
Analysis of Dexter Malware Uncovers Mystery Man, and Links To Zeus

Posted by timothy
from the herra-not-named-in-indictment dept.
chicksdaddy writes "The newly discovered Dexter malware is one of the few examples of a malicious program that targets point of sale terminals, but also communicates, botnet-like, with a command and control infrastructure. According to an analysis by Seculert, the custom malware has infected 'hundreds POS systems' including those operated by 'big-name retailers, hotels, restaurants and even private parking providers.' Now a detailed analysis by Verizon's RISK team suggests that Dexter may be a creation of a group responsible for the ubiquitous Zeus banking Trojan. By analyzing early variants of Dexter discovered in the wild, Verizon determined that the IP addresses used for Dexter's command and control were also used to host Zeus-related domains and several domains for Vobfus, also known as 'the porn worm,' which has been used to deliver the Zeus malware. Verizon also produced some tantalizing clues as to the identity of one individual who may be a part of the crew responsible for the malware. The RISK team linked the domain registration for a Dexter C&C server to an unusual online handle, 'hgfrfv,' that was used to post a number of suggestive help requests ('need help with decrypting a table encrypted with EncryptByKey') in online technical forums, where a live.com e-mail address was also provided. The account name was also linked to a shell account on the outsourcing web site freelancer.com, which lists 'hgfrfv' as an individual residing in the Russian Federation."
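The attribution step in the summary is an infrastructure pivot: C&C addresses seen in early Dexter samples also hosted Zeus and Vobfus domains. The following is an added illustration of that pivot over constructed passive-DNS-style records (placeholder domains and RFC 5737 documentation addresses, not indicators from the Verizon or Seculert analyses); it is not code from either report.

```python
"""Infrastructure-overlap pivot: find C&C IPs that more than one malware
family resolved to, and report which domains of each family share them.

SAMPLE_RECORDS is constructed sample data, not real indicators."""
from collections import defaultdict

# Constructed passive-DNS style records: (family, domain, resolved_ip).
SAMPLE_RECORDS = [
    ("dexter", "dexter-c2.example", "198.51.100.10"),
    ("dexter", "dexter-c2.example", "198.51.100.11"),
    ("zeus", "zeus-panel.example", "198.51.100.10"),
    ("zeus", "zeus-drop.example", "203.0.113.5"),
    ("vobfus", "vobfus-dl.example", "198.51.100.11"),
    ("vobfus", "vobfus-alt.example", "203.0.113.9"),
]


def shared_infrastructure(records):
    """Return {ip: {family: {domains}}} for IPs used by two or more families."""
    by_ip = defaultdict(lambda: defaultdict(set))
    for family, domain, ip in records:
        by_ip[ip][family].add(domain)
    # Only addresses shared across families are interesting as pivots.
    return {ip: {f: set(d) for f, d in fams.items()}
            for ip, fams in by_ip.items() if len(fams) >= 2}


def linked_families(records, family):
    """Families sharing at least one C&C IP with `family`, keyed to those IPs."""
    links = defaultdict(set)
    for ip, fams in shared_infrastructure(records).items():
        if family in fams:
            for other in fams:
                if other != family:
                    links[other].add(ip)
    return dict(links)


if __name__ == "__main__":
    for ip, fams in sorted(shared_infrastructure(SAMPLE_RECORDS).items()):
        print(ip, {f: sorted(d) for f, d in fams.items()})
    print(linked_families(SAMPLE_RECORDS, "dexter"))
```

A shared address is a lead, not proof: bulletproof hosters and shared VPS ranges put unrelated crews on the same IP, so each hit still needs corroboration (registrant data, timing, sample overlap) before it supports attribution.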


  • POS Terminals (Score:3, Interesting)

    by Anonymous Coward on Sunday December 16, 2012 @07:32AM (#42306457)

    You can keep your own systems safe, and even use one-off CC#s for online purchases, but you can't verify that retailers' POS equipment is clean (you'll probably be tossed out of the store just for asking). When in public, use cash. Let's just hope you can trust the ATMs that you use.

  • by Anonymous Coward on Sunday December 16, 2012 @07:58AM (#42306511)

    Just look for the Windows icon in the bottom left corner of any of the running terminals. When they're using these POS POS machines, it's invariably the Windows ones that are the problem. They're typically Windows Embedded, but nobody ever turned off all the parts because of the dependencies.

    So you'll see it's just a cheap PC, running an old version of Windows, connected across the store's crappy, insecure Wi-Fi, which probably talks to the software vendor across the open internet.

    So, if you see the Windows logo on the terminal, just pay cash or leave the store, but don't hand your CC over.

    Oh, and the same goes for ATMs, the insecure ones are things like Diebolds, and I wish I could find the video of one that crashed, and so somebody started up media player on it and had it play a tune.

    http://thetartan.org/2004/3/22/scitech/brokenatmturnedintojukebox

    At some point, the manufacturers have to be held liable for the incompetent products they put out.

  • by allaunjsilverfox2 (882195) on Sunday December 16, 2012 @08:59AM (#42306649) Homepage Journal

    So I work at a large grocery store. How do I get my IT department up to date on this issue? We have been compromised in the past and I have been noticing some strange things showing up on my terminals.

    If your IT department isn't already on top of it, you have much bigger problems.

  • unusual handle??? (Score:2, Interesting)

    by Anonymous Coward on Sunday December 16, 2012 @09:00AM (#42306653)

    I'm serious, trace hgfrfv on the keyboard.... I swear I think the people who protect our country don't look for the stupidest things.

    r
    fgh
    v

    If it's not a penis it's some other random punch.

    This submission is bull... WTF happened to Slashdot...
