Pandemiya: The New Trojan Horse

Category: Security

A new Trojan Horse malware program appears to be written entirely from scratch, a rarity in the malware trade and a special cause for concern among security researchers, anti-malware developers, and end-users. Here's what you should know…

Pandemiya Pandemonium

Researchers at RSA Security discovered the new “Pandemiya” program while trolling hacker forums for clues of what the bad guys are up to. According to RSA's Eli Marcus, Pandemiya contains over 25,000 lines of fresh code, and is intended to be an alternative to the Zeus botnet platform that enslaved several hundred thousand PCs worldwide.

Pandemiya infects victims mainly through drive-by downloads delivered by exploit kits, an increasingly popular channel among cybercrooks because it works so well. I wrote about this recently in How NOT to Get Exploited. It takes almost no technical expertise to set up an exploit kit on a bogus Web site offering fake security freeware. Unwitting visitors have their systems "scanned for vulnerabilities" while selected malware is downloaded and installed on their machines without their knowledge.

Pandemiya Virus

Boom! Your computer is now a zombie soldier in a botnet. Its resources will be combined with those of other slave machines to launch massive Distributed Denial of Service attacks; send gigabytes of spam; and perform other illicit tasks for the botmaster. But that’s not all; Pandemiya also raids the PC it has enslaved.

Pandemiya monitors its host’s input/output streams looking for login credentials for financial accounts. It scans for Social Security Numbers, credit card details, bank account info, and other data useful to identity thieves. All of the useful things it finds are transmitted to the botmaster for packaging and resale to other cybercrooks.

An “interesting” feature of Pandemiya is its modular design, which makes it easier to enhance with add-on programs written by third parties. Like many modern malware programs, Pandemiya uses encryption and obscuration techniques to hide its presence and activities from anti-malware programs, network analyzers, and other countermeasures. It’s pretty sophisticated stuff!

Pandemiya is one of those infuriating malwares that rises from the dead. Its core code hides itself well, infecting various Windows components with subprograms that do the dirty work. The core code continually refreshes its subprograms, so if one is excised by your security software, it will be restored on your next reboot or restarting of the infected Windows component.

RSA learned that Pandemiya is being sold for $1,500 in its basic form; another $2,000 enables plug-ins from third parties that enhance its evil powers. A Facebook attack module is reportedly in the works.

How to Remove Pandemiya

Fortunately, Pandemiya can be removed with some delicate but straightforward registry editing and command-line system modification. I expect that anti-malware developers are updating their products to detect and eliminate Pandemiya very quickly. Users should pay special attention to keeping updates current.

According to VirusTotal, most popular antivirus programs are detecting Pandemiya as a malicious entity. (Note that the green circles with check marks indicate that the tool did NOT flag the file as malicious.)

Norton's free Power Eraser is one tool that claims to eliminate Pandemiya and other "deeply embedded and difficult to remove crimeware." It's an on-demand scanner, so you can use it without any worries about it conflicting with currently installed anti-virus software. The docs for this program mention that it's an aggressive tool, and can remove things that aren't necessarily harmful.

When I tested it, it identified an old audio driver as potentially harmful (it's not) and also flagged some registry items for Google Update and Google Chrome autostart that are safe. So my advice is to make a restore point before running it, and closely examine the items that it recommends for fixing or removal.

In the never-ending battle between white and black hats, Pandemiya is a game-changer because it is new, and not just a variation of older malware. That makes it more successful as long as it’s unknown to anti-malware developers. Now that the cat’s out of the bag, Pandemiya can be beaten as other known threats have been.

Your thoughts on this topic are welcome. Post your comment or question below…

 
Ask Your Computer or Internet Question

  (Enter your question in the box above.)

It's Guaranteed to Make You Smarter...

AskBob Updates: Boost your Internet IQ & solve computer problems.
Get your FREE Subscription!


Email:

Check out other articles in this category:



Link to this article from your site or blog. Just copy and paste from this box:

This article was posted by on 10 Jul 2014


For Fun: Buy Bob a Snickers.

Prev Article:
Geekly Update - 9 July 2014

The Top Twenty
Next Article:
Old Androids Never Die, They Just Become Bots

Most recent comments on "Pandemiya: The New Trojan Horse"

Posted by:

DMYLES
10 Jul 2014

... it is all so tiresome...

if automobile transport had evolved the way personal computing technology has, many of us would still be riding horseback, i think!

thanks for the info!


