In my study of Reveton's distribution, I encountered only Blackholes and another not named exploit kit ( which is now only spreading Urausy ). FBI warned about Reveton being spread via Citadel.
In this illustration it's not Citadel, it's a Smoke Bot which is pushing the Reveton.
Not so far..cause we often see Citadel pushing Smoke Bot...so it's just a matter of order/preference of the Botnet operator
(note that the Smoke Bot we will study is pushing a LOT of stuff among which Andromeda, Citadel, and for Russia/Ukraine Carberp (sic) )
For those who do not want to waste 5 minutes looking at the Video :
|Smoke Bot calling home|
|Smoke Bot downloading Reveton Dll|
|Reveton calling Home|
You can download the Fiddler Session of the Sakura Exploitation via CVE-2012-4681 (or : http://goo.gl/5JEyo (Mega) )
The Smoke bot is : 49d2c90d7c1f2477f3fb3bd19b156047
The Reveton : 603c3b3ea9f14599e34802ebff2ca736
|This Reveton Sample Call to Home in ThreatExpert report|
Full pcap of the session (that include what you saw and other stuff)
|Some binaries inside the Pcap file|