G DATA analysts have dug into the structure of this fixture among the trojans aimed at the banking world. A comprehensive analysis of a particularly elaborate piece of malware is now available.

Bochum – Over the last six years the banking trojan ZeuS and its variant known as “Panda” have been a ubiquitous presence in the universe of threats to banking systems. G DATA’s analysis reveals a trojan that is anything but ordinary.

How to know if your systems are infected

Let’s start with the bad news: once an unprotected machine has been infected, it is almost impossible to detect ZeuS Panda just by looking at what is on the screen. What is displayed is in fact the result of clever manipulation that presents the user with a perfect clone of a particular bank or online-payment website. Users are induced to make a donation to a charity, or are deceived with requests to return a payment supposedly received in error; the attackers even go so far as to cite money-laundering investigations by the “German financial police” (no such institution exists in Germany, at least not under that name). Besides stealing the data entered on the website and altering what the user sees, ZeuS Panda also manipulates some of the browser’s security settings and warnings that might otherwise reveal its presence.

And now the good news: technologies exist that can detect an infection even without a signature for this malware, such as G DATA BankGuard.

Why Panda is special

Many malicious programs try to evade detection and hinder analysis. ZeuS Panda is equipped with an elaborate mechanism to prevent it from being analysed: for example, it checks for indicators typical of virtual machines, including VMware, VirtualBox, Wine and any kind of Hyper-V environment. Since many analysts run malware samples in virtual environments, the malware thereby tries to frustrate the analysis. Panda also checks for the presence of many tools used by analysts, including ProcMon, Regshot, Sandboxie, Wireshark, IDA and the SoftICE debugger. If it detects one of these programs, the malware does not execute. Other malicious programs use rather superficial checks for VMware and VirtualBox, often functions copied and pasted from third-party code. In Panda’s case not only is the verification thorough, but several different packers were used to build the malicious file, which forces analysts to unpack it manually. In short, the creators of ZeuS Panda have built a malware that gives analysts a very hard time.
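The following is an added example, not G DATA’s code nor code from the malware: it emulates the gating logic described above (refuse to execute when a hypervisor, Wine, or a known analyst tool is present) so that a sandbox operator can check whether an analysis environment would trip these checks. The process image names, driver names and SMBIOS marker strings are assumptions chosen for the demonstration; the sample `tasklist` output and host snapshots are constructed, not captured from a real system.

```python
"""Illustrative emulation of the anti-analysis gate the analysis attributes
to ZeuS Panda.  Added example, not G DATA's code nor the malware's code.
Image names, driver names and VM marker strings below are assumptions."""
import csv
from dataclasses import dataclass, field
from io import StringIO

# Assumed image names of the analyst tools named in the analysis.
ANALYST_PROCESSES = {
    "procmon.exe", "procmon64.exe",   # Process Monitor
    "regshot.exe",                     # Regshot
    "sbiesvc.exe", "sbiectrl.exe",     # Sandboxie service and control UI
    "wireshark.exe",                   # Wireshark
    "ida.exe", "ida64.exe",            # IDA
}
# Assumed driver names loaded by the SoftICE kernel debugger.
DEBUGGER_DRIVERS = {"ntice.sys", "winice.sys"}
# Assumed substrings found in SMBIOS manufacturer/product strings of VMs.
VM_MARKERS = {
    "vmware": "VMware",
    "virtualbox": "VirtualBox",
    "innotek": "VirtualBox",
    "virtual machine": "Hyper-V",   # Hyper-V reports the product "Virtual Machine"
}
# Wine's kernel32.dll exposes this export; native Windows does not.
WINE_EXPORT = "wine_get_unix_file_name"


@dataclass
class HostSnapshot:
    """What the gate inspects: running images, loaded drivers, SMBIOS strings
    and the export table of kernel32.dll."""
    processes: list[str] = field(default_factory=list)
    drivers: list[str] = field(default_factory=list)
    smbios_strings: list[str] = field(default_factory=list)
    kernel32_exports: set[str] = field(default_factory=set)


def find_analysis_indicators(host: HostSnapshot) -> list[str]:
    """Return every reason the sample would refuse to run, deduplicated and sorted."""
    hits = []
    for image in host.processes:
        if image.lower() in ANALYST_PROCESSES:
            hits.append(f"tool:{image.lower()}")
    for driver in host.drivers:
        if driver.lower() in DEBUGGER_DRIVERS:
            hits.append(f"debugger:{driver.lower()}")
    for text in host.smbios_strings:
        for marker, product in VM_MARKERS.items():
            if marker in text.lower():
                hits.append(f"vm:{product}")
    if WINE_EXPORT in host.kernel32_exports:
        hits.append("wine")
    return sorted(set(hits))


def would_sample_run(host: HostSnapshot) -> bool:
    """True when none of the described checks fires, i.e. the malware would execute."""
    return not find_analysis_indicators(host)


def processes_from_tasklist_csv(text: str) -> list[str]:
    """Parse `tasklist /fo csv` output (header row, then one row per process)
    into image names, so a real Windows host can be fed to the gate."""
    rows = list(csv.reader(StringIO(text)))
    return [row[0] for row in rows[1:] if row]


# Constructed sample data, not captured from any real host.
TASKLIST_ANALYST_VM = '''"Image Name","PID","Session Name","Session#","Mem Usage"
"explorer.exe","1504","Console","1","45,120 K"
"Procmon64.exe","2240","Console","1","38,004 K"
"Wireshark.exe","3116","Console","1","210,332 K"
'''
ANALYST_VM = HostSnapshot(
    processes=processes_from_tasklist_csv(TASKLIST_ANALYST_VM),
    drivers=["ntfs.sys", "ntice.sys"],
    smbios_strings=["VMware, Inc.", "VMware Virtual Platform"],
)
VICTIM_PC = HostSnapshot(
    processes=["explorer.exe", "outlook.exe", "chrome.exe"],
    drivers=["ntfs.sys", "tcpip.sys"],
    smbios_strings=["Dell Inc.", "OptiPlex 7040"],
)

if __name__ == "__main__":
    for name, host in (("analyst VM", ANALYST_VM), ("victim PC", VICTIM_PC)):
        print(f"{name}: runs={would_sample_run(host)} "
              f"indicators={find_analysis_indicators(host)}")
```

On a real Windows host, `tasklist /fo csv` output can be passed to `processes_from_tasklist_csv` and the driver list and SMBIOS strings filled in by hand; every indicator the function reports is one the sample, as described, would use as a reason not to run, and therefore one a sandbox operator has to hide or rename before the sample will show its behaviour.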

Other malware found online uses similar techniques, but in many cases the implementation is poor or the trojan itself contains bugs that limit its effectiveness. Among the many examples are cases where, after deobfuscating the code, the URL the malware was supposed to contact turned out to contain a typo, crippling the whole construct.

This is not the case with ZeuS Panda, whose task is to keep collecting data until ordered otherwise. Even if its command-and-control server is taken off the network, the malware keeps accumulating data on the system until it can upload them to another server.

A “Swiss army knife” manufactured in eastern Europe

What distinguishes Panda, beyond its evasion mechanisms and the quality of its production, is its versatility. Although ZeuS Panda is primarily a banking trojan, it can also steal other kinds of data from a system, including the contents of the clipboard (what is copied from one file to be pasted elsewhere; password managers often use the clipboard to transfer credentials from the manager to another application or website) and screenshots. It can also implement a full backdoor on the infected system via VNC. The situation is comparable to having someone sitting behind us, spying on us around the clock.

Which ZeuS Panda functions are actually active on a system depends on the malware’s configuration, which is updated automatically at regular intervals. The application can therefore turn from a banking trojan into spyware or a remote-control tool for the PC within a few minutes, at the attacker’s sole discretion.

As for the origin of ZeuS Panda, the indications are very clear: the malware does not activate if it detects that the attacked system is located in Russia, Ukraine, Belarus or Kazakhstan.

Detailed analysis

The report containing the detailed technical analysis of ZeuS Panda can be downloaded from the G DATA Advanced Analytics site and is complemented by two articles posted by the team on the same site (Part 1 and Part 2).

Who is G DATA

IT security was born in Germany: G DATA Software AG is considered the inventor of antivirus software. The company, founded in 1985 in Bochum, developed the first program against the spread of computer viruses over 30 years ago. Today G DATA is one of the world’s leading providers of IT security solutions.

Numerous tests conducted both in Germany and by well-known international organisations, as well as comparative tests by independent specialist magazines, have shown that IT security “Made in Germany” offers Internet users the best possible protection. In March 2017 the solution obtained, for the tenth consecutive year, an excellent rating for virus detection from Stiftung Warentest.

For the second consecutive year, G DATA is also a technical partner of Ducati Corse in MotoGP, with the task of protecting the IT systems of the Ducati track team.

G DATA’s product portfolio includes security solutions for both individuals and companies, from SMEs to large enterprises. G DATA security solutions are available in more than 90 countries worldwide.

More information on G DATA and its security solutions is available on the website


SAB Communications snc – G DATA press office
Via della Posta 16
CH – 6934 Bioggio
Tel: +41 91 2342397