back to article Entirely new trojan quietly wheeled into black hat forums

An RSA researcher claims to have found an entirely new trojan during his trawls of the criminal underground. RSA researcher Eli Marcus says the "Pandemiya" trojan comprises about 25,000 lines of fresh code. With most malware based on proven platforms, entirely new code is a rarity. Pandemiya is nasty: it infects Windows PCs, …

COMMENTS

This topic is closed for new posts.
  1. Destroy All Monsters Silver badge
    Paris Hilton

    The software is modular and pervasive, and unique thanks to its ability to inject itself into all new processes via the Windows security registry function CreateProcess API

    I do not understand? Is fork() now considered a black art skill? Has it come to that?

    1. Anonymous Coward
      Anonymous Coward

      >"the Windows security registry function CreateProcess API"

      HOUSE!

      What, we aren't playing Buzzword Bingo? Because I can't see any other reason for stringing that many nouns together in a row. Windows has a registry, but there's no such thing as a security registry, and 'function' and 'API' are just pointlessly-doubled synonyms.

      In case anyone wants a non-mangled explanation, the linked post explains that it sets a registry key, AppCertDlls, which contains a list of DLLs that get injected into every process created (by the CreateProcess API). This is a Windows security function (designed for sysadmins to deploy DLLs into their administered machines that can white- or black-list executables according to e.g. site policy). However, you can't just pull out the highlighted words from that explanation, jumble them up randomly, and expect it to be a valid summary.

      As for it being 'unique', it's nothing of the sort, nor does the OP make that claim. It's been in use for a while by multiple viruses, and it's exactly the same as the KnownDlls technique, which has been around even longer (although IIRC MS has killed it in recent Windows.) One notable advantage of it is that, at least as recently as March last year (according to http://forum.sysinternals.com/bug-appcertdlls_topic29211.html), this key wasn't scanned by Sysinternals Autoruns. So there's an interesting thing.

      1. Destroy All Monsters Silver badge
        Paris Hilton

        Re: >"the Windows security registry function CreateProcess API"

        Very nice.

        I wonder how a downvote occurred? Did someone write a bot to randomly issue downvotes?

      2. AndrueC Silver badge

        Re: >"the Windows security registry function CreateProcess API"

        +1 because I was also wondering what the hell 'Windows security registry function CreateProcess API' was wittering on about. I thought this was some new hell foisted on us by MS.

  2. Juan Inamillion
    Happy

    Kudos

    "original password-pinching botnet badassery"

    Made my Friday.... Cheers!

  3. Scroticus Canis
    Trollface

    Ah, Windoze only malware ...

    ... makes us fanbois feel so validated!

    (OK I am going for the down vote record here, it's Friday who cares)

    1. Anonymous Coward
      Anonymous Coward

      Re: Ah, Windoze only malware ...

      Downvote? Why? We perfectly understand.

      Apple does not need external malware, it's designed-in, institutionalised, extortion :-)

      Happy week end

    2. Shrimpling
      FAIL

      Re: Ah, Windoze only malware ...

      Going for the Downvote record? You will have to try harder than that.

      Check the top post in this comment section for a good example on getting the downvotes.

      1. Mark 85 Silver badge

        Re: Ah, Windoze only malware ...

        Ah.. at last... a record for commentards to aspire to.

    3. Bloakey1

      Re: Ah, Windoze only malware ...

      Ohhh dear!!

      As a Mac, Linux, Windows user I am starting to get tired of this old religious dogmatism.

      Like the name by the way but should it not be "Coli Canis" in the vulgar form and "Testiculos Canis" in the more correct proper form?

      1. Anonymous Coward
        Anonymous Coward

        Re: Ah, Windoze only malware ...

        Ohhh dear!!

        As a Mac, Linux, Windows user I am starting to get tired of this old religious dogmatism.

        Like the name by the way but should it not be "Coli Canis" in the vulgar form and "Testiculos Canis" in the more correct proper form?

        Calm down, he/she/it is merely trolling for downvotes. Which we, being evil sods, will not give him despite this creating an entirely screwed up impression of how we value this post (trust me, it makes sense at some level - you may need to drink some more beer first).

    4. Mark 85 Silver badge

      Re: Ah, Windoze only malware ...

      I'll give you one but your post isn't really offensive or illogical enough to make the record.

  4. Anonymous Coward
    Anonymous Coward

    Insert key word ..

    Botmasters, botnet files, buggy wares, command line action, CreateProcess API., criminal underground., .dll file plug-ins, drive-by infections, Dynamic encrypted communications, Flash, Java, malware, modular, new code, new trojan, Pandemiya, pervasive, RSA researcher, Silverlight, software, trojans, Windows

  5. Acme Fixer

    What?!

    I thought I'd read the comments to find some worthwhile information. Like the song said, "I can't get no.. satis-faction..."

This topic is closed for new posts.

Biting the hand that feeds IT © 1998–2019