RSA researchers discover new alternative to Zeus

The modular Trojan is being offered to criminals as an alternative to Zeus


Researchers from RSA's Fraud Team have discovered a new Trojan that's being offered to criminals as an alternative to Zeus. The modular kit, called Pandemiya, goes for $1,500 USD for the core application.

An extra $500 USD will get the core application as well as its plugins, which include a reverse proxy, FTP stealer, and PE infector (for system startup).

Unlike similar offerings, this new tool for criminals doesn't recycle any of the previously leaked Zeus code. RSA says that the developer behind it spent more than a year creating it, and it consists of more than 25,000 lines of original code in C.

The core function of the malware is data theft: it is designed to steal information from an infected system, including login credentials and files. It can also take screen captures of the victim's system and inject content into the victim's browser.

Furthermore, it includes protective measures that help it avoid detection. One of the protections offered by Pandemiya's author is the signing of the botnet files, which is meant to keep the botnet from being hijacked by other criminals, as well as to protect it from analysis by researchers and law enforcement.

Pandemiya also has an experimental feature that promises an infection vector via Facebook, but RSA's researchers didn't say whether this actually works. If it does, then a revival of Koobface-like infections is probable should Pandemiya take off.

A second experimental feature is a reverse hidden RDP module, but, like the Facebook module, it isn't clear whether this actually works.

As far as sales go, it isn't clear how many copies of the Trojan have been purchased, but criminals are likely to adopt a new alternative to Zeus if it's proven to work. However, RSA speculates that criminals are holding off on leveraging the new Trojan due to its high cost.

Should it start to sell in higher volumes, Pandemiya could become the main payload for crime kits going forward, which is the usual infection vector for commercial Trojans.

"The advent of a freshly coded new Trojan malware application is not too common in the underground. The design choice to make this malware modular and easy to expand upon with DLL plugins could make it more pervasive in the near future," explained RSA's Eli Marcus.

"However, the relatively high entry price or the anonymity of this application have so far prevented it from wide distribution. Only time will tell if its popularity rises. We’ll be keeping an eye on its development."
