New Trojan Built on Original Code Takes on Zeus Variants

Pandemiya is able to command decent pricing: according to RSA's analysis, its creators are advertising it at $1,500 for the core application
Pandemiya is able to command decent pricing: according to RSA's analysis, its creators are advertising it at $1,500 for the core application

A new commercial trojan malware application known as Pandemiya has burst onto the cybercrime scene. It’s being promoted in underground forums as an alternative to the ubiquitous Zeus trojan and its variants, because it’s been coded from scratch.

“Pandemiya’s coding quality is quite interesting,” said Eli Marcus, a member of RSA’s FraudAction Knowledge Delivery team, in a blog. “And contrary to recent trends in malware development…we found out that the author of Pandemiya spent close to a year of coding the application, and that it consists of more than 25,000 lines of original code in C.”

Thus bucking the trend of recycling parts of publicly available trojan source code (Zberp, anyone?), Pandemiya is able to command decent pricing in the shadowy dark web. According to RSA's analysis, its creators are advertising it at $1,500 for the core application, or $2,000 USD for the core application including plugins for additional functionality. It’s a relatively high entry price has so far prevented it from wide distribution, Marcus noted.

But an interesting aspect of the application is its modular design, which makes it easy to add functionality. Pandemiya has the ability to load external plugin DLLs, which allows operators of the malware and other developers to create plugins that expand the application’s range of capabilities.

“The advent of a freshly coded new Trojan malware application is not too common in the underground,” he concluded, adding that despite its pricing, “the design choice to make this malware modular and easy to expand upon with DLL plugins could make it more pervasive in the near future.”

In terms of core functionality, Pandemiya is designed to enable a botmaster to spy on an infected computer – secretly stealing form data, login credentials and files from the victim, as well as taking snapshots of the victim’s computer screen. This malware also allows the injection of fake pages into IE, Safari and Chrome internet browsers in an effort to gather additional sensitive information from the victims themselves.

“Like many of the other Trojans we’ve seen of late, Pandemiya includes protective measures to encrypt the communication with the control panel, and prevent detection by automated network analyzers,” Marcus said.

As is typical with commercial trojans, the infection and installation method is left up to the operator. Usually it will make use of an exploit pack that generates a drive-by exploit page that infects a PC in a drive-by attack, the researcher added.

What’s Hot on Infosecurity Magazine?