Analysis of Dexter Malware Uncovers Mystery Man, and Links To Zeus 119
chicksdaddy writes "The newly discovered Dexter malware is one of the few examples of a malicious program that targets point of sale terminals, but also communicates, botnet-like, with a command and control infrastructure. According to an analysis by Seculert, the custom malware has infected 'hundreds POS systems' including those operated by 'big-name retailers, hotels, restaurants and even private parking providers.' Now a detailed analysis by Verizon's RISK team suggests that Dexter may be a creation of a group responsible for the ubiquitous Zeus banking Trojan. By analyzing early variants of Dexter discovered in the wild, Verizon determined that the IP addresses used for Dexter's command and control were also used to host Zeus-related domains and several domains for Vobfus, also known as 'the porn worm,' which has been used to deliver the Zeus malware. Verizon also produced some tantalizing clues as to the identity of one individual who may be a part of the crew responsible for the malware. The RISK team linked the domain registration for a Dexter C&C server to an unusual online handle, 'hgfrfv,' that was used to post a number of suggestive help requests ('need help with decrypting a table encrypted with EncryptByKey') in online technical forums, where a live.com e-mail address was also provided. The account name was also linked to a shell account on the outsourcing web site freelancer.com, which lists 'hgfrfv' as an individual residing in the Russian Federation."
POS Termials (Score:3, Interesting)
You can keep your own systems safe, and even use one-off CC#'s for online purchases, but you can't verify that retailers' POS equipment is clean (you'll probably be tossed out of the store just for asking). When in public use cash. Lets just hope you can trust the ATM's that you use.
Look for the Windows start button (Score:2, Interesting)
Just look for the Windows icon in the bottom let corner of any of the running terminals. When they're using these POS POS machines, it's invariably the Windows ones that are the problem. They're typically Windows Embedded, but nobody ever turned off all the parts because of the dependencies.
So you'll see it's just a cheap PC, running an old version of Windows, connected across the stores crappy unsecure Wifi which probably talks to the software vendor across the open internet.
So, if you see the Windows logo
Re: (Score:2)
Just look for the Windows icon in the bottom let corner of any of the running terminals. When they're using these POS POS machines, it's invariably the Windows ones that are the problem.
In the recent Barnes & Noble POS attack, the actual hardware was compromised. No word on what OS was behind it, though.
Re: (Score:2)
So you'll see it's just a cheap PC, running an old version of Windows, connected across the stores crappy unsecure Wifi which probably talks to the software vendor across the open internet.
That is absolutely not possible. They're PCI certified!
Re: (Score:2)
Meh. Call me when they're PCI Express certified.
Re: (Score:2)
Re: (Score:1)
No, you cannot. I've lost count of how many times my cards have been skimmed and defrauded in various ways. Luckily, I have not taken any loss myself, but it is still a hassle to report, renew the cards, etc.
If you are really paranoid about these things, you'll have to use cash as you said, but go inside the bank to withdraw your money. On a regular basis, that's probably even more hassle, and also puts you at risk of being mugged.
As always, sec
Re: (Score:3)
Re: (Score:2)
I remember the days when POS terminals were a glorified calculator. Making them out of cheap PCs did not make anything better.
Re: (Score:3)
So... the big problem is that someone will capture your credit card number?
I don't know, but I don't think that's exactly a good hack - after all, you're legally protected if someone uses your credit card without your authorizat
Question: How do get my employer aware? (Score:1)
So I work at a large grocery store. How do I get my IT department up to date on this issue?. We have been compromised in the past and I have been noticing some strange things showing up on my terminals.
Re:Question: How do get my employer aware? (Score:5, Interesting)
So I work at a large grocery store. How do I get my IT department up to date on this issue?. We have been compromised in the past and I have been noticing some strange things showing up on my terminals.
If your IT department isn't already on top of it, you have much bigger problems.
Re: (Score:2)
Lcreation what's that?
It's a hold over from that horrible Hungarian Notation that Win32 coders are famously stuck with (hint: Win32 is still used on 64bit systems, 32 apparently means "not 16 bit").
Careful not to confuse the L prefix here with Long; In this context it means Local.
When will they ever learn?! (Score:1, Troll)
Using Windows for anything that requires security is just stupid!
Putting a Windows server on the internet is a generally accepted "bad idea." Putting a Windows machine onto the internet without being crippled with anti-ware and a multitude of filters is a "bad idea" which invariably still leads to compromises because anti-ware and filters will never be enough.
And someone wants to put Windows into ATMs and POS machines?! And people BUY them?!
"I don't want to live on this planet any more."
