Researchers find new point-of-sale malware
The malware can read card data from the memory of point-of-sale systems, a technique increasingly used by cybercriminals
IDG News Service - In the wake of a large-scale attack on point-of-sale (PoS) systems at retailer Target, new malware designed to steal payment card data from the sales systems was released earlier this month.
Security researchers from cybercrime intelligence firm IntelCrawler identified a PoS RAM (random access memory) scraping program dubbed Decebal that they believe was released on Jan. 3. The release shows that cybercriminals are increasingly interested in launching this type of attack.
The malware is written in VBScript (Visual Basic Scripting) in less than 400 lines of code. Despite looking fairly unsophisticated, it can grab track 2 data -- data encrypted on the magnetic stripe of credit or debit cards -- from PoS memory and contains routines to evade malware analysis tools, like antivirus sandboxes and virtual machines.
The use of a scripting language to create malware is not unusual, but is highly uncommon for this particular type of threat. Andrey Komarov, CEO of IntelCrawler, said this is the first time he's seen PoS malware written in VBScript.
Using this language provides some benefits, such as portability: VBScript works by default in all Windows versions since Windows 98 and doesn't require a separate interpreter. Many PoS systems run a version of Windows Embedded.
VBScript is also commonly used by Windows system administrators to automate different tasks and can be called by other scripts and programs, which could make this particular malware inconspicuous, Komarov said.
Decebal sends the stolen card data to a command-and-control server, specifically a single 44-line PHP script running on a Web server that sorts the information and stores it.
Various text strings found in the malware code suggest its authors are likely Romanian, the IntelCrawler researchers said in a blog post. The name chosen by its creators also points in this direction, Decebal being the Romanian name of Dacian king Decebalus, an important figure in Romanian history.
Bogdan Botezatu, a senior e-threat analyst at Romanian antivirus firm Bitdefender, agreed with IntelCrawler's assessment of the malware's origins. "Most of the strings, functions and variable names are clearly Romanian words so chances are that the malware has been written by a Romanian citizen," he said Friday via email.
There were at least four separate strains of PoS RAM scraping malware developed in the past year, Botezatu said. "This shows a pattern, and we expect that cybercriminals will continue to use them as long as they work."
The Target data breach, which resulted in the compromise of 40 million credit and debit cards, involved malware being installed on PoS terminals. A separate credit card breach was confirmed last week at high-end retailer Neiman Marcus and there are reports of other, as yet undisclosed, retailers being compromised in a similar way.