Malware Targets Password Managers

Experts Outline Defenses Against New Citadel Variant

By Mathew J. Schwartz, November 24, 2014

The Citadel crimeware toolkit, originally designed to steal sensitive information from infected Windows PCs, has been upgraded to grab the master passwords used to unlock password management applications, according to IBM's Trusteer security division. That creates the risk that usernames and passwords stored in otherwise secure password managers might get stolen by attackers. To date, however, there's been no evidence of related attacks or successful exploits.

The latest variant of the Citadel malware - an offspring of the Zeus financial Trojan - attempts to steal a user's master passwords for two free and open source password tools - KeePass and Password Safe - as well as to compromise the neXus Personal Security Client, which some enterprises and service providers use to provide secure financial and e-commerce transactions.

Citadel, like Zeus, has long been designed to target people's personal bank credentials. The malware includes the ability to begin logging keystrokes, capturing screenshots and recording video whenever the user of an infected PC accesses an online banking site. But enterprising hackers have also customized the malware for espionage purposes, for example to target petrochemical manufacturers.

Now, the banking malware is trying to crack password managers, says Sean Sullivan, security adviser at Finnish anti-virus firm F-Secure, who confirms that the Trusteer report looks legitimate. But he and other security experts say that password management vendors can address the threat by adding two-factor authentication support to their products. And users can employ several approaches to safeguard themselves against related attacks, including using two-factor authentication - all three of the targeted password managers already support it - and only storing their most sensitive passwords on secure, trusted devices.

Targeting Master Passwords

The latest version of Citadel watches an infected PC to see if users activate one of several types of password managers. If so, the malware begins keystroke logging to capture and relay the master password - for the password management software - to the attackers. Stealing this master password "enables the cyber-attacker to unlock and access the entire list" of usernames and passwords being stored inside the password manager, says Dana Tamir, director of enterprise security for IBM's Trusteer, in a blog post.

Rony Shapiro, the developer behind Password Safe, one of the password management applications targeted by the latest version of Citadel, tells Information Security Media Group that users of the application can defend against Citadel attacks in two ways. "It appears that changing the name of the executable would suffice. That is, renaming pwsafe.exe to nothing_here.exe would be enough to avoid Citadel from capturing the master passphrase," Shapiro says. A captured master passphrase is what would otherwise allow attackers to decrypt the passwords stored by the application.

In addition, "Password Safe works with a challenge/response token, specifically Yubico's Yubikey, which also provides protection against keystroke loggers," Shapiro says. Yubikey delivers a one-time, 44-character password, which gets authenticated by Yubico's cloud service, and can be used to provide a second authentication factor for compatible software and websites.
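To show why a challenge/response token blunts a keystroke logger, here is an added Python model; it is not Password Safe's own code or its actual key-derivation scheme, and the token secret, salt and iteration count are constructed values for the demonstration:

```python
import hashlib
import hmac
from typing import Optional

# Constructed values for this demonstration. In a real token the HMAC secret lives
# only inside the hardware and cannot be read out by software on the infected PC.
TOKEN_SECRET = bytes.fromhex("0f" * 20)   # 20-byte HMAC-SHA1 key (constructed)
SALT = b"constructed-vault-salt"
ITERATIONS = 10_000


def token_response(secret: bytes, challenge: bytes) -> bytes:
    """Model of a challenge/response token: HMAC-SHA1 of the challenge under the
    token-resident secret. Only someone holding the token can compute this."""
    return hmac.new(secret, challenge, hashlib.sha1).digest()


def vault_key(passphrase: str, secret: Optional[bytes]) -> bytes:
    """Derive the vault key. Without a token the key is stretched straight from the
    typed passphrase, so logging the keystrokes is enough to reproduce it. With a
    token enrolled, the key is stretched from the token's response to a challenge
    derived from the passphrase, so the logged passphrase alone is insufficient."""
    material = passphrase.encode()
    if secret is not None:
        challenge = hashlib.sha256(material).digest()
        material = token_response(secret, challenge)
    return hashlib.pbkdf2_hmac("sha256", material, SALT, ITERATIONS, dklen=32)


def key_from_logged_passphrase(logged_passphrase: str) -> bytes:
    """What a keystroke logger's operator can derive: they hold the passphrase
    but not the hardware token, so the best they can do is the no-token path."""
    return vault_key(logged_passphrase, None)


def logger_unlocks_vault(passphrase: str, token_enrolled: bool) -> bool:
    """True if a logged passphrase reproduces the real vault key."""
    real_key = vault_key(passphrase, TOKEN_SECRET if token_enrolled else None)
    return hmac.compare_digest(key_from_logged_passphrase(passphrase), real_key)


if __name__ == "__main__":
    print("passphrase only, logger unlocks vault:", logger_unlocks_vault("correct horse", False))
    print("token enrolled,  logger unlocks vault:", logger_unlocks_vault("correct horse", True))
```

Renaming the executable only changes which process name the malware reacts to; the token changes what a logged passphrase is worth.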

Per Hägerö, CTO of Stockholm-based neXus, says the company is testing a beta version of neXus Personal Security Client that will mitigate the potential risk posed by Citadel. But he says that IBM's report only shows that the malware has been attempting to target neXus users. "There is no proof that this is evidence of a successful identity theft event or other type of criminal activity," Hägerö says, noting that his company has seen no evidence of related attacks. "We also want to stress that over 95 percent of neXus Personal users are using secure storage - such as smart cards - to protect keys, which mitigates the risk of them being stolen and misused."