Zeus Trojan Alternative Created From Scratch Hits the Underground Market

Venustus

IDG News Service — A new Trojan program that can spy on victims, steal login credentials and interfere with browsing sessions is being sold on the underground market and might soon see wider distribution.

The new threat is called Pandemiya and its features are similar to those of the infamous Zeus Trojan program that many cybercriminal gangs used for years to steal financial information from businesses and consumers.

Zeus source code was leaked on underground forums in 2011, allowing other malware developers to create Trojan programs based on it, including threats like Citadel, Ice IX and Gameover Zeus, whose activity was recently disrupted by an international law enforcement effort.

"Pandemiya's coding quality is quite interesting, and contrary to recent trends in malware development, it is not based on Zeus source code at all, unlike Citadel/Ice IX, etc.," researchers from RSA, the security division of EMC, said Tuesday in a blog post. "Through our research, we found out that the author of Pandemiya spent close to a year of coding the application, and that it consists of more than 25,000 lines of original code in C."

The new Trojan program can inject rogue code into websites opened in a local browser, a technique known as Web injection; grab information entered into Web forms; steal files; and take screenshots. Because it has a modular architecture, its functionality can also be extended through individual DLL (dynamic link library) files that act as plug-ins.

Some of Pandemiya's existing plug-ins allow cybercriminals to open reverse proxies on infected computers, to steal FTP credentials and to infect executable files. Its creators are also working on others to enable reverse Remote Desktop Protocol connections and to allow the malware to spread through hijacked Facebook accounts, the RSA researchers said.

"Like many of the other Trojans we've seen of late, Pandemiya includes protective measures to encrypt the communication with the control panel, and prevent detection by automated network analyzers," the researchers said.

The new threat is being advertised on underground forums for US$1,500 for the core application and $2,000 with additional plug-ins, a relatively high entry price for cybercriminals. This aspect and the fact that it's new have kept Pandemiya from gaining popularity so far, but the fact that it can easily be expanded with DLL plug-ins "could make it more pervasive in the near future," the RSA researchers said.


Littlebits

ZeuS Replacement Found in Underground Forums:

Called Pandemiya, the new Trojan has been coded from scratch in about a year and includes protective measures to avoid detection by automated network analyzers.

Researchers at RSA Security reveal that Pandemiya is currently advertised on the cyber black market for the price of $1,500 (1,100 EUR); this is only for the core application, and a complete package, with additional functions provided by plug-in components, costs $2,000 (1,480 EUR).

Although it shares plenty of features with the infamous ZeuS, this is not one of its variants, as all the lines of code (over 25,000) are original.

The threat is designed to allow the botmaster to spy on an infected system and get form data and login credentials, as well as take snapshots of the screen.

Additional sensitive information can be obtained by injecting fake pages into the web browser (Google Chrome, Internet Explorer or Mozilla Firefox), thus tricking the victims into providing the details themselves.

Data gathered from the infected machine is sent to the control server in an encrypted form, using dynamic content and URI as an evasive measure against network analyzers.

According to RSA, among the default features included in Pandemiya there is “signing of the botnet files to protect them from being hijacked by other fraudsters, and from being analyzed by security analysts or law enforcement.”

However, the core functionality can be expanded through plug-in components that provide reverse proxy, FTP stealing and PE infecting capabilities.

Additional add-ons, currently in experimental stage, include a reverse hidden RDP and a Facebook spreader. The latter relies on Facebook credentials stolen from the victim to spread malicious links to friends.

Stopping the activity of the infection is not too difficult, as RSA says that the threat creates an executable file under the “Application Data” folder and a new value for it in the HKEY_LOCAL_USER\Software\Microsoft\Windows\CurrentVersion\Run registry key.

Next in the installation process is placing a DLL with a random name in the System32 folder and creating a registry value for it in HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDlls.

By deleting the aforementioned registry keys after checking them to identify the executable and the DLL file, the threat should no longer be active. A computer restart and then deleting the files should ensure a clean system.

One peculiarity noted by the RSA researchers is that the last installation step “uses a not-so-well documented Windows security function – Windows will make every process run through the CreateProcess API, and load all of the DLLs under this registry key. Pandemiya makes use of this to inject itself into every new process that is initiated.”

At the moment, Pandemiya has not risen in popularity, but considering that law enforcement and security firms focus on ZeuS variants, the threat’s modular architecture could boost its distribution.


Enjoy! :D

starchild76

A new and relatively rare Zeus Trojan program has been found which is totally different from other banking Trojans and has the capability to secretly steal form data, login credentials and files from the victim, as well as create fake web pages and take screenshots of the victim's computer.

Researchers at RSA Security’s FraudAction team have discovered this new and critical threat, dubbed ‘Pandemiya’, which is being offered to cyber criminals in underground forums as an alternative to the infamous Zeus Trojan and its many variants, which most cyber-criminals have widely used for years to steal banking information from consumers and companies.

The source code of the Zeus banking Trojan has been available on underground forums for the past few years, which has led malware developers to design more sophisticated variants of the Zeus Trojan such as Citadel, Ice IX and Gameover Zeus.

But Pandemiya is by far the most isolated and dangerous piece of malware, as the author spent a year writing its code, which includes 25,000 lines of original code written in C.

Like other commercial Trojans, Pandemiya infects machines through exploit kits and drive-by download attacks to boost the infection rate, exploiting flaws in vulnerable software such as Java, Silverlight and Flash within a few seconds of the victim landing on the web page.

“Pandemiya’s coding quality is quite interesting, and contrary to recent trends in malware development, it is not based on Zeus source code at all, unlike Citadel/Ice IX, etc.,” researchers from RSA, the security division of EMC, said Tuesday in a blog post. “Through our research, we found out that the author of Pandemiya spent close to a year of coding the application, and that it consists of more than 25,000 lines of original code in C.”

The Pandemiya Trojan uses the Windows CreateProcess API to inject itself into every new process that is initiated, including Explorer.exe, and re-injects itself when needed. Pandemiya is being sold for as much as $2,000 USD and provides all the nasty features, including encrypted communication with command and control servers in an effort to evade detection.

The Trojan has been designed with a modular architecture to load external plug-ins, which allows hackers to add extra features simply by writing a new DLL (dynamic link library). The extra plug-ins easily add capabilities to the Trojan’s core functionality, which is why the developer charges an extra $500 USD to get the core application as well as its plug-ins, which allow cybercriminals to open reverse proxies on infected computers, to steal FTP credentials and to infect executable files in order to inject the malware at start-up.

"The advent of a freshly coded new trojan malware application is not too common in the underground," Marcus writes, adding that the modular approach in Pandemiya could make it “more pervasive in the near future."

The malware developers are also working on other new features to add reverse Remote Desktop Protocol connections and a Facebook attack module in order to spread the Trojan through hijacked Facebook accounts.

HOW TO REMOVE PANDEMIYA TROJAN

The Trojan can be easily removed with a little modification in the registry and command line action, as explained below:

  1. Locate the registry key HKEY_LOCAL_USER\Software\Microsoft\Windows\CurrentVersion\Run and identify the *.EXE filename in your user’s ‘Application Data’ folder. Note the name, and delete the registry value.
  2. Locate the registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDlls. Find the value with the same name as the *.EXE file in the previous step. Note the file name, and remove the value from the registry.
  3. Reboot the system. At this stage Pandemiya is installed but no longer running. Delete both files noted earlier. This will remove the last traces of the Trojan. Your system is now clean.
Stay Safe!
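The Littlebits post above and the three removal steps in this post describe the same two persistence locations: a Run value in the user hive pointing at an executable under “Application Data”, and an AppCertDlls value whose DLL is loaded into every process created through CreateProcess. The PowerShell triage script below is an added example, not code from the articles, RSA or MalwareTips; it reads the Run key from HKEY_CURRENT_USER (the hive that actually exists, which the articles write as HKEY_LOCAL_USER), takes `$env:APPDATA` as the “Application Data” folder, and only reports and hashes what it finds, so the steps above can be followed against known names rather than guesses.

```powershell
# Added triage script, not part of the articles or RSA's write-up. Run from an
# elevated PowerShell prompt. It only reports; nothing is deleted.
# The articles write "HKEY_LOCAL_USER"; the hive that actually exists is
# HKEY_CURRENT_USER, so the Run key is read from HKCU.
$runKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$certKey = 'HKLM:\System\CurrentControlSet\Control\Session Manager\AppCertDlls'
$appData = $env:APPDATA   # assumed to be the per-user "Application Data" folder

# Returns the values of a registry key as Name/Value pairs, skipping PS* metadata.
function Get-RegValues([string]$Path) {
    $item = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    if (-not $item) { return @() }
    $item.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } |
        ForEach-Object { [pscustomobject]@{ Name = $_.Name; Value = [string]$_.Value } }
}

$findings = @()

# Step 1 of the removal guide: Run values whose *.exe lives under Application Data.
foreach ($v in Get-RegValues $runKey) {
    # Strip surrounding quotes and any arguments to get the executable path
    $exe = if ($v.Value -match '^"([^"]+)"') { $Matches[1] } else { ($v.Value -split '\s+')[0] }
    if ($exe -like "$appData\*" -and $exe -like '*.exe') {
        $findings += [pscustomobject]@{ Location = 'HKCU Run'; Name = $v.Name; Path = $exe }
    }
}
# Names the guide says to look for again in AppCertDlls (with and without .exe)
$exeNames = $findings | ForEach-Object {
    [IO.Path]::GetFileName($_.Path); [IO.Path]::GetFileNameWithoutExtension($_.Path)
}

# Step 2: AppCertDlls. Every DLL listed here is loaded into each process created
# through CreateProcess, which is the injection trick the articles describe. The
# key is normally absent or empty, so any entry is worth a look; an entry whose
# name matches the .exe from step 1 is exactly the pattern the guide describes.
foreach ($v in Get-RegValues $certKey) {
    $tag = if ($exeNames -contains $v.Name) { 'AppCertDlls (name matches step 1 exe)' }
           else { 'AppCertDlls' }
    $findings += [pscustomobject]@{ Location = $tag; Name = $v.Name; Path = $v.Value }
}

# Report, and hash the referenced files for correlation before anything is removed.
if ($findings.Count -eq 0) { 'Nothing found in either persistence location.'; return }
$findings | Format-Table -AutoSize
$findings | Where-Object { Test-Path -LiteralPath $_.Path } | ForEach-Object {
    Get-FileHash -LiteralPath $_.Path -Algorithm SHA256 | Select-Object Path, Hash
}
```

Keep the SHA256 output and the noted file names before carrying out steps 1 to 3, since once the values and files are gone there is nothing left to correlate against other machines.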

Mateotis

Not too dangerous as of yet, because you can apparently fully remove it by deleting two registry keys and two files.

However, it has more potential than any other malware I've seen with its capability to have external plugins so easily. We all know how creative and effective malware authors can be in order to be successful.