Researchers find new point-of-sale malware
The malware can read card data from the memory of point-of-sale systems, a technique increasingly used by cybercriminals
IDG News Service - In the wake of a large-scale attack on point-of-sale (PoS) systems at retailer Target, new malware designed to steal payment card data from the sales systems was released earlier this month.
Security researchers from cybercrime intelligence firm IntelCrawler identified a PoS RAM (random access memory) scraping program dubbed Decebal that they believe was released on Jan. 3. The release shows that cybercriminals are increasingly interested in launching this type of attack.
The malware is written in VBScript (Visual Basic Scripting) and is fewer than 400 lines of code. Despite looking fairly unsophisticated, it can grab track 2 data -- data encrypted on the magnetic stripe of credit or debit cards -- from PoS memory and contains routines to evade malware analysis tools, such as antivirus sandboxes and virtual machines.
The use of a scripting language to create malware is not unusual, but is highly uncommon for this particular type of threat. Andrey Komarov, CEO of IntelCrawler, said this is the first time he's seen PoS malware written in VBScript.
Using this language provides some benefits, such as portability: it works by default in all Windows versions since Windows 98 and doesn't require a separate interpreter. Many PoS systems run a version of Windows Embedded.
VBScript is also commonly used by Windows system administrators to automate different tasks and can be called by other scripts and programs, which could make this particular malware inconspicuous, Komarov said.
Decebal sends the stolen card data to a command-and-control server, specifically to a single 44-line PHP script running on a Web server, which sorts the information and stores it.
Various text strings found in the malware code suggest its authors are likely Romanian, the IntelCrawler researchers said in a blog post. The name chosen by its creators also points in this direction, Decebal being the Romanian name of Dacian king Decebalus, an important figure in Romanian history.
Bogdan Botezatu, a senior e-threat analyst at Romanian antivirus firm Bitdefender, agreed with IntelCrawler's assessment of the malware's origins. "Most of the strings, functions and variable names are clearly Romanian words so chances are that the malware has been written by a Romanian citizen," he said Friday via email.
There were at least four separate strains of PoS RAM scraping malware developed in the past year, Botezatu said. "This shows a pattern, and we expect that cybercriminals will continue to use them as long as they work."
The Target data breach, which resulted in the compromise of 40 million credit and debit cards, involved malware being installed on PoS terminals. A separate credit card breach was confirmed last week at high-end retailer Neiman Marcus and there are reports of other, as yet undisclosed, retailers being compromised in a similar way.