Monday, December 31, 2012

Dexter: New Point-Of-Sale Malware

Seculert has discovered a new piece of malware called Dexter which is designed to infect retail sales workstations and steal credit card information.

How it operates:
  • It scans the process list of an infected system and looks for Point-Of-Sale software.
  • It scans the memory segments of the POS software and pulls out the credit card data.
  • Communicates data back to a C&C server.
Infection vector:
  • Looks like its targets Windows systems, including Window Server systems. 
  • 50% of the infected systems are Windows XP
  • Most targets are in western countries.
  • How a system gets infected is still unknown.
Seculert is suggesting that because Windows Server systems are getting infected then drive-by downloads or web-based social engineering is not likely.  They're also theorizing that the credit card data is being used to clone credit cards.
SpiderLabs has a great analysis of how the C&C communication actually works.  The credit card data and other information is base-64 encoded and XOR encrypted and sent to the C&C server.  It looks like there are several domain names involved as the C&C servers.  The server sends back instructions, again base-64 encoded and XOR encrypted, in a cookie.

Volatile Labs had a list of domain names that the program uses.  They're just .com names of random jibberish, and they can probably change frequently.  But look out for domains like this going through your firewall:

The good news is that if it's just Windows systems being infected then you shouldn't need to worry if you use stand-alone terminals with a direct Ethernet connection.  Chase Paymentech uses these a fair amount, and I'm pretty certain they're not using Windows on those little devices.

Here are the original Seculert posting and some additional research from Trustwave SpiderLabs and Volatile Labs.

No comments: