New Malware Pandemiya Comes with 25k Lines of New Code

Nothing makes a Friday fun like hearing about a brand new form of malware. Well, that is what we have for you today. It seems that an RSA researcher was poking around the darker places on the Internet and stumbled upon a new bit of malware that, if real, could be a serious problem in the near future. RSA researcher Eli Marcus is calling the new malware Pandemiya and claims that it is 25,000 lines of previously unused code.

In the last few years there have been few truly new Trojans or other malware released. Most of it (if not all) is based on another platform or is a new twist on existing malware. This gives the best bang for the buck, as there is no need to develop from the ground up. The problem with this approach is that the good guys know most of the platforms out there and can quickly identify and stop refreshed malware when it follows this pattern. Creating something new that uses a new method of infection throws a wrench into that plan.

According to Marcus, Pandemiya can make use of the CreateProcess API, which allows it to register itself through the Windows registry (like malware judo) so that every new process is infected. We saw a similar tactic used to get by Microsoft's Enhanced Mitigation Toolkit earlier this year. It follows the standard infection path of most malware (drive-by download, exploit kit), so at least there is nothing new there.
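A quick way to check a Windows host for the kind of every-new-process hook described above, as an added example that is not from the article or from RSA's analysis: the article does not name the registry value involved, so this script assumes the standard AppInit_DLLs mechanism, which is the documented Windows facility for loading a DLL into every new user-mode process, and audits it on both the native and Wow6432Node paths.

```powershell
# Added example, not part of the article. Audits the registry values that make
# Windows load a DLL into every newly created process. The article only says the
# malware "registers itself through the registry so every new process is infected";
# AppInit_DLLs is the standard facility that behaves that way and is assumed here.
$paths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
)

foreach ($path in $paths) {
    if (-not (Test-Path $path)) { continue }
    $props   = Get-ItemProperty -Path $path
    $dlls    = $props.AppInit_DLLs
    $enabled = $props.LoadAppInit_DLLs
    $signed  = $props.RequireSignedAppInit_DLLs

    Write-Host "`n$path"
    Write-Host "  LoadAppInit_DLLs          : $enabled"
    Write-Host "  RequireSignedAppInit_DLLs : $signed"

    if ([string]::IsNullOrWhiteSpace($dlls)) {
        Write-Host "  AppInit_DLLs              : (empty)"
        continue
    }

    # The value is a space- or comma-separated list of DLL paths. A bare file name
    # is resolved relative to System32, which is where the loader looks for it.
    foreach ($dll in ($dlls -split '[ ,]+' | Where-Object { $_ })) {
        $full = if ([IO.Path]::IsPathRooted($dll)) { $dll }
                else { Join-Path (Join-Path $env:SystemRoot 'System32') $dll }
        $exists = Test-Path $full
        $sig = if ($exists) { (Get-AuthenticodeSignature $full).Status } else { 'n/a' }
        Write-Warning "AppInit_DLLs entry: $full (exists=$exists, signature=$sig)"
    }
}
```

On a clean host AppInit_DLLs is empty under both paths; any entry that exists on disk with a signature status other than Valid deserves a closer look.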

As for day-to-day usage, well, Pandemiya follows the pattern you might expect. It can steal your passwords, data, etc. It talks back to C&C (command and control) servers over encrypted channels, can spawn fake pages, take screenshots, and can "sign" the bots in its network to prevent them from being taken over by others (law enforcement or other bad guys).

To make things extra special, the developer decided to let you add plug-ins for extra features (these guys really are industrious). If you want, you can add nice features like a reverse proxy, an FTP stealer or a PE infector, and on top of all that it looks like there is even a plug-in to spread via Facebook.

Fortunately for all of us, this newly minted bit of malware is not in widespread use, as the developer appears to be relatively unknown (according to Marcus) and is also asking for quite a bit for access. The going rate is $1,500 for the core app and $2,000 for the ability to add plug-ins. It also appears that removal is not terribly complicated at this point. This could change as Pandemiya matures and proves itself. We could see this new malware platform take over from Zeus and a few other platforms that are out there.
