Trojan.Pandex – Doing More Than Spamming
Trojan.Pandex was first found in early 2007 and is a Trojan that is primarily used to send spam. Obviously the author has more ambition than to stick with simply spamming, because we've observed the Trojan enhancing its functions continuously over the past month or so.
Trojan.Pandex first arrives on a victim's computer as a downloader, whose function is to download the real payload from a remote server. To make its job more effective it also drops two .sys files. One .sys file removes the hooks on the SDT (System Service Descriptor Table) and NDIS and the filter drivers on TCPIP and the file system, which disables some of the firewalls and monitoring programs, such as Filemon and TDIMon. It will also remove a rootkit installed by another malicious program.
After these preparations the Trojan injects downloading code into an Internet Explorer process. The downloaded code is made up of two parts. One is a dropper, whose only task is to drop yet a third .sys file onto the system and register it as a system service; after that, the dropper is deleted. The other part of the code is the Trojan, which is the real payload. The payload is injected into a newly created svchost.exe process and starts sending out spam. The payload is not saved as a file on disk but exists only in memory, so how can it run after the system is restarted? The answer lies with the third .sys file. It contains the same downloading code as the original Trojan. Once it is loaded it injects that code into an svchost process (svchost again!) and downloads the whole payload again. This method makes the Trojan very flexible and extensible.
Let's look at how the Trojan has evolved since last December. In early December the downloaded code contained only the components described above: the dropper, the .sys file, and the spamming component. Its size was around 87k. Near the end of last year we found that a new payload had been added and the downloaded code increased to 103k in size. The new payload is an infostealer whose code looks very similar to Infostealer.Ldpinch. As before, the infostealer payload is also injected into an svchost process.
In the middle of January it was reported that Trojan.Pandex was spammed out again. We observed that, after Infostealer.Ldpinch, another new component had been added and the size went up to 203k. This new component monitors network traffic and records the "RCPT TO" field of SMTP packets in order to collect email addresses.
We have seen a new Trojan.Pandex downloader recently, and we're not surprised to see that the downloaded code's size has increased again. It is now 254k, with one more component added. The new component drops an .exe file onto removable drives and creates an autorun.inf file pointing to it. The dropped .exe file is another Trojan.Pandex downloader. So, beyond extending the function of the Trojan, the author is also increasing the ways it spreads. It now has worm ability.
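The removable-drive spread described above hinges on an autorun.inf whose launch entries point at an executable stored on the drive itself. As an added example (not code from the original post or from Symantec), the following Python check parses an autorun.inf the loose way Windows does and flags any such launch entry; the sample file content and its file names are constructed for illustration.

```python
from pathlib import PureWindowsPath

# Constructed sample of the autorun.inf a removable-drive worm leaves behind (file names made up;
# this is not content taken from a Trojan.Pandex sample).
SAMPLE_AUTORUN = """[autorun]
open=RECYCLER\\update.exe
shell\\open\\command=RECYCLER\\update.exe
shell\\explore\\command="RECYCLER\\update.exe" /quiet
shellexecute=RECYCLER\\update.exe
"""
EXEC_EXT = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js"}

def parse_autorun(text):
    """Loose, case-insensitive INI parse as Windows does it: {section: [(key, value), ...]}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current].append((key.strip().lower(), value.strip()))
    return sections

def launch_entries(text):
    """[autorun] entries that run a program: open=, shellexecute=, shell\\<verb>\\command=."""
    return [(k, v) for k, v in parse_autorun(text).get("autorun", [])
            if k in ("open", "shellexecute") or (k.startswith("shell\\") and k.endswith("\\command"))]

def launch_program(value):
    """Program path from a launch value, honouring a quoted path followed by arguments."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    return value.split()[0] if value else ""

def assess(text):
    """('suspicious', flagged) when a launch entry points at an executable stored on the drive
    itself (relative path, no drive letter), else ('benign', [])."""
    flagged = []
    for key, value in launch_entries(text):
        path = PureWindowsPath(launch_program(value))
        if path.drive == "" and path.suffix.lower() in EXEC_EXT:
            flagged.append((key, str(path)))
    return ("suspicious" if flagged else "benign", flagged)
```

Legitimate install media also uses open= with a relative path, so treat a "suspicious" result as a triage signal to inspect the referenced file, not as a verdict on its own.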
In what seems to be a habit of the author's, all of the payloads, including the latest variant of this Trojan, are injected into several svchost.exe processes. As the payloads increase, this "habit" is causing some side effects: in our test it made the svchost process crash and the system restart.
In less than two months the size of the malicious code has increased to three times the original size and the functionality has grown from spammer to infostealer to worm. Security Response will continue to keep a close eye on this threat, as we'll undoubtedly see new versions again.