Brand new, written-from-scratch malware is a relatively rare undertaking on the underground. Aside from some private endeavors, source code is available for a number of popular Trojans, including Zeus, Citadel and Carberp, making it easy for attackers to simply grab one off the shelf and get started. These three in particular have been adapted over and over, fortifying the illicit reputations of banking Trojans.
That makes the recent discovery of a new banking Trojan all the more noteworthy. RSA Security’s FraudAction team released a report on Pandemiya, a Trojan that’s being promoted in hacker forums as an alternative to the Zeus banking Trojan and its many variants.
The Trojan is being sold for as much as $2,000 and provides many of the same features that well-known banking malware provides, including encrypted communication with command and control servers in order to hamper detection and analysis. The Trojan also has a modular design; its ability to load external plug-ins, RSA said, allows hackers to add new features simply by writing a new DLL. The plug-ins easily add capabilities to the Trojan’s core functionality.
RSA said the author spent a year writing Pandemiya, which includes 25,000 lines of original code written in C.
“From my experience, it’s not very common in the cybercrime industry to stumble upon a completely original piece of malicious code; most of the malicious code writers are relying on and reusing previously leaked source codes,” said Uri Fleyder, cybercrime research lab manager at RSA. “For example, Zeus and Carberp leaked source codes (or parts of them) are heavily reused in many cybercrime-related Trojan variants.”
Whether this trend gains any traction bears watching in light of the recent takedown of the GameOver Zeus botnet, a peer-to-peer botnet spreading banking malware and the Cryptolocker ransomware. While this variant has no connection to GameOver Zeus or its takedown, those pieces of malware are well known to researchers and signature-based detection tools.
“In my opinion, the main reason to write a new malicious code completely from scratch is to bypass end-point based security protection solutions,” Fleyder said. “Most of the security products for end-point devices are relying on previously known signatures and previously known behavioral patterns. It’s harder (from their point-of-view) to detect and block new threats which behave differently from all of the previously known ones.”
Pandemiya contains a number of core features that are common to most banking malware, including web injects and form-grabbers for the three leading browsers, as well as a file grabber, loader and the ability to digitally sign files to protect them not only from detection by security researchers, but also from other criminals. Communication with the command and control panel is also encrypted.
Additional plug-ins, available for an extra $500, include a reverse proxy, an FTP stealer and a portable executable (PE) infector that injects the malware at startup. Other plug-ins on the way, Fleyder said, include a reverse hidden RDP and a Facebook spreader, which uses stolen Facebook credentials collected by the Trojan to post and spread malicious links to Facebook friends.
“Many Trojans nowadays are using social networks (in the past most of them have been relying on instant messaging services, like ICQ and Windows Messenger) as a spreading mechanism which exploits the human chain of trust (“friends” in social networks),” Fleyder said. “It’s a classic example of social engineering.”
The malware is being spread by exploit kits, hitting computers via drive-by download attacks. The malware includes hooks for a number of running processes that are used to steal browser traffic, HTTP form data and credentials. It also can take screenshots and conduct file search and compression in order to steal files.
“From my experience, the technique which the Pandemiya Trojan writer has chosen for injecting its malicious code into every new process (post installation) is not very common for this type of threat,” Fleyder said.
In the meantime, the cat-and-mouse game continues between law enforcement and hackers, where authorities claim victories via botnet takedowns, and criminals respond with an original threat.
“Previous takedown efforts hadn’t had a long-lasting effect on the fraudsters’ motivation to steal illicit funds,” Fleyder said. “I think that the malicious code writers might lower their profile, freeze some of the projects and go underground for several days to weeks; however, they are always coming back eventually.”