Posted by:

Doc
10 Jul 2014

Day before yesterday (Tuesday 8 July 2014) Fresh Air with Terry Gross (NPR) had an opening segment on some common sense Cyber Security hints. One was to GET RID OF PROGRAMS YOU DON'T USE. I lost one comptuer to an Indian Call center my ISP uses for 'support' after hours (they threw away system files that allowed me to connect to the web - flash of black, then the Blue Scream of Death - And some Indian saying "What did YOU do!???) ME? NOTH.... click! Bzzzzzz. So much for their support.

Well my next comptuer ($300 more to buy a new one that put a new XP system on a wonderful friend). Though I had this one crash once, Bob saved me because this time I did it right and had my back-up flash drives ready.

So I took the advice seriously. I went though my machine, and HOLY COW!!! I had programs I'd used once or twice, didn't like (or use) and never removed. I took off about 14 programs I NEVER use, and had that been my older friend machine, it would have been in the hundreds. His reasoning, is if you don't use them, you don't update them, and we can all follow that line of reasoning to a comptuer as open a a screen on a window. So I've got my two base browsers (in case one crashes on me I can restore it), TWO anti-viral programs my IPS's McAfee real time and MBAM, a disk CCleaner, a defrager, a 3d mapping program, and my Office - and I'm amazed at how many programs were buried on my comptuer. Now the start button shows all programs in one block without the need to use the scroll bar. Those are the ones I actually USE, not MIGHT USE - those go onto a flash-drive. and are never on my comptuer.

SO - as another piece of Cyber Security: get rid of those trash programs you don't use. If you think you MIGHT want to use them someday, put them on a flash drive (label them so you know what they are) and store them in your storage drawer, then get them off your main storage device. Your comptuer will than you by running WAY faster, and you cut your chances of finding holes FAR less likely.

I've even wiped all my other computers that run 24/7 running World Community Grid (look it up, it's penny's a month to help Humankind) and THEY run (monitors off) -- one in specific, ran FOUR times faster!!!! FOUR TIMES!!!!!! So I can do more good for more people in less time. With LESS ware on the heads. Trust me, I'm a teacher. (smile) you will NOT be disapointed, and you won't wonder WHERE that 'bug' came from.


Posted by:

Ole
10 Jul 2014

Many thanks' Bob for the heads-up on yet another malicious rotten apple who is bend on causing misery


Posted by:

Glen
10 Jul 2014

Is this something that Apple users need to worry about. Also, what do you recommend as anti-virus, anti-malware software for Apple?


Posted by:

Rochelle
10 Jul 2014

Doc,

Did you also clone your hard drive onto another, or at least do an image? Hard drives are mechanical things, and they do break down eventually.


Posted by:

Ron Pollitt
11 Jul 2014

Can't the people who sell this malware be tracked down and their website zapped?


Posted by:

Bernard Gallivan
11 Jul 2014

Excellent heads up yet again, Bob. Many thanks. But isn't it about time the perpetrators of all this misery receive salutary justice if and when caught? The harm, time and expense they cause seems to me to be completely out of sync with the sentences passed down. I don't care if it's a mafia boss or a pimply school kid, the damage is the same. We have to put a stop to all this nonsense.

EDITOR'S NOTE: Sometimes they are identified, but usually these miscreants are hiding in countries that do not cooperate with law enforcement from other countries. For a case in point, see http://askbobrankin.com/gameover_and_cryptolocker_busted.html for the story of Evgeniy Mikhailovich Bogachev. My guess is that he'll stay comfortable in his lair as long as he continues to grease the palms of his accomplices in the government.


Posted by:

Barry Vincent
19 Jul 2014

What's the name of that guy who's predicted that in the near future there will be no internet because of this ongoing problem with cyber space crime. He/she could be right.


Posted by:

arizona
20 Jul 2014

well, it makes me even more glad that i am careful as to where i go and what i click on. last thing i need is to get this since i use my pc for online banking. thanks a bunch bob!


Post your Comments, Questions or Suggestions

*     *     (* = Required field)

    (Your email address will not be published)
(you may use HTML tags for style)

YES... spelling, punctuation, grammar and proper use of UPPER/lower case are important! And please limit your remarks to 3-4 paragraphs. If you want to see your comment posted, pay attention to these items.

All comments are previewed, and may be edited before posting.

NOTE: Please, post comments on this article ONLY.
If you want to ask a question click here.

Free Tech Support -- Ask Bob Rankin
RSS   Add to My Yahoo!   Feedburner Feed
Subscribe to AskBobRankin Updates: Free Newsletter
Copyright © 2005 - Bob Rankin - All Rights Reserved
Privacy Policy -- See my profile on Google.


Article information: AskBobRankin -- Pandemiya: The New Trojan Horse (Posted: 10 Jul 2014)
Source: https://askbobrankin.com/pandemiya_the_new_trojan_horse.html
Copyright © 2005 - Bob Rankin - All Rights Reserved