Pandemiya is a new commercial Trojan malware application that has recently been promoted in underground forums as an alternative to the more widely used Zeus Trojan and its variants. The fraudsters behind Pandemiya are currently advertising it for sale at a price of $1500 USD for the core application, or $2000 USD for the core application including plugins for additional functionality.
Pandemiya is designed to enable a botmaster to spy on an infected computer – secretly stealing form data, login credentials and files from the victim, as well as taking snapshots of the victim’s computer screen. This malware also allows the injection of fake pages into an internet browser in an effort to gather additional sensitive information from the victims themselves.
Like many of the other Trojans we’ve seen of late, Pandemiya includes protective measures to encrypt the communication with the control panel, and prevent detection by automated network analyzers. An interesting aspect of the application is its modular design, which makes it quite easy to expand and add functionality.
Pandemiya’s code base is itself noteworthy: contrary to recent trends in malware development, it is not based on the leaked Zeus source code at all, unlike Citadel, Ice IX and others. Through our research, we found that the author of Pandemiya spent close to a year coding the application, and that it consists of more than 25,000 lines of original code in C.
Advertised core features:
- Injects for the 3 leading internet browsers
- Grabbers for the 3 leading internet browsers
- File Grabber
- Loader (unique tasks & statistics)
- Signing of the botnet files to protect them from being hijacked by other fraudsters, and from being analyzed by security analysts or law enforcement.
- Encrypted communication with the panel (dynamic content + URI – never the same request / data – a kind of bulletproofing against network analyzers)
Additional Features (via plugins):
- Reverse Proxy
- FTP Stealer (combined with an internal iFramer)
- PE infector (for startup)
Experimental Plugins (soon to be released/integrated):
- Reverse hidden RDP
- Facebook spreader
Pandemiya hooks the following functions, depending on the process it is running in: the WinINet functions HttpAddRequestHeaders, HttpQueryInfo, HttpSendRequest, InternetConnect, InternetQueryDataAvailable, InternetReadFile and InternetReadFileEx (the API Internet Explorer uses); the NSPR functions PR_Close, PR_Read and PR_Write (used by Firefox); the Winsock functions WSARecv, WSASend and closesocket (used by Chrome); and LoadLibrary.
The following are the main features offered by Pandemiya:
- Stealing HTTP Form Data and Logins — Pandemiya uses these hooks inside the web browser process to gain access to all browser traffic and steals HTTP form data just like other known form grabbers. Because the WinINet and NSPR hooks see request data before the browser encrypts it, HTTPS on the target site does not protect the submitted form contents. The Trojan also steals username and password combinations that are entered in HTTP basic authentication dialogs (HTTP 401 responses).
- Screen Capture and File Stealing — The newest version of the Trojan features a screenshot taking capability, as well as file search and a compression function for stealing files from the infected system.
- Modularity — Pandemiya has the ability to load external plugin DLLs, making the Trojan modular, allowing new features to be added by simply writing/creating new DLLs. This allows operators of the malware and other developers to create plugins that expand the application’s range of capabilities.
Infection and Installation
As is typical with commercial Trojans, the infection and installation method is left up to the operator. Quite commonly, the infection uses an exploit pack that generates a drive-by exploit page, infecting the PC the moment a vulnerable browser lands on that page.
The Pandemiya installer is a single *.EXE file that executes the following actions on the victim PC:
- Moves itself to the All Users/Application Data user folder under a random name.
- Adds a link to run the installer upon system start, using a new value in the registry key:
- Places a DLL with a random name into C:\Windows\System32
This DLL contains the full Trojan application.
- Adds a registry value linking to the DLL inside the registry key:
That last step abuses a little-documented Windows mechanism rather than a security function: every new process is created through the CreateProcess API, and Windows loads each DLL listed under this registry value into it. Pandemiya uses this to inject itself into every newly started process.
The screenshot below is an example of how the Trojan writes the DLL to a file, loads it, and immediately calls the exported function named PluginRegisterCallbacks.
As a resilience measure, the Trojan DLL makes sure that Explorer.exe is injected with its code and re-injects itself when needed. This check is done every time the DLL is loaded, in other words whenever a new process starts.
System32 directory containing the new DLL created by Pandemiya
Note that the modification/creation date of this DLL is different from the date of all other DLLs in the System32 directory.
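The timestamp observation above is a usable hunt lead: a dropped DLL with a random name lands in System32 on a day when nothing else in that directory was touched. The following is an added example (not code from the article or from the Trojan) that groups DLLs by modification day and reports the files sitting in very small clusters. The sample entries are constructed, the cluster threshold is a tunable assumption, and the random-name heuristic is a hypothetical rule of thumb rather than a Pandemiya indicator.

```python
"""Flag DLLs whose modification day does not match the bulk of a system directory."""
import os
import re
from datetime import datetime, timezone

HEX_NAME = re.compile(r"^[0-9a-f]{8,}$")


def looks_random(filename):
    """Heuristic (assumption) for machine-generated names: a long hex stem,
    or a stem of eight or more letters containing no vowel at all."""
    stem = os.path.splitext(os.path.basename(filename))[0].lower()
    if HEX_NAME.match(stem):
        return True
    return len(stem) >= 8 and stem.isalpha() and not any(c in "aeiouy" for c in stem)


def cluster_outliers(entries, min_cluster=3):
    """entries: iterable of (filename, mtime_epoch_seconds).

    Files are bucketed by UTC modification day; any day holding fewer than
    min_cluster files is treated as an outlier cluster. Returns a sorted list
    of (filename, day_iso, random_looking_name) tuples.
    """
    by_day = {}
    for name, mtime in entries:
        day = datetime.fromtimestamp(mtime, tz=timezone.utc).date()
        by_day.setdefault(day, []).append(name)
    flagged = []
    for day, names in by_day.items():
        if len(names) < min_cluster:
            flagged.extend((n, day.isoformat(), looks_random(n)) for n in names)
    return sorted(flagged)


def scan_directory(path, min_cluster=3, suffix=".dll"):
    """Run cluster_outliers over the real files in a directory (e.g. System32)."""
    entries = []
    with os.scandir(path) as it:
        for entry in it:
            if entry.is_file() and entry.name.lower().endswith(suffix):
                entries.append((entry.name, entry.stat().st_mtime))
    return cluster_outliers(entries, min_cluster)


def _ts(year, month, day, hour=12):
    """Epoch seconds for a UTC date; used only to build the constructed sample."""
    return datetime(year, month, day, hour, tzinfo=timezone.utc).timestamp()


# Constructed sample: an OS install day, a patch day, and one stray drop.
SAMPLE_ENTRIES = [
    ("kernel32.dll", _ts(2013, 8, 22)),
    ("user32.dll", _ts(2013, 8, 22)),
    ("advapi32.dll", _ts(2013, 8, 22)),
    ("wininet.dll", _ts(2013, 8, 22)),
    ("ws2_32.dll", _ts(2013, 8, 22)),
    ("ntdll.dll", _ts(2014, 3, 11)),
    ("shell32.dll", _ts(2014, 3, 11)),
    ("ole32.dll", _ts(2014, 3, 11)),
    ("qzxvbnmk.dll", _ts(2014, 5, 30)),  # the lone drop with a random-looking name
]

if __name__ == "__main__":
    for name, day, rnd in cluster_outliers(SAMPLE_ENTRIES):
        print(f"{day} {name}{'  (random-looking name)' if rnd else ''}")
```

Treat the output as leads, not verdicts: Windows Update and third-party installers also write DLLs on days of their own, so a flagged file should be checked for an Authenticode signature and a known-good hash before it is touched, and the threshold should be raised on machines with a long patch history.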
Removal of the Pandemiya application is fairly simple:
- Locate the registry key
and identify the *.EXE filename in your user’s ‘Application Data’ folder.
Note the name, and delete the registry value.
- Locate the registry key
Find the value with the same name as the *.EXE file in the previous step.
Note the file name, and remove the value from the registry.
- Reboot the system. At this stage Pandemiya is installed but no longer running.
- Delete both files noted earlier. This will remove the last traces of the Trojan.
The system is now clean. Any credentials entered on the machine while it was infected should be treated as compromised and changed.
Example of the Pandemiya admin panel – updating the configuration
Communication with the panel is performed through HTTP GET and HTTP POST requests. The data also appears to be encrypted using a simple algorithm.
A distinctive User-Agent string was observed in the Trojan's requests: Hello 2.0
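Two things in this section are visible from the network side: the reported User-Agent string, and the seller's claim in the feature list that the panel traffic uses a dynamic URI so that no two requests look the same. The following is an added example, not code from the article or from the Trojan, that runs both checks over web proxy log lines. The log format, the sample lines and the request threshold are constructed for this example; only the string Hello 2.0 comes from the article.

```python
"""Spot Pandemiya-style beaconing in a web proxy log."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

SUSPICIOUS_UA = "Hello 2.0"  # User-Agent string reported in the article

# Constructed line format: <iso-timestamp> <client-ip> <method> <url> "<user-agent>"
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>GET|POST) (?P<url>\S+) "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return a dict of fields for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def analyze(lines, min_requests=4):
    """Return {'ua_hits': [(src, url)], 'never_repeating': [(src, host)]}.

    ua_hits lists every request carrying the suspicious User-Agent.
    never_repeating lists (client, host) pairs with at least min_requests
    requests in which every request used a distinct path+query, which is
    what a never-repeating command-and-control URI looks like in a log.
    """
    ua_hits = []
    stats = defaultdict(lambda: {"count": 0, "uris": set()})
    for rec in map(parse_line, lines):
        if rec is None:
            continue  # malformed line: skip it rather than abort the whole scan
        if rec["ua"] == SUSPICIOUS_UA:
            ua_hits.append((rec["src"], rec["url"]))
        parts = urlsplit(rec["url"])
        key = (rec["src"], parts.netloc.lower())
        stats[key]["count"] += 1
        stats[key]["uris"].add(parts.path + "?" + parts.query)
    never_repeating = sorted(
        key for key, s in stats.items()
        if s["count"] >= min_requests and len(s["uris"]) == s["count"]
    )
    return {"ua_hits": ua_hits, "never_repeating": never_repeating}


# Constructed sample: one beaconing client, one ordinary browsing client,
# a short burst of cache-busted CDN fetches, and a malformed line.
SAMPLE_LOG = """\
2014-06-02T09:00:01Z 10.0.0.5 POST http://c2.example.net/a7f3c9?x=1k2j "Hello 2.0"
2014-06-02T09:01:03Z 10.0.0.5 GET http://c2.example.net/b81ee0?x=9qzc "Hello 2.0"
2014-06-02T09:02:04Z 10.0.0.5 POST http://c2.example.net/0c44d2?x=77ma "Hello 2.0"
2014-06-02T09:03:02Z 10.0.0.5 GET http://c2.example.net/f19a57?x=pp0e "Hello 2.0"
2014-06-02T09:00:10Z 10.0.0.7 GET http://www.example.com/index.html "Mozilla/5.0"
2014-06-02T09:00:11Z 10.0.0.7 GET http://www.example.com/style.css "Mozilla/5.0"
2014-06-02T09:00:12Z 10.0.0.7 GET http://www.example.com/index.html "Mozilla/5.0"
2014-06-02T09:00:13Z 10.0.0.7 GET http://www.example.com/logo.png "Mozilla/5.0"
2014-06-02T09:00:14Z 10.0.0.7 GET http://cdn.example.org/v?cb=1 "Mozilla/5.0"
2014-06-02T09:00:15Z 10.0.0.7 GET http://cdn.example.org/v?cb=2 "Mozilla/5.0"
this line is garbage and must be skipped
"""

if __name__ == "__main__":
    result = analyze(SAMPLE_LOG.splitlines())
    for src, url in result["ua_hits"]:
        print(f"UA match   {src} -> {url}")
    for src, host in result["never_repeating"]:
        print(f"no-repeat  {src} -> {host}")
```

The User-Agent check is the cheap one and also the weakest, since the operator can change the string in a rebuild; the never-repeating-URI check survives that but also fires on legitimate cache-busting query strings and some CDNs, so it is best corroborated with how rare the User-Agent is across the estate and whether the requests recur on a fixed interval.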
The advent of a freshly coded new Trojan malware application is not too common in the underground. The design choice to make this malware modular and easy to expand with DLL plugins could make it more pervasive in the near future. However, the relatively high entry price and the low profile of this application have so far kept it from wide distribution. Only time will tell if its popularity rises. We’ll be keeping an eye on its development.
Note: dynamic-link libraries (DLLs) are the functional core elements of the Windows operating system.