Pandemiya: Entirely new trojan quietly wheeled into black hat forums


29 replies to this topic

#1 quietman7


Posted 16 June 2014 - 06:43 PM

...RSA researcher Eli Marcus says the "Pandemiya" trojan comprises about 25,000 lines of fresh code. With most malware based on proven platforms, entirely new code is a rarity.

Pandemiya is nasty: it can steal data from forms, create fake web pages and take screen shots to send back to the botmasters who deploy it.

The software is modular and pervasive, and unique thanks to its ability to inject itself into all new processes via the Windows security registry function CreateProcess API... Like other trojans, Pandemiya is foisted on machines through exploit kits and drive-by infections that target vulnerabilities in buggy wares such as Java, Silverlight and Flash.


#2 Stolen


Posted 16 June 2014 - 10:22 PM

Pricey - it is being sold on underground forums for as much as $2,000.00.

Two more links here and here

From the 2nd link -

“Pandemiya is designed to enable a botmaster to spy on an infected computer – secretly stealing form data, login credentials and files from the victim, as well as taking snapshots of the victim’s computer screen. This malware also allows the injection of fake pages into an internet browser in an effort to gather additional sensitive information from the victims themselves.”

TY quietman7



#3 NickAu

NickAu

    Bleepin' Fish Doctor


  • Moderator
  • 13,254 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:127.0.0.1 Australia
  • Local time:06:59 AM

Posted 16 June 2014 - 11:23 PM

 

Averaging around $1,500 to $2,000 per license

Like hackers care about the price. It's not their money they will use to pay for it. Give it a few weeks and you may find cracked versions.



#4 cat1092


Posted 17 June 2014 - 12:11 AM

Can this be pulled off against a Linux based OS, such as Mint?

I've read the articles listed; there's a link within that shows the location of the infection. Guess I have some work to do in checking my Windows OS's out.

https://blogs.rsa.com/new-pandemiya-trojan-emerges-alternative-zeus-based-variants/

All of this is driving me towards moving off of Windows altogether. Yes, security scans can be run, however many times it's best to scan a suspected infected OS from another computer or, if dual booting, from that OS, to increase removal success. Am already using Linux for all transactions, using Windows only for forum participation & browsing.

It's a crying shame, given all of the cash that I have tied up in security software & Windows itself (multiple Windows & Office licenses), yet it appears as though that cash may as well have been thrown into the wind.

And is another reason why I've been stating since before the release of Windows 8, that Windows needs to be rewritten from scratch, rather than be built on top of previous versions. These crooks know the inner workings of the Windows OS & its flaws, as well as how to make security see these as legit. It takes someone of above average intelligence to pull something of this nature off, not some young kid doing this for bragging rights.

Threats are bad enough as it is, now there's those actively selling the software for use? There will be those who see this $2,000 as the best investment ever made, may even use a credit card to obtain the funding for the return it offers, all of the personal credentials that can be gathered,

 

Cat


Edited by cat1092, 17 June 2014 - 12:21 AM.

Performing full disc images weekly and keeping important data off of the 'C' drive as generated can be the best defence against Malware/Ransomware attacks, as well as a wide range of other issues. 


#5 myrti


Posted 17 June 2014 - 07:50 AM

Hi,

since there is talk about the registry and Windows API for the loading point of the malware, I would highly doubt that it can do anything on Linux. The folders are also all Windows specific.

regards
myrti



#6 NickAu


Posted 17 June 2014 - 07:59 AM

 

since there is talk about the registry and Windows API for the loading point of the malware, I would highly doubt that it can do anything on Linux. The folders are also all Windows specific.

People using Wine may need to be careful.




#7 cat1092


Posted 17 June 2014 - 12:31 PM

myrti, thanks for your input on this topic! :thumbup2:

At least we know where safer ground is & it's not on Windows. Regardless of the version, be it Windows XP or 8.1 Update 1, it's scan, scan & scan. On my main two Windows installs, there are security tools that are set to perform auto Full scans at different times of the day. In order for any not to clash heads, if a scan is missed, other than MBAM's hyper scan, I just let it run the next time, skipping missed tasks.

People using Wine may need to be careful.

I tried that Wine app on one Mint install, only to see how it had improved since 2-3 years ago. It has; however, after testing, I removed the software from the install.

Being that I'm not locked into using MS Office, nor am dependent on much anything of significance on Windows, there is no need for Wine on my trusted Linux Mint installs.

The threat that the topic is about is a very serious one & cannot be taken with a grain of salt. The providers of Windows security should by now be informed of the threat & hopefully will be able to adequately respond to any attempts to inject this code into protected computers.

Thanks to quietman7 for alerting us to this. :thumbup2: and...

Thanks to Stolen for providing the additional information which leads to hunting it down. :)

Cat




#8 Wolverine 7


Posted 17 June 2014 - 06:33 PM

And is another reason why I've been stating since before the release of Windows 8, that Windows needs to be rewritten from scratch, rather than be built on top of previous versions. These crooks know the inner workings of the Windows OS & its flaws, as well as how to make security see these as legit. It takes someone of above average intelligence to pull something of this nature off, not some young kid doing this for bragging rights.

Ditto, I'd have more to say about it if I was a better coder myself, but the Win malware stuff is becoming a real hassle all over. I rely on a regime of loads of different scanners run fairly consistently every now and then and regular backups, and I'm currently only using small systems... I really like Linux but a lot of apps I use won't run on it.

As you say with a rebuild, there must be a way to protect the registry without crippling functionality. Then again, can we really expect MS to shell out the cash for that kind of development?


Edited by Wolverine 7, 17 June 2014 - 06:35 PM.


#9 cat1092


Posted 17 June 2014 - 07:56 PM

That would be a major challenge, to rebuild Windows to be more secure & protect the registry, however it would be worth it.

Not that they haven't thrown cash into the wind before, look at the reception of Windows 8. There's no telling how much funding went into that project & going by most any usage figures one can find, nearly 20 months after release, XP is still more popular. Twice as much so as Windows 8 & 8.1 combined.

http://www.netmarketshare.com/operating-system-market-share.aspx?qprid=11&qpcustomb=0

Windows 7 share is still rising w/out MS spending anything on advertising the OS; they're determined to push 8.1 down our throats, whether or not we want the product.

MS needs to be throwing some of that cash to make sure that the next Windows, as well as any future SP's to 7 & 8.1, is more secure than ever. The last time they successfully pushed a pack of security features & it was well received was almost 10 years ago, on 08/25/2004, in the form of XP SP2. Much security was added, performance enhancements also, & popularity skyrocketed afterwards for the still #2 OS on the planet.

Of course, that was then & this is now; it's time for MS to pull off another similar feat. Windows needs to be more secure for its customers to retain market share. There are signs that Windows has major issues on the security front; one needs to do no more than refresh the View New Content tab to see that half or more of the latest posts are security related.

Should this Pandemiya threat become widespread we're going to have a mess on our hands, plus there will be others "stealing" that technology to write their modified version, as Nick posted above.

 

Cat




#10 myrti


Posted 18 June 2014 - 03:56 AM

Hi,

Should this Pandemiya threat become widespread we're going to have a mess on our hands, plus there will be others "stealing" that technology to write their modified version, as Nick posted above.


To maybe clarify things a bit: the "unique" and "new" thing about this infection is that someone went to the trouble of rewriting everything from scratch instead of "adapting" the Zeus source code to get to the same result.
Neither the attack vector, nor the way it injects itself, nor the payload of the trojan are new. They are all quite well-known. In particular the AppCertDlls entry used to inject the DLL into every process has been abused for about 5 years now and is routinely scanned and checked by most if not all AV scanners.

regards
myrti

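As an added example (not from the thread, RSA or any AV vendor), here is the check a defender would run for the AppCertDlls load point myrti describes, which is also what the article's "inject itself into all new processes via CreateProcess" refers to. The key path `HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls` is the standard location of that entry (not quoted in the thread), and the function name `Get-AppCertDllEntries` is mine.

```powershell
# Added example: audit the AppCertDlls registry key. Every DLL path listed as a
# value here is loaded into each new process created through CreateProcess, so a
# clean workstation normally has no values under this key, or no key at all.
$AppCertKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls'

function Get-AppCertDllEntries {
    # Returns one object per registered DLL with file and Authenticode status.
    if (-not (Test-Path -LiteralPath $AppCertKey)) {
        Write-Verbose 'AppCertDlls key is absent (the usual, clean state).'
        return @()
    }
    $item = Get-Item -LiteralPath $AppCertKey
    foreach ($name in $item.GetValueNames()) {
        # Values are REG_SZ/REG_EXPAND_SZ paths; expand %SystemRoot% etc. ourselves
        # so the stored form is also visible in the output.
        $raw  = $item.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
        $path = [Environment]::ExpandEnvironmentVariables([string]$raw)
        $exists = if ([string]::IsNullOrWhiteSpace($path)) { $false }
                  else { Test-Path -LiteralPath $path -PathType Leaf }
        $sig = if ($exists) { Get-AuthenticodeSignature -FilePath $path } else { $null }
        $signer = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
        [pscustomobject]@{
            ValueName  = $name
            StoredPath = [string]$raw
            DllPath    = $path
            FileExists = $exists
            SigStatus  = if ($sig) { $sig.Status.ToString() } else { 'n/a' }
            Signer     = $signer
            # Anything not validly Microsoft-signed, or pointing at a missing
            # file (a dropped DLL already removed), deserves a closer look.
            Suspicious = (-not $exists) -or ($sig.Status -ne 'Valid') -or
                         ($signer -notmatch 'O=Microsoft Corporation')
        }
    }
}

$entries = @(Get-AppCertDllEntries)
if ($entries.Count -eq 0) {
    Write-Output "No AppCertDlls entries registered under $AppCertKey"
} else {
    $entries | Format-Table ValueName, DllPath, FileExists, SigStatus, Suspicious -AutoSize
    $entries | Where-Object Suspicious | ForEach-Object {
        Write-Warning "Review AppCertDlls value '$($_.ValueName)' -> $($_.DllPath) [$($_.SigStatus)]"
    }
}
```

Reading HKLM does not need elevation; run the same check against ControlSet001/ControlSet002 if you want to compare the last-known-good configuration with the current one.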


#11 NickAu


Posted 18 June 2014 - 04:41 AM

 

As you say with a rebuild, there must be a way to protect the registry without crippling functionality.

Linux has done it in a way with root and limited accounts. Oh hang on, hasn't Windows got something similar? UAC? Not running as admin?

Just a warning to Linux users who use Wine: should you get infected in Wine, while it may not affect your Linux system, it will infect Wine, and there is malware out there that can call up Linux functions and then do funky stuff. I am told it's rare but it can be done. And as people become more aware of Linux it will be targeted. Sadly it's only a matter of time, and when it hits it will hit the Linux community hard, because like me most are a bit arrogant when it comes to security. If a malware, say a trojan, hit Linux tomorrow there is no way we would know, maybe for weeks. Most of the Linux community uses NO anti virus software at all. Say one of these silent install, run in the background things that spy on you: on my system and on most Linux set ups you wouldn't notice anything, as most of our PC's are so fast. No disrespect to any other OS intended.

PS.

I have ClamAV installed but sadly have not scanned anything in 6 1/2 months. :blush:

PPS.

I am not even logged into Linux atm, just running as guest. Good luck installing anything without root. :hysterical:


Edited by NickAu1, 18 June 2014 - 04:50 AM.



#12 myrti


Posted 18 June 2014 - 05:02 AM

Wine is not Windows... Wine has a very limited set of features implemented and most malware will simply fail to run when executed on Wine. I'm fairly sure the AppCertDlls key and its features are part of the things that are not implemented in Wine.
In addition, you need to be aware that a Windows executable cannot make calls to Linux functions; it would need to go through Wine to do this and either find and exploit a vulnerability in Wine or just drop a file somewhere and hope that someone will execute it in the future.
As long as the user-group "Linux users" is too small to be a viable target for malware authors, you can be sure that the user-group "Linux users that use Wine" is not even noticed.

It's not just the infection itself that would need to be Wine compatible. For starters you would need to be surfing with a browser running through Wine, then you would need to have something installed in the browser that's vulnerable, and the vulnerability would need to be functional even with Wine's limited implementation. If all of that is the case, then you can go ahead and drop the malware. Now the malware needs to be fully compatible with Wine too. The chance of all of this happening is incredibly remote, as anyone who has tried to use Wine will know. Besides the approved programs on the list at WineHQ, there's very little that actually runs on Wine out of the box.

If a malware, say a trojan, hit Linux tomorrow there is no way we would know

This is just not true... Last year Mac got hit by a number of malware (including trojans) designed specifically for Apple. They also didn't run AVs before that, yet it was almost instantly known.

If a malware, say a trojan, hit Linux tomorrow there is no way we would know. Most of the Linux community uses NO anti virus software at all.

This would be the same if there was an anti virus... There are no detection rules for malware on Linux because there is no malware so far. There is also no behavioral detection because for that to exist you need to know some typical behaviour in the first place. As there is none, no behaviour can be predicted.

Say one of these silent install, run in the background things that spy on you

Silent installs on Linux are much harder than on Windows. You can't just disable the AdminPrompt or have someone click on a window without knowing what it really is. You need to enter the password of the admin account (which is usually going to be the one of your account as well).
In addition you don't need "just" the malware, you also need a way of deploying it. You need a vulnerability and a working exploit for it... Something that is quite hard to find.

On my system and on most Linux set ups you wouldn't notice anything as most of our PC's are so fast.

Yes. But you would notice constant outgoing connections and traffic to sites you are not visiting. Ubuntu has the iptables firewall installed by default, though what you make out of it is your decision.

Yes, right now the Linux end-user is little targeted and can live their life without worry and protection. But when the day comes, there will be a lot of buzz and with that buzz will come the protection. The OS will be updated to close the vulnerability through which the infection crept in, and there will be a ton of tools at your disposal to protect yourself against it. Most of them will be unnecessary, but if you want you can add anti virus over anti malware over firewall.

regards
myrti



#13 NickAu


Posted 18 June 2014 - 05:16 AM

 

Yes. But you would notice constant outgoing connections and traffic to sites you are not visiting. Ubuntu has the iptables firewall installed by default, though what you make out of it is your decision.

I never look. If I do not run conky with an in/out connection meter, I have never bothered to look. While I am aware of what malware can do to Windows, there is really not much on Linux malware out there, and in some Linux forums they almost laugh at you if you suggest Linux viruses.

and there is malware out there that can call up Linux functions and then do funky stuff

I read this on a Linux forum, that it would have to be specially crafted. Then again, those same people wanted a guy who had Homeland Security Ransomware to toss out his HDD, buy a new HDD and flash the BIOS because there was no way of being sure you had cleaned everything up.


Edited by NickAu1, 18 June 2014 - 07:02 AM.



#14 myrti


Posted 18 June 2014 - 06:05 AM

Hi,

it's not impossible for a custom-made malware targeting a specific PC to have something like that, but it's highly unlikely that a malware will ever do this.

I ended up finding the summary about viruses on Wine I was looking for:

http://archive09.linux.com/articles/42031

It's a bit old, but it's an entertaining read and gives you a good idea of how dangerous it is, if you choose to run malware on it.

regards
myrti



#15 NickAu


Posted 18 June 2014 - 06:20 AM

Thank you myrti for the detailed information and explanations, also in PM. Much respect for you. :graduate:


Edited by NickAu1, 18 June 2014 - 07:02 AM.