When will YOU ever learn, troll? (Score:3, Informative)
Current history shows Linux doesn't do so well in that role (small wonder you were down modded as a troll erroneous ):
2012:
New Linux Rootkit Emerges:
https://threatpost.com/en_us/blogs/new-linux-rootkit-emerges-112012 [threatpost.com]
"A new Linux rootkit has emerged and researchers who have analyzed its code and operation say that the malware appears to be a custom-written tool designed to inject iframes into Web sites and drive traffic to malicious sites for drive-by download attacks. The rootkit is designed specifically fo
Re:When will YOU ever learn, troll? (Score:4, Insightful)
I think what you are seeing is web-applications hosted on Linux being hacked. Apache and MySQL run on Windows too although the WAMP stack is harder to keep updated than the LAMP stack.
But I don't disagree with you. Hosting applications on Linux does not make them ecure. It takes a lot of time and energy. The same is true for Windows. The iframe-injecting kernel module that you linked to is really quite interesting.
Where the rubber meets the road, I think Linux and BSD still win in performance, security and manageability, but you are correct, the margins are a lot slimmer. Windows Server 2008 is not Windows 95 or XP.
Re: (Score:2)
Hosting applications on Linux does not make them ecure. It takes a lot of time and energy. The same is true for Windows.
Thank you. I'm a unix guy, and have been using Linux since kernel 0.97. And I hate when people say thing like that, implying that just because it is in Linux, it is secure. It is not, and it takes a lot of work and knowledge to make any computer, running any OS, secure.
The different is that Linux will help you, while Windows will hinder your efforts.
Re:How's Windows "hinder your efforts"? (Score:4, Insightful)
Lemme guess...this morning you found a Dunkin Donuts "Buy 1 coffee get 10 free" coupon? ;)
Re: (Score:2)
And you're obviously apk trying (and doing a REALLY poor job) to pretend that you're somebody else that's agreeing with apk.
That's why you never log in, isn't it? Because it would be blatantly obvious if you accidentally posted a "APK asked you a question which you ran away from, STUPID TROLL!" comment under your apk account.
You think this way makes it impossible to tell, but there's only one poster on /. that has your arrogant, abusive posting style, so it's pretty obvious that you're apk, and you're atte
Re: (Score:2)
I did, right here -> http://slashdot.org/comments.pl?sid=3319303&cid=42307263 [slashdot.org] Now, read the subject-line of YOUR POST NOW, you illiterate ignoramus! What post is PARENT to yours & gave it its subject-line?? Mine/that very one!
You really have trouble following a thread, don't you?
The parent post to mine was not your question. It didn't even claim to be you, although, I think it was yours; you just didn't put your name on it, as you wanted it to appear to be someone else who was supporting your asinine arguments.
The post I responded to was this:
The meaning's explicit directed at poster apk replied to. Obviously a question. You're obviously stupid or trolling.
from here:
http://slashdot.org/comments.pl?sid=3319303&cid=42308455 [slashdot.org]
Do you see your name at the end of that post? I don't. I'm pretty sure nobody else does, either. Well...maybe you
Re: (Score:2)
You're replying to an AC. How would you know APK asked that question of him?
Speaking of which...I love how EVERY single post that backs up APK by pointing out "avoided questions" that people didn't answer, is posted by an AC,just like APK himself.
Here's a hint, APK: Just because somevody didn't answer your "question" doesn't mean they're avoiding it. Maybe it's just such a stupid, rambling question that it doesn't deserve an answer, or it's so fscking obvious to those of us *without* extreme ADHD that the
Re: (Score:2)
I didn't run.
If you can wrap your brain around reality for a few minutes, you'll notice that slashdot locks discussions, preventing any new replies after the story's been posted for a few weeks. Not exactly sure how long it is, but it's not forever.
When I went back to read your delusional response to my last post, the discussion was locked, and I couldn't reply.
But that would interfere with your delusions of grandeur, so you'd never admit to it, even if you knew that happened.
Interestingly, nobody else see
Re: (Score:2)
Unless APK's/your questions are directed at the entire world (which, given his/your level of delusion, wouldn't surprise me) then who asked the question is completely irrelevant. It's who it was asked *of* that matters, as that was what Mr. AC-defender-of-APK stated.
Re: (Score:2)
That's a post by an AC, claiming to be APK. That's not somebody defending APK with a logged in account.
Maybe you need to learn to read, rather than me....
Re: (Score:2)
Really? You're still going on about an argument you lost badly nearly a year an a half ago?
Since you keep harping on this insistence that you didn't say something you blatantly did, here are your exact words:
P.S.=> Besides, there isn't a botnet (or even ROOTKIT) I can't deal with effectively for removal anyhow - & I don't use the same tools others do...
Well, @ first I do, & when those fail? Out come the "big guns" in Process Explorer & Recovery Console - & there's nothing I can't "dust" between them... ... apk
They're from this post:
http://it.slashdot.org/comments.pl?sid=2282088&cid=36618008 [slashdot.org]
You directly say you use Process Explorer to get rid of rootkits when other tools fail. It's not even implied. You said it, outright. Maybe you didn't mean it (although I think you did, because instead of clarifyin
Re: (Score:2)
Oh...I see what you're doing now:
You're changing your claim as to what the debate was about, so in your delusional little world, it looks like you won.
