Banking Malware: New Challenger to Zeus? Pandemiya Trojan Could Invigorate Commercial Malware Market
Daniel Cohen of RSA

The developer behind a new banking Trojan is making an unusual offer: Discerning fraudsters can purchase his financial malware toolkit for just $1,500 - or $2,000 with all bells and whistles included.

See Also: Software Defined Security: Navigating the New Security Model

So goes the pitch for "Pandemiya," a new financial crimeware offering from a developer known as "Synthetic," which is notable for having been coded completely from scratch. But the malware is less remarkable for its technical capabilities than for the fact that it's being offered for sale by its developer as a standalone crimeware pack product. By comparison, other products are either available for free - most are based on the leaked Zeus source code - or can only be rented via subscription services.

"There is no commercial malware," Daniel Cohen, a fraud expert at RSA, tells Information Security Media Group. "Back in the days of Zeus - 2010, 2011 - there was commercial malware. So, [Synthetic] might be trying to fill that void, by offering service and support, expansion modules and everything that goes with commercial malware."

Pandemiya offers a number of must-have financial malware features, including Web injection capabilities for three different browsers - meaning attackers can interact with banking websites when a user is logged in, but present an interface that obscures malicious activities - plus password-grabbers, task automation, a file grabber, encrypted command-and-control (a.k.a. C&C, C2) communications, and the ability to capture screen grabs. Malware generated using the crimeware package can also be signed, to help prevent it from being hijacked by other fraudsters, or analyzed by information security experts or law enforcement agencies.

For $500 more, however, Synthetic also offers a PE infector to execute malicious routines when an infected Windows system starts up, as well as a reverse proxy and FTP credential stealer.

Commercial Malware: Untapped Market

Given all of the talk of banking malware today, it might sound surprising that very little of it is being offered for direct sale, for example as a consumer might purchase a copy of Microsoft Word or Excel from Amazon.com, albeit in this case more likely from the Russian-speaking hacking underground site that accepts payment online in bitcoins or some other cryptocurrency.

In part, that's because the market has been flooded with clones. "Because there were so many derivatives of Zeus, and so widely available - even free or close to free - some people were just taking what they could get and running with that," says Cohen.

Trace the decline in commercial malware, too, to top crimeware kit developers having been arrested, including the alleged Blackhole mastermind "Paunch" and the developer behind SpyEye. Also factor in ongoing botnet takedowns (see Cryptolocker/Gameover takedown).

2012: Citadel Heyday

In fact, there have been few new-malware success stories in the past couple of years. One exception is the malware-as-a-service offering Citadel, for which business boomed throughout 2012. By the end of that year, however, the gang behind Citadel went quiet, stopped offering support, and ended up being banned from the single forum on which it was being offered.

"But we're still seeing the development of Citadel, new versions coming out, so it's safe to say the team is hard at work developing Citadel, but they're not so much selling it commercially," says Cohen. Instead, it's more likely that Citadel's developers are running their own attacks, and thus keeping their entire operation in-house, which makes it harder for law enforcement agencies to infiltrate or disrupt. Security researchers have also seen signs of the Citadel gang loaning their attack infrastructure to other cybercrime gangs.

2013: Linux Malware Dud

Since Citadel, however, little has changed on the banking malware front. According to Cohen, "2013 was really the year of 'Teenage Mutant Ninja Trojans,' we saw a lot of teenage stuff, script-kiddy stuff trying to happen - like Hand of Thief, which was banking malware that was supposed to target Linux operating systems, and that was a dud."

Many lightweight remote-access tools also got dressed up as crimeware, he says. "We saw a lot of stealers, like the Pony stealer, which is a very basic piece of software that steals the URL you're visiting, along with the user name and password."

One-Week Attack: Luuuk

Still, barely a day goes by now without at least one security vendor issuing a warning about the latest potential banking malware threat. And to be fair, many of them are quite effective at separating consumers from their savings. (See: Malware: How to Prioritize the Alerts.)

On June 25, for example, Kaspersky Lab detailed Luuuk, a campaign, named for a server address found in the malicious infrastructure, that successfully stole more than 500,000 euros (about $680,000) from victims in Italy and Turkey who were the customers of a single bank, which hasn't been named. Kaspersky Lab says the attack began around Jan. 13, 2014, and the security firm discovered it a week later. Just 48 hours after that, though, attackers appeared to have shut down the campaign.

Attackers employed unknown malware to launch "man in the browser" techniques, which refers to Web injection attacks that allow attackers to transfer money out of a customer's account while they're logged in, while hiding that activity from the account holder. "[These] kind of injections are very common in all the variations of Zeus - Citadel, SpyEye, IceIX, etc. - and all of these are well-known in Italy," says Kaspersky Lab. Whatever malware variant used likely was likely "also capable of performing automatic transactions to preset money mule accounts."

The money transfer, in other words, was just the first part of the attack, since the gang needed to cash out the funds before authorities could find or freeze attackers' accounts. Accordingly, the money would have been withdrawn quickly by money mules, then shared with the gang behind the attacks.

Why Zeus Still Dominates

Beyond Luuuk, this year security researchers also spotted Qadars, which is a merger of Zeus plus Carberp, which was released in 2013. "Carberp was a very advanced piece of malware, and Qadars is taking Zeus to the next level," says Cohen.

For comparison's sake, however, Pandemiya and Qadars so far are only blips in the broader banking malware landscape. "For some perspective, we're analyzing about 400,000 binaries per week, and of that malware, about 92 percent is Zeus or Zeus-based," Cohen says. According to the Zeus Tracker, as of June 30, there were 1,149 known Zeus C&C servers being tracked. Meanwhile, only about 40 percent of Zeus malware was being detected by antivirus products, which is a selling point for fraudsters seeking a free crimeware toolkit.

Global Zeus Infections


Source: abuse.ch Zeus Tracker

Zeus, in other words, won't disappear anytime soon, says Cohen. "We might see more unique Trojans being developed, like Pandemiya, but the bottom line is committing cyber crime continues to remain really easy - and that's the challenge we're going to continue to see."


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.





Around the Network