Researchers find new point-of-sale malware
The malware can read card data from the memory of point-of-sale systems, a technique increasingly used by cybercriminals
IDG News Service - In the wake of a large-scale attack on point-of-sale (PoS) systems at retailer Target, new malware designed to steal payment card data from the sales systems was released earlier this month.
Security researchers from cybercrime intelligence firm IntelCrawler identified a PoS RAM (random access memory) scraping program dubbed Decebal that they believe was released on Jan. 3. The release shows that cybercriminals are increasingly interested in launching this type of attack.
The malware is written in VBScript (Visual Basic Scripting) in less than 400 lines of code. Despite looking fairly unsophisticated, it can grab track 2 data -- the data encoded on the magnetic stripe of credit or debit cards -- from PoS memory, and it contains routines to evade malware analysis tools such as antivirus sandboxes and virtual machines.
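The defensive counterpart of what the article describes is to check whether cleartext track 2 records are present in a PoS process's memory at all, since a RAM scraper can only steal what is sitting there unencrypted. The following is an added Python example, not IntelCrawler's code and not the malware itself, that scans a memory snapshot for the track 2 layout and applies a Luhn check to drop look-alike digit runs. The memory bytes, the PAN (the well-known 4111111111111111 test number), the byte offsets and the function names are all constructed for the example; findings carry a masked PAN only, so the tool itself never writes full card numbers to its output.

```python
import re
from typing import Dict, List

# Constructed stand-in for a few bytes of a PoS process memory snapshot.
# The card numbers are the public test PAN 4111111111111111 and a
# Luhn-invalid look-alike; nothing here is real cardholder data.
SAMPLE_MEMORY = (
    b"\x00\x00POSAPP v2.1\x00"
    b";4111111111111111=25121011234567890?"   # track 2 record, Luhn-valid PAN
    b"\x00\x00txn=00042\x00"
    b";4111111111111112=25121011234567890?"   # look-alike with a bad check digit
    b"\x00receipt 0042 total 19.99\x00"
)

# Track 2 layout: ';' start sentinel, PAN (13-19 digits), '=' separator,
# YYMM expiry, 3-digit service code, discretionary data, '?' end sentinel.
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{2})(\d{2})(\d{3})(\d*)\?")


def luhn_valid(pan: str) -> bool:
    """Standard Luhn (mod 10) check; filters most accidental digit runs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the first 6 and last 4 digits, the usual display form."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_for_track2(blob: bytes) -> List[Dict[str, object]]:
    """Return one finding per Luhn-valid track 2 record found in blob.

    Each finding records the byte offset, a masked PAN, expiry and service
    code; the full PAN is deliberately never stored or returned.
    """
    findings: List[Dict[str, object]] = []
    for m in TRACK2_RE.finditer(blob):
        pan = m.group(1).decode("ascii")
        if not luhn_valid(pan):
            continue            # digit run that merely looks like a card number
        findings.append({
            "offset": m.start(),
            "masked_pan": mask_pan(pan),
            "expiry": f"{m.group(3).decode()}/{m.group(2).decode()}",  # MM/YY
            "service_code": m.group(4).decode("ascii"),
        })
    return findings


if __name__ == "__main__":
    for f in scan_for_track2(SAMPLE_MEMORY):
        print(f"cleartext track 2 data at offset {f['offset']}: "
              f"PAN {f['masked_pan']} exp {f['expiry']} svc {f['service_code']}")
```

Run against the constructed snapshot, the scan reports a single record at offset 14 (the second candidate is rejected by the Luhn check). In practice the same function would be fed a process dump taken from the PoS application under test; a hit means card data is exposed in memory in exactly the form a scraper such as Decebal harvests, which is the condition point-to-point encryption at the card reader is meant to remove.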
The use of a scripting language to create malware is not unusual, but is highly uncommon for this particular type of threat. Andrey Komarov, CEO of IntelCrawler, said this is the first time he's seen PoS malware written in VBScript.
Using this language provides some benefits, such as portability: it works by default in all Windows versions since Windows 98 and doesn't require a separate interpreter. Many PoS systems run a version of Windows Embedded.
VBScript is also commonly used by Windows system administrators to automate different tasks and can be called by other scripts and programs, which could make this particular malware inconspicuous, Komarov said.
Decebal sends the stolen card data to a command-and-control server, specifically to a single 44-line PHP script running on a Web server that sorts the information and stores it.
Various text strings found in the malware code suggest its authors are likely Romanian, the IntelCrawler researchers said in a blog post. The name chosen by its creators also points in this direction, Decebal being the Romanian name of Dacian king Decebalus, an important figure in Romanian history.
Bogdan Botezatu, a senior e-threat analyst at Romanian antivirus firm Bitdefender, agreed with IntelCrawler's assessment of the malware's origins. "Most of the strings, functions and variable names are clearly Romanian words so chances are that the malware has been written by a Romanian citizen," he said Friday via email.
There were at least four separate strains of PoS RAM scraping malware developed in the past year, Botezatu said. "This shows a pattern, and we expect that cybercriminals will continue to use them as long as they work."
The Target data breach, which resulted in the compromise of 40 million credit and debit cards, involved malware being installed on PoS terminals. A separate credit card breach was confirmed last week at high-end retailer Neiman Marcus and there are reports of other, as yet undisclosed, retailers being compromised in a similar way.