I never said the "indestructible rootkit" was actually indestructible, so claiming that I was wrong when I did is simply a straw man. That's not winning an argument; that's being a douche, which I believe I may have called you at some point.
My problem with your randomly capitalized, scatterbrained posts is that you claimed rootkits (not this particular rootk
Re: (Score:2)
"I didn't run." - by cbiltcliffe (186293) on Thursday December 20, @08:55PM (#42355183) Homepage
This proves QUITE otherwise -> http://slashdot.org/comments.pl?sid=3319303&cid=42360301 [slashdot.org]
Really? How does that "prove" anything, other than you do a lot of acid before you post?
Your barely coherent ramblings cannot possibly prove or disprove anything that goes on outside your own little reality distortion field.
Explain it to the rest of us: How does that post of yours prove that I "ran?"
Don't get into all sorts of other irrelevant, unrelated crap, just answer that simple question.
Re: (Score:2)
I stand corrected, it wasn't coffee. It must have been a coupon for Steve's Hand-Crafted Meth Emporium.
Re:How's Windows "hinder your efforts"? (Score:4, Insightful)
Re: (Score:2)
Hosting applications on Linux does not make them ecure.
It depends on the application. For instance: If you've got a bad case of the MS vendor-lock-in, then the option of hosting on Linux may very well be an eCure.
Re: (Score:2)
Two problems:
1. You just responded to APK. I am really and truly sorry for what happens to people who respond to APK. His paranoid imagination and school-boy level of maturity does not allow him to understand that people simply don't care what he has to say. It is always a fight to him... most often to some imaginary form of death.
2. Yes. Linux can be insecure. But it actually takes work to MAKE it insecure these days. Have you ever wrestled with SELinux? It's on by default in most current Linux dist
Re: (Score:2)
OMFG :) Do you see what this guy does?! He goes absolutely nuts with commentary as if people live on slashdot and do nothing else! It's beyond imagination. The words "disproportionate response" and obsessive come to mind. I'll just back to pretending he doesn't exist and that I don't see what he writes. His style is pretty obvious so not hard to detect. I advise everyone else to do the same. Just pray that he doesn't resort to shooting up schools for attention.
Re: (Score:1)
And someone wants to put Windows into ATMs and POS machines?! And people BUY them?!
AFAIK Diebold is the largest US ATM manufacturer ATM and they use Windows and, IIRC, used to use OS/2 so you can count on them picking the wrong OS next time, too.
Re: (Score:1)
OS/2 had been a very popular and solid base for ATM and banking systems for over a decade before those systems migrated over to Windows.... Diebold may suck but using OS/2 back then was probably their best decision ever.
Re: (Score:2)
OS/2 had been a very popular and solid base for ATM and banking systems for over a decade before those systems migrated over to Windows.... Diebold may suck but using OS/2 back then was probably their best decision ever.
It would have been better to stick with DOS, because DOS is still here, and where is OS/2 now? Precisely where anyone could have predicted it would be. When it didn't succeed broadly by 2.1 you had to know it was going to fart around and eventually go away.
Re:When will they ever learn?! (Score:5, Insightful)
Quite familiar with Diebold ATMs. I spent a few of years in the ATM industry where I learned all kinds of things I was better off not knowing.
The short here is that business people are invariably interested in rapid development and deployment. Those tools are most available under Windows. "Rapid development." Really? And rapid deployment too? Sounds like they would rather not bother with testing and QA.
And using the internet as transport? Back in the day, they used POTS... some still do. (yeah... dialtone generators and devices that answer "yes" to every transaction... one of the first tools I was exposed to when "troubleshooting" an ATM.) It's beyond stupid. But that's the thing. Business does not understand technology and so they love to imagine that since THEY can't understand it, neither can those 'stupid criminals' so they're safe right? One of the biggest problems is these geniuses trust brand names more than people. Another is that they simply do not know what they do not know. You can try to tell them, but they just read it as an attack or an insult.
wow (Score:2)
what a waste of a trollmod, modtroll
unusual handle??? (Score:2, Interesting)
im seroius trace hgfrfv on the keyboard.... i swear i think the people who protect our country dont look for the stupidest things.
r
fgh
v
if its not a penis its some other random punch.
this submission is bull... wtf happened to slashdot...
God this is a stupid post (Score:1)
> Analysis of Dexter Malware Uncovers Mystery
> Man, and Links To Zeus
I'll bet it's Baby Bowler. It's gotta be Baby Bowler.
Can't wait to see what she, Dexter, and Zeus do when teamed up!
Dexter malware (Score:1)
Source: http://blog.seculert.com/2012/12/dexter-draining-blood-out-of-point-of.html [seculert.com]
Linked online handles (Score:2)