Pandemiya banking malware emerges as Zeus-level threat

RSA researchers say the costly Pandemiya banking malware was written entirely from scratch, a dangerous oddity in the world of malware.

Researchers have uncovered a new banking malware variant that they say is notable not only for the hefty prices its authors are demanding, but also because the malware has been coded from scratch -- a dangerous oddity in the world of malware development.

In a blog post this week, RSA's FraudAction team detailed the malware finding, dubbed Pandemiya, which they said is being sold on underground malware sites for between $1,500 and $2,000, depending on the functionality a buyer desires.

Pandemiya is a typical malware banking variant in many ways. It is capable of stealing form data and login credentials, as well as enabling attackers to inject malicious webpages into the three major Web browsers to gather further information on victims.

Communications between machines infected by Pandemiya and its botnet are also encrypted, according to RSA, and the modular nature of the malware means it is "quite easy to expand and add functionality" via DLL plug-ins -- some of which are sold for a higher price, including a reverse proxy and an FTP login stealer.

What sets Pandemiya apart is that it is not based on the Zeus source code, which was leaked online in 2011 and has since been the favorite base code for malware authors to craft numerous variants of the infamous banking malware, including Citadel, Carberp and Zberp.

"Through our research, we found out that the author of Pandemiya spent close to a year coding the application, and that it consists of more than 25,000 lines of original code in C," RSA said in the blog post. "The advent of a freshly coded new Trojan malware application is not too common in the underground."

The emergence of Pandemiya comes just as one of the most well-known Zeus variants, Gameover Zeus, was targeted in a worldwide sinkholing operation by law enforcement agencies, resulting in the traffic from more than 300,000 machines infected by the botnet being redirected to clean servers.

RSA noted that the relatively high price of Pandemiya and its low profile have so far kept the malware from becoming widespread, but its authors may see opportunity in the temporary gap left by the Gameover Zeus takedown.

"Only time will tell if its popularity [will] rise," RSA said.
