Pandemiya is built from scratch, with more than 25,000 lines

Jun 11, 2014 09:24 GMT  ·  By

Called Pandemiya, the new Trojan has been coded from scratch in about a year and includes protective measures to avoid detection by automated network analyzers.

Researchers at RSA Security reveal that Pandemiya is currently advertised on the cyber black market for the price of $1,500 (1,100 EUR); this is only for the core application, and a complete package, with additional functions provided by plug-in components, costs $2,000 (1,480 EUR).

Although it shares plenty of features with the infamous ZeuS, this is not one of its variants, as all the lines of code (over 25,000) are original.

The threat is designed to allow the botmaster to spy on an infected system and get form data and login credentials, as well as take snapshots of the screen.

Additional sensitive information can be obtained by injecting fake pages into the web browser (Google Chrome, Internet Explorer or Mozilla Firefox), thus tricking the victims into providing the details themselves.

Data gathered from the infected machine is sent to the control server in encrypted form, using dynamically generated content and URIs as an evasive measure against network analyzers.

According to RSA, among the default features included in Pandemiya there is “signing of the botnet files to protect them from being hijacked by other fraudsters, and from being analyzed by security analysts or law enforcement.”

Beyond the defaults, the core functionality can be expanded through plug-in components that provide reverse proxy, FTP credential stealing and PE infecting capabilities.

Additional add-ons, currently in experimental stage, include a reverse hidden RDP and a Facebook spreader. The latter relies on Facebook credentials stolen from the victim to spread malicious links to friends.

Stopping the activity of the infection is not too difficult, as RSA says that the threat creates an executable file under the “Application Data” folder and a new value pointing to it in the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run registry key.

Next in the installation process is placing a DLL with a random name in the System32 folder and creating a registry value for it in HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDlls.

After checking the aforementioned registry values to identify the executable and the DLL file, deleting those values should leave the threat inactive. A computer restart and then deleting the two files should ensure a clean system.

One peculiarity noted by the RSA researchers is that the last installation step “uses a not-so-well documented Windows security function – Windows will make every process run through the CreateProcess API, and load all of the DLLs under this registry key. Pandemiya makes use of this to inject itself into every new process that is initiated.”
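As an added, defender-side illustration (this is not code from RSA or from the article), the following PowerShell enumerates the two persistence locations named above, the per-user Run key and the AppCertDlls key, and flags any entry whose target file is missing, unsigned, or stored under the user's Application Data folder. The path-parsing regex and the "suspicious" heuristics are assumptions of this example, not documented Pandemiya indicators.

```powershell
# Added example: review the Run and AppCertDlls persistence locations described above.
# Heuristics (unsigned target, target under %APPDATA%, any AppCertDlls entry) are assumptions.
$locations = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\System\CurrentControlSet\Control\Session Manager\AppCertDlls'
)
# Properties PowerShell adds to every registry item; they are not registry values.
$psMeta = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Get-PersistenceEntries {
    foreach ($key in $locations) {
        if (-not (Test-Path $key)) { continue }          # AppCertDlls is often absent on clean hosts
        $item = Get-ItemProperty -Path $key
        foreach ($prop in $item.PSObject.Properties) {
            if ($prop.Name -in $psMeta) { continue }
            $raw = [string]$prop.Value
            # Take the quoted path if present, otherwise the first whitespace-delimited token.
            if ($raw -match '^\s*"([^"]+)"') { $path = $Matches[1] }
            else { $path = ($raw -split '\s+')[0] }
            $path = [Environment]::ExpandEnvironmentVariables($path)

            $status = if (Test-Path $path) { [string](Get-AuthenticodeSignature $path).Status }
                      else { 'FileMissing' }
            $inAppData = $path -like "$env:APPDATA*"
            [pscustomobject]@{
                Key        = $key
                Name       = $prop.Name
                Target     = $path
                Signature  = $status
                Suspicious = ($status -ne 'Valid') -or $inAppData -or ($key -like '*AppCertDlls*')
            }
        }
    }
}

# Any row marked Suspicious deserves manual review before the value and file are removed.
Get-PersistenceEntries | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Run it from an elevated PowerShell session so the HKLM key is readable; the Run key portion only covers the currently logged-on user's hive.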

At the moment, Pandemiya has not risen in popularity, but considering that law enforcement and security firms focus on ZeuS variants, the threat’s modular architecture could boost its distribution.