Seculert’s experts have found a specialized piece of malware that steals bank card details from Windows-based point-of-sale (PoS) terminals.
The malware, named Dexter, injects itself into the iexplore.exe process, which it restarts if the process is terminated by hand. It then builds a list of active processes, determines the accessible memory region of each one, reads that region into a local buffer using ReadProcessMemory, and parses the resulting dump looking for information to copy and send out.
According to a Kaspersky Lab blog post, Dexter is interested in the Track 1 and Track 2 data of payment cards: the cardholder’s name, expiration date and card number, including the issuer identifier, card class and type, the account number and sometimes the country code. This information is sufficient to produce a counterfeit card.
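The two paragraphs above describe what the scraper looks for in process memory: magnetic-stripe Track 1 and Track 2 records. The script below is an added example, not code from the article, from Seculert, Kaspersky Lab, Trustwave or Verizon; it is a defensive check that an incident responder or PCI assessor can run over a captured process or memory dump to confirm whether cleartext track data sits unprotected in a PoS process (the exposure Dexter exploits). The track layouts follow ISO/IEC 7813, hits are filtered with a Luhn check so random digit runs are not reported, and PANs are masked in the output so the report does not re-expose card data. The sample dump and card numbers are constructed test values, not real cards.

```python
"""
Defensive scan of a memory dump for cleartext magnetic-stripe track data.
Added example for illustration; the sample buffer below is constructed.
"""
import re

# Track 2 (ISO/IEC 7813): PAN '=' YYMM expiry + 3-digit service code
# + discretionary data, terminated by '?'.
TRACK2_RE = re.compile(rb'\b(\d{13,19})=(\d{4})(\d{3})[0-9]*\?')

# Track 1 format B: '%B' PAN '^' NAME '^' YYMM expiry + service code
# + discretionary data, terminated by '?'.
TRACK1_RE = re.compile(rb'%B(\d{13,19})\^([A-Z /.]{2,26})\^(\d{4})[0-9A-Z ]*\?')


def luhn_valid(pan: str) -> bool:
    """Luhn mod-10 check; weeds out digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the BIN (first 6) and last 4 digits, as PCI DSS masking allows."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_buffer(buf: bytes) -> list:
    """Return Luhn-valid track hits as dicts: track type, offset, masked PAN, expiry.

    The offset lets a responder map the finding back to the process region
    it came from; nothing unmasked is returned.
    """
    findings = []
    for m in TRACK1_RE.finditer(buf):
        pan = m.group(1).decode()
        if luhn_valid(pan):
            findings.append({"track": 1, "offset": m.start(),
                             "pan": mask_pan(pan), "expiry": m.group(3).decode()})
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        if luhn_valid(pan):
            findings.append({"track": 2, "offset": m.start(),
                             "pan": mask_pan(pan), "expiry": m.group(2).decode()})
    return sorted(findings, key=lambda f: f["offset"])


# Constructed sample dump: two valid test records (industry test PANs) and
# one record whose PAN fails the Luhn check and must be ignored.
SAMPLE_DUMP = (
    b"\x00\x00heap junk\x00"
    b"%B4111111111111111^DOE/JOHN^25121010000000000?"     # Track 1, constructed
    b"\x00\x00"
    b";5555555555554444=25121010000000000000?"            # Track 2, constructed
    b"\x00"
    b";4111111111111112=2512101?"                         # Track 2 shape, bad Luhn
    b"\x00"
)

if __name__ == "__main__":
    for f in scan_buffer(SAMPLE_DUMP):
        print(f"track {f['track']} at offset {f['offset']}: "
              f"PAN {f['pan']} exp {f['expiry']}")
```

Run it against a real dump by reading the file into `buf` and calling `scan_buffer(buf)`; any finding means track data is resident in cleartext and the process (and the memory-protection posture of the terminal) needs attention regardless of whether a scraper is present.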
The stolen data is encrypted and sent via HTTP POST to a remote C&C server. Responses from the server, including updates and the self-removal command, reach the malware as an encrypted cookie. The encryption scheme used by Dexter is discussed in detail in a Trustwave blog post. Requests to the command server go to a hard-coded list of seven domain names in the .com zone. According to Verizon, six of them are registered through a privacy-protection service and resolve to the same IP address, one well known to researchers from ZeuS. In earlier test versions of Dexter, a single IP address was specified instead of a domain name. That address, like the autonomous system it belongs to (AS58001), has a bad reputation. Verizon experts also saw some similarities in the behavior of ZeuS and Dexter, and noted that some of the antivirus engines on VirusTotal detect the new PoS malware as ZeuS.
As far as is known, Dexter has existed on the Internet for a few months and has managed to hit hundreds of PoS systems in well-known retail chains, hotels and restaurants, as well as private parking facilities. Seculert detected its presence in 40 countries, with 30% of infections in the U.S. and 19% in the UK. Dexter’s distribution method has not been determined; it is known only that half of the victims run Windows XP and over 30% run a server OS.