Pandemiya: The New Trojan Horse
A new Trojan Horse malware program appears to have been written entirely from scratch. That is a rarity in the malware trade, where most new crimeware is assembled from leaked or purchased code of older families, and it is a special cause for concern for security researchers, anti-malware developers, and end users alike. Here's what you should know…
Researchers at RSA Security discovered the new “Pandemiya” program while trawling underground hacker forums for clues about what the bad guys are up to. According to RSA's Eli Marcus, Pandemiya contains over 25,000 lines of fresh code and is being marketed as an alternative to the Zeus botnet platform, which enslaved several hundred thousand PCs worldwide.
Pandemiya infects victims mainly through drive-by downloads delivered by exploit kits, an increasingly popular channel among cybercrooks because it works so well. I wrote about this recently in How NOT to Get Exploited. It takes almost no technical expertise to set one up: the kit is rented ready-made and planted on a compromised or bogus Web site, often one offering fake security freeware. When you visit, the kit silently probes your browser and its plug-ins for unpatched vulnerabilities and, if it finds one, installs whatever malware the crook selected, with no prompt and no download dialog. Some of these sites dress the process up as a "free scan for vulnerabilities" of your PC, but nothing you click matters; the exploit runs on its own while the fake scan keeps you watching.
Boom! Your computer is now a zombie soldier in a botnet. Its resources can be pooled with those of other slave machines to launch massive Distributed Denial of Service attacks, send gigabytes of spam, and perform other illicit tasks for the botmaster. But that's not all: Pandemiya also raids the PC it has enslaved.
Pandemiya watches what its host's programs send and receive, hooking the Web browser so it can capture data you type into forms before the browser encrypts it (so an https padlock is no protection), and looks for login credentials for financial accounts. It scans for Social Security Numbers, credit card details, bank account info, and other data useful to identity thieves. Everything useful it finds is transmitted to the botmaster for packaging and resale to other cybercrooks.
An “interesting” feature of Pandemiya is its modular design, which makes it easy to extend with plug-in modules written by third parties. Like many modern malware programs, Pandemiya uses encryption and obfuscation to hide its presence and activities from anti-malware programs, network analyzers, and other countermeasures. It's pretty sophisticated stuff!
Pandemiya is one of those infuriating malware programs that rises from the dead. Its core code hides itself well and injects helper components into various Windows processes to do the dirty work. The core continually refreshes those components, so if your security software excises one of them, it is restored on your next reboot or the next restart of the infected Windows process. That is why deleting a single flagged file rarely cures an infection: the core that plants the file has to go too.
RSA learned that Pandemiya is being sold for $1,500 in its basic form, or $2,000 for a version that accepts third-party plug-ins that enhance its evil powers. A Facebook attack module is reportedly in the works.
How to Remove Pandemiya
Fortunately, Pandemiya can be removed with some delicate but straightforward registry editing and command-line system modification. If you go that route, back up the registry keys you intend to touch and make a restore point first; deleting the wrong entry can leave Windows unable to boot. I expect that anti-malware developers are updating their products to detect and eliminate Pandemiya very quickly, so users should pay special attention to keeping their security software's updates current.
According to VirusTotal, most popular antivirus programs now detect the Pandemiya sample as malicious. (When reading a VirusTotal report, note that a green circle with a check mark means the engine did NOT flag the file; a detection is shown in red with the malware name.)
Norton's free Power Eraser is one tool that claims to eliminate Pandemiya and other "deeply embedded and difficult to remove crimeware." It's an on-demand scanner, so you can use it without any worries about it conflicting with currently installed anti-virus software. The docs for this program mention that it's an aggressive tool, and can remove things that aren't necessarily harmful.
When I tested it, it identified an old audio driver as potentially harmful (it's not) and also flagged some registry items for Google Update and Google Chrome autostart that are safe. So my advice is to make a restore point before running it, and closely examine the items that it recommends for fixing or removal.
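Before editing the registry by hand or letting an aggressive cleaner loose, it pays to capture a way back. The following PowerShell script is an added example, not from the article or from RSA: it creates a restore point, exports the common autostart registry keys to .reg files so any deletion can be undone, and then lists what those keys currently launch so you can review each entry (the Google Update items above are exactly the kind of benign entry you would expect to see). The list of keys is the generic set of Windows autostart locations; it is an assumption of this example, not a list of where Pandemiya hides. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the article or RSA): pre-cleanup backup and autostart review.
# Run as Administrator. Requires System Restore to be enabled on the system drive.
#Requires -RunAsAdministrator

$backupDir = Join-Path $env:USERPROFILE "Desktop\reg-backup-$(Get-Date -Format yyyyMMdd-HHmmss)"
New-Item -ItemType Directory -Path $backupDir | Out-Null

# Step 1: a restore point, so registry edits and cleaner actions can be rolled back.
Checkpoint-Computer -Description "Before malware cleanup" -RestorePointType MODIFY_SETTINGS

# Step 2: generic autostart locations to back up and review (assumption: this is the
# standard list, not a claim about which keys Pandemiya actually uses).
$autostartKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'   # holds the AppInit_DLLs value
)

foreach ($key in $autostartKeys) {
    if (-not (Test-Path $key)) { continue }

    # reg.exe expects HKLM\... rather than the PowerShell drive form HKLM:\...
    $regPath = $key -replace '^HKLM:\\', 'HKLM\' -replace '^HKCU:\\', 'HKCU\'
    $file = Join-Path $backupDir (($regPath -replace '[\\:]', '_') + '.reg')
    & reg.exe export $regPath $file /y | Out-Null

    # Step 3: show the values so each entry can be judged before anything is deleted.
    Write-Host "`n== $key (backed up to $file)"
    Get-ItemProperty -Path $key |
        Select-Object -Property * -ExcludeProperty PS* |
        Format-List
}

Write-Host "`nBackups written to $backupDir. To undo a deletion, double-click the matching .reg file."
```

Two caveats: Windows 8 and later create at most one restore point per 24 hours through this cmdlet, so Checkpoint-Computer may silently reuse an earlier one, and a .reg file restores values but does not remove anything added later, so it is a backup of what was there, not a full snapshot. Neither replaces an up-to-date antivirus scan; the script only makes manual cleanup reversible.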
In the never-ending battle between white and black hats, Pandemiya is notable because it is genuinely new code, not just a variation of older malware, so signature-based scanners tuned to the Zeus family had nothing to match against. That advantage lasts only as long as a threat is unknown to anti-malware developers. Now that the cat's out of the bag and samples are in the hands of the vendors, Pandemiya can be beaten as other known threats have been.
Your thoughts on this topic are welcome. Post your comment or question below…
This article was posted by Bob Rankin on 10 Jul 2014
Copyright © 2005 - Bob Rankin - All Rights Reserved