, it's not your computer anymore,'" says KeePass developer Reichl.

"Prevention is clearly the best cure," Sullivan says. "It is going to be very difficult to defend a compromised endpoint."


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.




Around the Network