Incident Response, Malware, TDR

Expensive new trojan, Pandemiya, based on 25K original lines of C code

Pandemiya, a new trojan being sold on underground forums for as much as $2,000, separates itself from other similar malware – such as Citadel and ICE IX – because it is not at all based on the source code of the infamous Zeus trojan.

However, in the end, Pandemiya is still a trojan that does share many similar features as Zeus, including gaining access to browser traffic, obtaining credentials, capturing screenshots, locating and stealing files, and modularity, meaning plugins can be added to enhance the malware's capabilities, according to a Tuesday post by Eli Marcus, a senior writer on RSA's FraudAction Knowledge Delivery team.

Buyers can purchase the core application for $1,500, which includes injects and grabbers for three leading web browsers, as well as tasks, a file grabber, a loader, signing of botnet files to prevent analysis and hijacking, and encrypted communication with the panel, according to the post.

“What's so interesting about the Pandemiya trojan is its randomization of the URIs, or uniform resource identifiers,” Marcus told SCMagazine.com in a Tuesday email correspondence. “[T]his way it can evade detection by some of the network traffic analyzers that rely solely on static signatures/patterns.”

For $2,000, buyers get additional features, including a reverse proxy, an FTP stealer with combined internal iFramer, and a PE infector for startup, according to the post, which adds that a reverse hidden RDP and Facebook spreader are experimental plugins that should be integrated soon.

“The infection method is left up to the purchaser of the application, but one of the added features listed by the seller is a PE infector – used to conceal the Trojan app inside an innocuous looking Windows executable file,” Marcus said.

So far, only a very limited number of Pandemiya infections have been observed, making it hard to determine a region being impacted, Marcus said. There is also not enough evidence to speculate on the location of the author, who spent a year writing 25,000 lines of original C code to develop the trojan, he added.

In the post, Marcus outlines a simple four-step process to eliminating the Pandemiya threat on infected systems.

“This is a relatively simple trojan by design; it is not a rootkit, and therefore is relatively easier to remove,” he said.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.