
Analysis of Dexter Malware Uncovers Mystery Man, and Links To Zeus

Posted by timothy
from the herra-not-named-in-indictment dept.
chicksdaddy writes "The newly discovered Dexter malware is one of the few examples of a malicious program that targets point of sale terminals, but also communicates, botnet-like, with a command and control infrastructure. According to an analysis by Seculert, the custom malware has infected 'hundreds POS systems' including those operated by 'big-name retailers, hotels, restaurants and even private parking providers.' Now a detailed analysis by Verizon's RISK team suggests that Dexter may be a creation of a group responsible for the ubiquitous Zeus banking Trojan. By analyzing early variants of Dexter discovered in the wild, Verizon determined that the IP addresses used for Dexter's command and control were also used to host Zeus-related domains and several domains for Vobfus, also known as 'the porn worm,' which has been used to deliver the Zeus malware. Verizon also produced some tantalizing clues as to the identity of one individual who may be a part of the crew responsible for the malware. The RISK team linked the domain registration for a Dexter C&C server to an unusual online handle, 'hgfrfv,' that was used to post a number of suggestive help requests ('need help with decrypting a table encrypted with EncryptByKey') in online technical forums, where a live.com e-mail address was also provided. The account name was also linked to a shell account on the outsourcing web site freelancer.com, which lists 'hgfrfv' as an individual residing in the Russian Federation."
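The summary's attribution argument rests on one pivot: IPs that served Dexter's C&C also served Zeus and Vobfus domains. Below is an added example (not Verizon's, Seculert's, or the submitter's code) of that infrastructure-overlap pivot in Python, run over constructed resolution records with documentation-range IPs and invented domain names, not real indicators. It also handles the caveat a practitioner would raise before accepting such a link: an IP that co-hosts dozens of unrelated tenants (shared hosting, a CDN edge) proves nothing about a common operator, so such IPs are excluded by a configurable threshold.

```python
"""Infrastructure-overlap pivot of the kind the summary above attributes to
Verizon's RISK team: start from a known Dexter C&C domain, collect every IP
it resolved to, and list the other domains seen on those same IPs.

Added example, not Verizon's or Seculert's code. The records below are
constructed; the names and addresses are placeholders, not real indicators.
"""
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Set, Tuple

# (domain, ip, family): family is a label an analyst already assigned,
# None means unattributed. Constructed sample data, not real observations.
Record = Tuple[str, str, Optional[str]]

SAMPLE_RECORDS: List[Record] = [
    ("dexter-c2.example", "203.0.113.10", "dexter"),
    ("dexter-c2.example", "203.0.113.11", "dexter"),
    ("zeus-panel.example", "203.0.113.10", "zeus"),
    ("vobfus-drop.example", "203.0.113.11", "vobfus"),
    ("mystery.example", "203.0.113.11", None),
    ("cdn-shared.example", "203.0.113.10", None),
    ("cdn-shared.example", "198.51.100.7", None),
    ("unrelated-shop.example", "198.51.100.5", None),
]

# A shared-hosting address with dozens of tenants. The seed once resolved
# there too; this is exactly the kind of IP that must not be used to pivot.
SHARED_HOST_IP = "192.0.2.1"
SAMPLE_RECORDS += [(f"tenant{i}.example", SHARED_HOST_IP, None) for i in range(60)]
SAMPLE_RECORDS.append(("dexter-c2.example", SHARED_HOST_IP, "dexter"))


def build_index(records: Iterable[Record]):
    """Build ip -> domains and domain -> ips maps from resolution records."""
    ip_to_domains: Dict[str, Set[str]] = defaultdict(set)
    domain_to_ips: Dict[str, Set[str]] = defaultdict(set)
    for domain, ip, _ in records:
        ip_to_domains[ip].add(domain)
        domain_to_ips[domain].add(ip)
    return ip_to_domains, domain_to_ips


def pivot_from_seed(records: Iterable[Record], seed: str,
                    max_domains_per_ip: int = 50) -> Dict[str, Set[str]]:
    """Return {ip: other domains on that ip} for every IP the seed used.

    IPs hosting more than max_domains_per_ip domains are dropped: shared
    hosting and CDN edges co-host unrelated sites, so overlap there says
    nothing about a common operator. The threshold is a heuristic (assumed).
    """
    records = list(records)
    ip_to_domains, domain_to_ips = build_index(records)
    hits: Dict[str, Set[str]] = {}
    for ip in sorted(domain_to_ips.get(seed, ())):
        tenants = ip_to_domains[ip]
        if len(tenants) > max_domains_per_ip:
            continue
        hits[ip] = tenants - {seed}
    return hits


def overlapping_families(records: Iterable[Record], seed: str,
                         max_domains_per_ip: int = 50) -> Set[str]:
    """Labelled families other than the seed's own that share its IPs."""
    records = list(records)
    labels = {d: fam for d, _, fam in records if fam}
    seed_family = labels.get(seed)
    found: Set[str] = set()
    for cohosted in pivot_from_seed(records, seed, max_domains_per_ip).values():
        for d in cohosted:
            fam = labels.get(d)
            if fam and fam != seed_family:
                found.add(fam)
    return found


def unattributed_cohosted(records: Iterable[Record], seed: str,
                          max_domains_per_ip: int = 50) -> Set[str]:
    """Unlabelled domains on the seed's IPs: leads to check next (registrant,
    name servers, content), not conclusions."""
    records = list(records)
    labelled = {d for d, _, fam in records if fam}
    leads: Set[str] = set()
    for cohosted in pivot_from_seed(records, seed, max_domains_per_ip).values():
        leads |= {d for d in cohosted if d not in labelled}
    return leads


if __name__ == "__main__":
    seed = "dexter-c2.example"
    for ip, doms in pivot_from_seed(SAMPLE_RECORDS, seed).items():
        print(ip, sorted(doms))
    print("families:", sorted(overlapping_families(SAMPLE_RECORDS, seed)))
    print("leads:", sorted(unattributed_cohosted(SAMPLE_RECORDS, seed)))
```

The unattributed co-hosted domains are where the write-up's next step (registrant data, the 'hgfrfv' handle) comes in; IP overlap alone only nominates candidates.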


  • POS Terminals (Score:3, Interesting)

    by Anonymous Coward on Sunday December 16, 2012 @07:32AM (#42306457)

    You can keep your own systems safe, and even use one-off CC#'s for online purchases, but you can't verify that retailers' POS equipment is clean (you'll probably be tossed out of the store just for asking). When in public, use cash. Let's just hope you can trust the ATMs that you use.

    • by Anonymous Coward

      Just look for the Windows icon in the bottom left corner of any of the running terminals. When they're using these POS POS machines, it's invariably the Windows ones that are the problem. They're typically Windows Embedded, but nobody ever turned off all the parts because of the dependencies.

      So you'll see it's just a cheap PC, running an old version of Windows, connected across the store's crappy unsecured Wi-Fi, which probably talks to the software vendor across the open internet.

      So, if you see the Windows logo

      • Just look for the Windows icon in the bottom left corner of any of the running terminals. When they're using these POS POS machines, it's invariably the Windows ones that are the problem.

        In the recent Barnes & Noble POS attack, the actual hardware was compromised. No word on what OS was behind it, though.

      • So you'll see it's just a cheap PC, running an old version of Windows, connected across the store's crappy unsecured Wi-Fi, which probably talks to the software vendor across the open internet.

        That is absolutely not possible. They're PCI certified!

      • by Darundal (891860)
        Tons of POS software goes fullscreen on launch. Looking for a Windows logo won't help you most of the time.
    • > Let's just hope you can trust the ATMs that you use.

      No, you cannot. I've lost count of how many times my cards have been skimmed and defrauded in various ways. Luckily, I have not taken any loss myself, but it is still a hassle to report, renew the cards, etc.

      If you are really paranoid about these things, you'll have to use cash as you said, but go inside the bank to withdraw your money. On a regular basis, that's probably even more hassle, and also puts you at risk of being mugged.

      As always, sec
    • They're called POS terminals for a reason ;)
    • I remember the days when POS terminals were a glorified calculator. Making them out of cheap PCs did not make anything better.

    • by tlhIngan (30335)

      You can keep your own systems safe, and even use one-off CC#'s for online purchases, but you can't verify that retailers' POS equipment is clean (you'll probably be tossed out of the store just for asking). When in public, use cash. Let's just hope you can trust the ATMs that you use.

      So... the big problem is that someone will capture your credit card number?

      I don't know, but I don't think that's exactly a good hack - after all, you're legally protected if someone uses your credit card without your authorizat

  • by Anonymous Coward

    So I work at a large grocery store. How do I get my IT department up to date on this issue? We have been compromised in the past and I have been noticing some strange things showing up on my terminals.

  • Using Windows for anything that requires security is just stupid!

    Putting a Windows server on the internet is a generally accepted "bad idea." Putting a Windows machine onto the internet without being crippled with anti-ware and a multitude of filters is a "bad idea" which invariably still leads to compromises because anti-ware and filters will never be enough.

    And someone wants to put Windows into ATMs and POS machines?! And people BUY them?!

    "I don't want to live on this planet any more."

    • by Anonymous Coward

      Current history shows Linux doesn't do so well in that role (small wonder you were down-modded as a troll, erroneous):

      2012:

      New Linux Rootkit Emerges:

      https://threatpost.com/en_us/blogs/new-linux-rootkit-emerges-112012 [threatpost.com]

      "A new Linux rootkit has emerged and researchers who have analyzed its code and operation say that the malware appears to be a custom-written tool designed to inject iframes into Web sites and drive traffic to malicious sites for drive-by download attacks. The rootkit is designed specifically fo

      • by cmdr_tofu (826352) on Sunday December 16, 2012 @11:00AM (#42306999) Homepage

        I think what you are seeing is web-applications hosted on Linux being hacked. Apache and MySQL run on Windows too although the WAMP stack is harder to keep updated than the LAMP stack.

        But I don't disagree with you. Hosting applications on Linux does not make them secure. It takes a lot of time and energy. The same is true for Windows. The iframe-injecting kernel module that you linked to is really quite interesting.

        Where the rubber meets the road, I think Linux and BSD still win in performance, security and manageability, but you are correct, the margins are a lot slimmer. Windows Server 2008 is not Windows 95 or XP.

        • by morcego (260031)

          Hosting applications on Linux does not make them secure. It takes a lot of time and energy. The same is true for Windows.

          Thank you. I'm a Unix guy, and have been using Linux since kernel 0.97. And I hate when people say things like that, implying that just because it is on Linux, it is secure. It is not, and it takes a lot of work and knowledge to make any computer, running any OS, secure.

          The difference is that Linux will help you, while Windows will hinder your efforts.

        • Hosting applications on Linux does not make them ecure.

          It depends on the application. For instance: If you've got a bad case of the MS vendor-lock-in, then the option of hosting on Linux may very well be an eCure.

        • by erroneus (253617)

          Two problems:

          1. You just responded to APK. I am really and truly sorry for what happens to people who respond to APK. His paranoid imagination and school-boy level of maturity does not allow him to understand that people simply don't care what he has to say. It is always a fight to him... most often to some imaginary form of death.
          2. Yes. Linux can be insecure. But it actually takes work to MAKE it insecure these days. Have you ever wrestled with SELinux? It's on by default in most current Linux dist

        • by erroneus (253617)

          OMFG :) Do you see what this guy does?! He goes absolutely nuts with commentary as if people live on slashdot and do nothing else! It's beyond imagination. The words "disproportionate response" and obsessive come to mind. I'll just back to pretending he doesn't exist and that I don't see what he writes. His style is pretty obvious so not hard to detect. I advise everyone else to do the same. Just pray that he doesn't resort to shooting up schools for attention.

    • by drinkypoo (153816)

      And someone wants to put Windows into ATMs and POS machines?! And people BUY them?!

      AFAIK Diebold is the largest US ATM manufacturer and they use Windows and, IIRC, used to use OS/2, so you can count on them picking the wrong OS next time, too.

      • by Anonymous Coward

        OS/2 had been a very popular and solid base for ATM and banking systems for over a decade before those systems migrated over to Windows.... Diebold may suck but using OS/2 back then was probably their best decision ever.

        • by drinkypoo (153816)

          OS/2 had been a very popular and solid base for ATM and banking systems for over a decade before those systems migrated over to Windows.... Diebold may suck but using OS/2 back then was probably their best decision ever.

          It would have been better to stick with DOS, because DOS is still here, and where is OS/2 now? Precisely where anyone could have predicted it would be. When it didn't succeed broadly by 2.1 you had to know it was going to fart around and eventually go away.

      • by erroneus (253617) on Sunday December 16, 2012 @10:11AM (#42306839) Homepage

        Quite familiar with Diebold ATMs. I spent a few years in the ATM industry, where I learned all kinds of things I was better off not knowing.

        The short here is that business people are invariably interested in rapid development and deployment. Those tools are most available under Windows. "Rapid development." Really? And rapid deployment too? Sounds like they would rather not bother with testing and QA.

        And using the internet as transport? Back in the day, they used POTS... some still do. (yeah... dialtone generators and devices that answer "yes" to every transaction... one of the first tools I was exposed to when "troubleshooting" an ATM.) It's beyond stupid. But that's the thing. Business does not understand technology and so they love to imagine that since THEY can't understand it, neither can those 'stupid criminals' so they're safe right? One of the biggest problems is these geniuses trust brand names more than people. Another is that they simply do not know what they do not know. You can try to tell them, but they just read it as an attack or an insult.

      • by drinkypoo (153816)

        what a waste of a trollmod, modtroll

  • unusual handle??? (Score:2, Interesting)

    by Anonymous Coward

    I'm serious, trace hgfrfv on the keyboard.... I swear I think the people who protect our country don't look for the stupidest things.

    r
    fgh
    v

    If it's not a penis, it's some other random punch.

    This submission is bull... WTF happened to Slashdot...

  • > Analysis of Dexter Malware Uncovers Mystery
    > Man, and Links To Zeus

    I'll bet it's Baby Bowler. It's gotta be Baby Bowler.

    Can't wait to see what she, Dexter, and Zeus do when teamed up!

  • So if I want to throw detectives off my trail, all I have to do is harvest a bunch of handles from 4chan, Slashdot and Fark to reuse? Good to know. Not that I'd do that, of course. Or use my enemy's handle. Hur hurr.
