{"id":623,"date":"2014-06-13T14:46:56","date_gmt":"2014-06-13T18:46:56","guid":{"rendered":"http:\/\/www.ccrepairservices.com\/blog\/?p=623"},"modified":"2014-06-27T14:42:22","modified_gmt":"2014-06-27T18:42:22","slug":"zeus-trojan-or-zbot-trojan-steals-confidential-information-from-the-infected-computer","status":"publish","type":"post","link":"https:\/\/www.ccrepairservices.com\/blog\/virus-and-malware-threats\/zeus-trojan-or-zbot-trojan-steals-confidential-information-from-the-infected-computer\/","title":{"rendered":"Zeus Trojan (or Zbot Trojan) steals confidential information from the infected computer."},"content":{"rendered":"<div id=\"aim18865682943804752251\">\n<div dir=\"ltr\" style=\"text-align: left;\">\n<div dir=\"ltr\" style=\"text-align: left;\">\n<div style=\"text-align: justify;\">\n<div class=\"separator\" style=\"clear: both; text-align: center;\"><img decoding=\"async\" title=\"Pandemiya hacking trojan\" src=\"https:\/\/3.bp.blogspot.com\/--1nXT5aq900\/U5sNnXW0jjI\/AAAAAAAAASg\/Z8bXOAZURks\/s728\/Pandemiya-hacking-trojan.jpg\" alt=\"Pandemiya hacking trojan\" border=\"0\" \/><\/div>\n<p>A new and relatively rare banking Trojan has been found that is quite different from <span style=\"text-decoration: underline;\"><strong>Zeus<\/strong><\/span>\u00a0and its many offshoots. It can silently steal data from web forms, login credentials and files from the victim, create fake web pages, and take screenshots of the victim&#8217;s computer.<\/p>\n<p>Researchers at RSA Security\u2019s FraudAction team discovered the threat, dubbed \u2018<b><i>Pandemiya<\/i><\/b>\u2019, which is being offered to cyber criminals on underground forums as an alternative to the infamous Zeus Trojan and its many variants, the tools most cyber criminals have relied on for years to steal banking information from consumers and companies.<\/p>\n<p>The source code of the Zeus banking Trojan has been available on underground forums for several years, which has allowed malware developers to build more sophisticated Zeus variants such as Citadel, Ice IX and <span style=\"text-decoration: underline;\">Gameover Zeus<\/span>.<\/p>\n<p>Pandemiya stands apart from that family: its author spent about a year writing it, and it consists of roughly 25,000 lines of original C code, none of it derived from Zeus. Like other commercial Trojans, Pandemiya is delivered through exploit kits in drive-by download attacks: a victim who lands on a malicious or compromised web page is infected within seconds through flaws in vulnerable browser plug-ins such as <span style=\"text-decoration: underline;\">Java<\/span>, Silverlight and Flash.<\/p>\n<blockquote><p>\u201c<i>Pandemiya\u2019s coding quality is quite interesting, and contrary to recent trends in malware development, it is not based on Zeus source code at all, unlike Citadel\/Ice IX, etc.,<\/i>\u201d researchers from RSA, the security division of EMC, said Tuesday in a blog post. \u201c<i>Through our research, we found out that the author of Pandemiya spent close to a year of coding the application, and that it consists of more than 25,000 lines of original code in C.<\/i>\u201d<\/p><\/blockquote>\n<p>Pandemiya registers itself under the Windows <i>AppCertDlls<\/i> registry key, which Windows consults on every <i>CreateProcess<\/i> API call, so the Trojan is loaded into every new process that is started, including Explorer.exe, and it re-injects itself when needed. 
Pandemiya sells for as much as <b><i>$2,000 USD<\/i><\/b> and provides all the usual nasty features, including encrypted communication with its command and control servers to evade detection. It has a modular architecture that loads external plug-ins, so the author can add features simply by writing a new DLL (dynamic link library). Because the plug-ins extend the Trojan\u2019s core functionality, the developer charges an <i><b>extra $500 USD<\/b><\/i> for the core application bundled with its plug-ins, which let criminals open reverse proxies on infected computers, steal FTP credentials, and infect executable files so that the malware is injected at start-up.<\/p>\n<blockquote><p>\u201c<i>The advent of a freshly coded new trojan malware application is not too common in the underground,<\/i>\u201d Marcus writes, adding that the modular approach in Pandemiya could make it \u201c<i>more pervasive in the near future.<\/i>\u201d<\/p><\/blockquote>\n<p>The malware developers are also working on further features: reverse Remote Desktop Protocol connections and a Facebook attack module that would spread the Trojan through hijacked Facebook accounts.<\/p>\n<p><b>HOW TO REMOVE PANDEMIYA TROJAN<\/b><\/p>\n<p>The Trojan can be removed with a small registry modification and a command line action, as explained below. \u2018Application Data\u2019 is the folder that <i>%APPDATA%<\/i> points to (<i>C:\\Users\\&lt;user&gt;\\AppData\\Roaming<\/i> on Windows Vista and later).<\/p>\n<ol style=\"text-align: left;\">\n<li>Locate the registry key <i>HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run<\/i> (there is no HKEY_LOCAL_USER hive) and identify the value whose *.EXE path points into your user\u2019s \u2018<i>Application Data<\/i>\u2019 folder. Note the file name, then delete the registry value.<\/li>\n<li>Locate the registry key <i>HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Control\\Session Manager\\AppCertDlls<\/i>. 
Find the value with the same name as the *.EXE file from the previous step. Note the file name it points to, then remove the value from the registry.<\/li>\n<li>Reboot the system. At this stage Pandemiya is still on disk but no longer running, so its files are no longer locked. Delete both files noted earlier to remove the last traces of the Trojan.<\/li>\n<\/ol>\n<p>One caveat: these steps match the persistence RSA described for this Trojan. A banking Trojan that runs inside every process has had access to everything typed and every file on the machine while it was active, so treat any passwords and banking credentials used on that computer as compromised, change them from a clean machine, and if you cannot confirm the infection is gone, a full reinstall is the safer choice.<\/p>\n<h2 style=\"text-align: center;\"><span style=\"color: #00ff00;\">Please Visit our <a href=\"https:\/\/www.ccrepairservices.com\/blog\">Computer News Website and Blog<\/a><\/span><\/h2>\n<h1 style=\"text-align: center;\"><span style=\"color: #ff6600;\"> for latest computer repair and online news.<\/span><\/h1>\n<h2 style=\"text-align: center;\"><span style=\"color: #993300;\">Local and Online Virus removal and computer repairs anytime, anywhere<\/span><\/h2>\n<p style=\"text-align: center;\">Fort Lauderdale, Miami, Boca Raton, Boynton Beach and all South Florida<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>A new and relatively rare banking Trojan has been found that is quite different from Zeus\u00a0and its many offshoots. It can silently steal data from web forms, login credentials and files from the victim, create fake web pages, and take screenshots of the victim&#8217;s computer. Researchers at RSA Security\u2019s FraudAction team discovered the threat, dubbed \u2018Pandemiya\u2019, which is being offered to cyber criminals on underground forums as an alternative to the infamous Zeus Trojan and its many variants, the tools most cyber criminals have relied on for years to steal banking information from consumers and companies. The source code of the Zeus banking Trojan has been available on underground forums for several years, which has allowed malware developers to build more sophisticated Zeus variants such as Citadel, Ice IX and Gameover Zeus. 
But Pandemiya stands apart from that family: its author spent about a year writing it, and it consists of roughly 25,000 lines of original C code, none of it derived from Zeus. Like other commercial Trojans, Pandemiya is delivered through exploit kits in drive-by download attacks [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[856,9,857,860,220,846,103,863,862,866,864,32,865,693,156,33,453,861,10,142,868,451,21,869,44,474,43,7,22,867,858,859],"class_list":["post-623","post","type-post","status-publish","format-standard","hentry","category-virus-and-malware-threats","tag-bank","tag-banking","tag-banking-troja","tag-banking-virus","tag-computer","tag-computer-infection","tag-computer-news-2","tag-computer-security","tag-computer-software","tag-computer-specialist","tag-diy","tag-fort-lauderdale","tag-free-trojan-removal","tag-local-virus-removal","tag-malware","tag-miami","tag-new-malware","tag-new-trojan","tag-new-virus","tag-new-viruses","tag-news-alert","tag-online-news","tag-online-virus","tag-romoval-of-virus","tag-rootkit","tag-south-florida","tag-trojan","tag-virus","tag-virus-removal","tag-virus-removal-expert","tag-zeus","tag-zeus-trojan"],"_links":{"self":[{"href":"https:\/\/www.ccrepairservices.com\/blog\/wp-json\/wp\/v2\/posts\/623","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.ccrepairservices.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.ccrepairservices.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.ccrepairservices.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.ccrepairservices.com\/blog\/wp-json\/wp\/v2\/comments?post=623"}],"version-history":[{"count":12,"href":"https:\/\/www.ccrepairservi
ces.com\/blog\/wp-json\/wp\/v2\/posts\/623\/revisions"}],"predecessor-version":[{"id":658,"href":"https:\/\/www.ccrepairservices.com\/blog\/wp-json\/wp\/v2\/posts\/623\/revisions\/658"}],"wp:attachment":[{"href":"https:\/\/www.ccrepairservices.com\/blog\/wp-json\/wp\/v2\/media?parent=623"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.ccrepairservices.com\/blog\/wp-json\/wp\/v2\/categories?post=623"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.ccrepairservices.com\/blog\/wp-json\/wp\/v2\/tags?post=623"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
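The three manual removal steps in the post above (HKCU Run value pointing at an *.EXE under the user's Application Data folder, an AppCertDlls value of the same name, reboot, then delete both files), carried out with PowerShell instead of regedit, as an added example that is not part of the original post and not RSA's code. It assumes only the persistence layout the steps describe; nothing is hard-coded about value names or file names, the script reports whatever pair it finds in the registry. The script file name `Find-Pandemiya.ps1` used below is hypothetical.

```powershell
# Triage/removal helper for the Pandemiya persistence pattern described on
# this page: an HKCU Run value whose *.EXE lives under the user's Application
# Data folder, paired with an HKLM AppCertDlls value of the same base name.
# Added example for this page; not RSA's or the blog author's code.
# Run from an elevated PowerShell prompt (AppCertDlls lives under HKLM).
# Report-only by default; -Remove deletes the registry values (supports -WhatIf).
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Remove
)

$runKey     = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$appCertKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\AppCertDlls'
$appData    = $env:APPDATA   # the user's "Application Data" (Roaming) folder

# Return every value under a registry key as Name/Data pairs.
# Yields nothing if the key is absent: AppCertDlls does not exist on a clean
# system, so its mere presence deserves a look.
function Get-RegistryValues([string]$Path) {
    if (-not (Test-Path -LiteralPath $Path)) { return }
    $key = Get-Item -LiteralPath $Path
    foreach ($name in $key.GetValueNames()) {
        # GetValue expands %VAR% references in REG_EXPAND_SZ data for us.
        [pscustomobject]@{ Name = $name; Data = [string]$key.GetValue($name) }
    }
}

# Extract the executable path from Run value data, which may be quoted
# and may carry arguments, e.g.  "C:\...\x.exe" /silent
function Get-ImagePath([string]$Data) {
    $d = $Data.Trim()
    if ($d.StartsWith('"')) {
        $end = $d.IndexOf('"', 1)
        if ($end -gt 1) { return $d.Substring(1, $end - 1) }
    }
    return ($d -split '\s+')[0]
}

$suspects = @()
foreach ($run in Get-RegistryValues $runKey) {
    $exe = Get-ImagePath $run.Data
    # Step 1: only *.EXE entries under the user's Application Data folder.
    if (-not ($exe -like "$appData\*" -and $exe -match '\.exe$')) { continue }
    $base = [IO.Path]::GetFileNameWithoutExtension($exe)

    # Step 2: an AppCertDlls value named after that EXE.
    $cert = Get-RegistryValues $appCertKey |
        Where-Object { $_.Name -ieq $base } | Select-Object -First 1
    if (-not $cert) { continue }

    $suspects += [pscustomobject]@{
        RunValue    = $run.Name
        ExePath     = $exe
        AppCertName = $cert.Name
        DllPath     = $cert.Data
    }
}

if ($suspects.Count -eq 0) {
    Write-Host 'No Run/AppCertDlls pair found for this user.'
    return
}

$suspects | Format-Table -AutoSize

if ($Remove) {
    foreach ($s in $suspects) {
        if ($PSCmdlet.ShouldProcess("$runKey\$($s.RunValue)", 'Remove-ItemProperty')) {
            Remove-ItemProperty -LiteralPath $runKey -Name $s.RunValue
        }
        if ($PSCmdlet.ShouldProcess("$appCertKey\$($s.AppCertName)", 'Remove-ItemProperty')) {
            Remove-ItemProperty -LiteralPath $appCertKey -Name $s.AppCertName
        }
        # Step 3: the DLL is mapped into running processes, so both files stay
        # locked until the machine is rebooted; delete them afterwards.
        Write-Host "After reboot, delete: $($s.ExePath)"
        Write-Host "After reboot, delete: $($s.DllPath)"
    }
}
```

Run it as Administrator: `.\Find-Pandemiya.ps1` lists any matching Run/AppCertDlls pair, `.\Find-Pandemiya.ps1 -Remove -WhatIf` shows which two registry values would be deleted, and `.\Find-Pandemiya.ps1 -Remove` deletes them. The file deletion is deliberately left to the user after the reboot, exactly as step 3 requires, because the DLL is still loaded into every running process until then. A clean machine normally has no AppCertDlls key at all, so the script finding that key populated is worth investigating even if the names do not pair up.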