In 2011, the source code for a popular malicious program known as Zeus was leaked to the Internet, and since then, many malware developers have used the Zeus code as the blueprint on which to base their malicious programs.
Now, a lone developer appears to be creating his own remote-access program to compete with the mass of Zeus-based Trojans, according to researchers at RSA, the security division of storage giant EMC. The Trojan, dubbed Pandemiya, has been advertised in certain cyber-criminal forums online, and RSA researchers were able to get a copy of the program, according to an analysis published June 10.
The Trojan has similar functionality to Zeus, but a completely different code base and, at approximately 100KB, is quite small, Daniel T. Cohen, head of knowledge delivery with RSA FraudAction, told eWEEK.
“The interesting thing here is that this is not Zeus, so it is not going to be easily fingerprinted,” he said. “This is new code that now has to be learned and recognized and blocked.”
Underground developers have often based their creations on other popular malware by using source code leaked to the Internet. While Zeus may be the most popular current example of cribbing code, the popular iBanking Trojan for Android mobile phones and tablets has also leaked online, leading security experts to speculate that the program could spawn a great number of variants.
“The source code for iBanking was leaked following a bizarre series of events in which a hacker went on an attacking spree as part of a quest to retrieve 65,000 stolen Bitcoins,” Symantec said in a May 2014 analysis of the Android Trojan.
The developer behind Pandemiya began advertising it for sale in February at $1,500 for the basic application, or $2,000 for a package including the application and additional plug-ins. The developer, who appears to be working on the project by himself, spent nearly a year coding the software, which totals 25,000 lines of C code, the RSA analysis stated.
“This guy who is coding the malware—he is not out to steal money or grab credentials for bank accounts,” Cohen said. Yet Pandemiya is modular, so other programmers can offer additional functionality, he said. “We expect other fraudsters to provide injection packs and other functionality that could turn this into a larger threat.”
Pandemiya has features typical of information-stealing Trojans, including the ability to steal data from Web forms, inject HTML page elements and JavaScript into the three major browsers, and basic encrypted communications.