Happy Holidays: Point of Sale Malware Campaigns Targeting Credit and Debit Cards

By: cwilson -

Inside Recent Point-of-Sale Malware Campaign Activities

Curt Wilson, Dave Loftus, Matt Bing

An active Point of Sale (PoS) compromise campaign designed to steal credit and debit card data using the Dexter and Project Hook malware has been detected. Indicators of compromise will be provided for mitigation and detection purposes. Prior to the publication of this Threat Intelligence document (embedded at the end of this post), members of the FS-ISAC, major Credit Card vendors and law enforcement were notified.

It appears that there are at least three distinct versions of Dexter:

  1. Stardust (looks to be an older version, perhaps version 1)
  2. Millenium (note spelling)
  3. Revelation (two observed malware samples; has the capability to use FTP to exfiltrate data)

In early November 2013, ASERT researchers discovered two servers hosting Dexter and other PoS malware, including Project Hook. The Dexter campaign looks more active, especially in the Eastern Hemisphere, and is therefore the main focus here. Dexter, first documented by Seculert in December 2012, is a Windows-based malware used to steal credit card data from PoS systems. The exact method of compromise is not currently known; however, PoS systems suffer from the same security challenges as any other Windows-based deployment. Network and host-based vulnerabilities (such as default or weak credentials accessible over Remote Desktop and open wireless networks that include a PoS machine), misuse, social engineering and physical access are likely candidates for infection. Additionally, potential brittleness and obvious criticality of PoS systems may be a factor in the reportedly slow patch deployment process on PoS machines, which increases risk. Smaller businesses are likely an easier target due to reduced security. While the attackers may receive less card data from smaller retailers, infections may be more numerous and last longer due to the lack of security reporting and security staff in such environments.

Figure 1: Dexter (Purple) and Project Hook (Orange) infections in the Eastern Hemisphere


Figure 2: Dexter (Purple) and Project Hook (Orange) infections in the western hemisphere


For the full document to include a list of various compromise indicators and information about the back-end infrastructure, please download the full public report -

Dexter and Project Hook Break the Bank

 

July 2009 Malicious Links: 14 Hotspots

By: Jose -

Inspired by a friend’s question of which CIDRs to block first, I went looking into our malicious URL database for July, 2009, data and dug for the top IPs and netblocks. This was pretty easy: what URLs did the malware we analyze go to, what were the IP addresses associated, and then process that list with “aguri” to discover trends and hot spots. Some of the results are malicious and run by abusers, some are abused networks that are run by otherwise responsible network admins. I’ve tried to describe what we’ve found in each of them and note that none of them are the next “McColo” or “RBN”, just the loving locations that malware phones home to.
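The aggregation step described above, as an added example (not code from the post, and a simplified stand-in for what aguri does, not aguri itself): prefixes holding less than a threshold share of all hits are folded into their parent until hot spots remain. The input counts are constructed and the 10% threshold is an assumption chosen to suit the small sample.

```python
import ipaddress
from collections import Counter

# Constructed observations (documentation/private ranges): address -> hits.
SAMPLE = {
    "198.51.100.7": 56,                      # one hot host
    "203.0.113.8": 4, "203.0.113.9": 4,      # four quiet neighbours that only
    "203.0.113.10": 4, "203.0.113.11": 4,    # stand out together, as a /30
    "172.16.5.5": 7, "172.20.1.1": 6,        # spread wider: they meet at a /13
    "10.1.1.1": 5, "10.200.0.9": 4,          # background noise
    "192.0.2.1": 3, "192.0.2.130": 3,
}

def hot_spots(hits, threshold=0.10):
    """Fold prefixes holding less than `threshold` of all hits into their
    parent, bottom-up, and return the prefixes that survive as rows of
    (prefix, own hits, own share %, subtree share %)."""
    total = sum(hits.values())
    floor = threshold * total
    level = Counter()                        # nodes at the current prefix length
    for ip, n in hits.items():
        level[int(ipaddress.IPv4Address(ip))] += n
    kept = []
    for plen in range(32, 0, -1):
        parent_mask = (0xFFFFFFFF << (33 - plen)) & 0xFFFFFFFF
        parents = Counter()
        for net, n in level.items():
            if n >= floor:                   # big enough to report on its own
                kept.append((ipaddress.IPv4Network((net, plen)), n))
            else:                            # too small: credit the parent
                parents[net & parent_mask] += n
        level = parents
    if level[0]:                             # what never reached the threshold
        kept.append((ipaddress.IPv4Network("0.0.0.0/0"), level[0]))
    rows = []
    for net, n in sorted(kept):
        subtree = sum(m for other, m in kept if other.subnet_of(net))
        rows.append((str(net), n, 100 * n / total, 100 * subtree / total))
    return rows

def render(rows):
    """Format rows the way the list in this post is written."""
    out = []
    for prefix, n, own, subtree in rows:
        if prefix.endswith("/32"):
            out.append(f"{prefix[:-3]} {n} ({own:.2f}%)")
        else:
            out.append(f"{prefix} {n} ({own:.2f}%/{subtree:.2f}%)")
    return out

if __name__ == "__main__":
    print("\n".join(render(hot_spots(SAMPLE))))
```

For a netblock, the first percentage is the block's own share and the second includes any more specific entries reported beneath it.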

The list below shows the IP or narrow CIDR blocks we found that popped out, together with the contributions (raw number of observations and percentage of overall activity seen for the month).

8.12.206.126 263 (1.09%)

Located in AS3356 (Level 3 Communications). Appears to be related to MSN hosting. Often contacted by what appear to be a lot of games and executables of dubious repute. We get a lot of Trojan horse programs in here, no surprise they piggyback on otherwise healthy networks.

60.173.8.0/21 661 (2.73%/2.73%)

AS4134, ChinaNet Backbone. Lots of malcode hosted here that we see, and the network is a victim of its own success. Downloaders, infostealers, etc. Been seeing a lot of downloaders phoning back here that install dozens (!) of pieces of malware in one shot all hosted on the same host.

64.34.228.126 311 (1.28%)

AS13678, Peer 1 Network. A lot of search hijack and toolbars associated with this IP. A lot of “hxxp://64.34.228.126/tba/p” in our database where we see stuff like this posted:

POST /tba/p HTTP/1.1
Content-Length: 269
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; 6.0.79.0; Windows NT 5.1)
Accept-Encoding: gzip
Host: ads.netbios-local.com
.
guid=2923514082588C8C84CB8C4B77FE87C3334E&version=86442206692A&clientid=696CD7897DEF73884430&time=AE5E7DD0AE33F9&idle=925089&locale=F94122913C22&session=B10B&activeWindows=E17B02&ticksBoot=AB363FD944633BEE&ticksAlive=336CA641989A53&installTime=0F0C26&launchCount=9E3962

66.220.17.154 647 (2.67%)

AS6939, Hurricane Electric. Lots of Swizzor related activity.

67.29.139.153 400 (1.65%)

AS3356, Level 3. Lots of FakeAV associated with this IP, such as this sample.

68.169.70.134 247 (1.02%)

AS23393, ISPrime. Seems to be associated with “Fake Alert” or “Renos” based on some Google searches and VTotal results for some samples.

78.108.0.0/14 281 (1.16%/1.16%)

Associated with Cutwail botnet activity, porn, and even Koobface activity. Spread over a few providers, but lumped into this /14.

94.75.207.219 293 (1.21%)

Coincident with 68.169.70.134 above, hosted in AS16265 LEASEWEB. Fake Alerts and such …

121.11.0.0/16 244 (1.01%/1.01%) and 121.12.0.0/16 438 (1.81%/1.81%)

Associated with AS4134, ChinaNet Backbone. Lots of malware in this space from random individuals.

195.2.253.240/30 328 (1.35%/2.41%)

AS12695, Digital Network JSC. Lots of malware in the family of Alureon associated with URLs in this small netblock.

209.84.29.126 273 (1.13%)

AS3356, Level 3. Looks similar to what we’re seeing on the IP 8.12.206.126 above.

209.205.196.16 286 (1.18%)

AS20228, Pacnet, S.A. de C.V. Lots of random malware, appears to be a free hosting provider in South America that kids are abusing.

216.240.157.91 305 (1.26%)

AS7796, ATMLink. More Renos and Fake Alert stuff associated with the malware we’re analyzing phoning back here.

218.149.84.0/25 251 (1.04%/1.04%)

AS4766, Korea Telecom. Lots of KwSearchGuide Adware associated with this netblock. Lots of EXEs, DLLs, and PHP scripts called here.

Things in 3FN

By: Jose -

I think by this time folks know about the FTC action against 3FN (Triple Fiber Network). Here’s some of the stuff we had tracked there over the years.

3fn_activity_timeline.png

Don’t expect spam to drop to record lows any time soon, but … well done by the FTC.

Classmates dot com Fast Flux Malware

By: Jose -

The Gozi infostealer is running around, this time using new domains and a new lure: a “video invitation from your classmates”. This has been going on all week, too. In an email purporting to be from Classmates.com, you’re told to go look at a web page and join up. To view the video you need to .. you guessed it, download a new Flash player. Don’t worry, they’ll help you out.

please_join_classmates.png

They insist, really!

please_download_adobe10_exe.png

If you don’t “click here” you’ll have it auto-loaded, so don’t worry.

saving_adobe10_exe.png

The domain in use for this past hour, christmasclasses.com, is fast fluxing. If you can, block the hosts via a DNS server or some similar filter.

Via the BFK passive DNS logger we can see one more domain:

ns1.peopleself.com	 A 	91.199.50.211
meeteingchristams.com	 NS 	ns1.peopleself.com
classmatesus.com	 NS 	ns1.peopleself.com

All worth axing.

The malcode you download, “AdobePlayer10.exe”, is a Gozi downloader (note that the MD5 may change):

MD5: ad2d90eb7c91a316e447358f9e6ed5e2
SHA1: 93d8f3af06bb3f80629bdae1abea4504e8f0eb83
File type: application/x-ms-dos-executable
File size: 3177 bytes

AV detection is fair (from VirusTotal). Same basic thing as the Obama malcode from last month:

  • downloads addons2.exe from a fast flux host using the domain name albertonixl.com.
  • sends the Gozi data to a host in AS44997, BTG transit route block.

Our friends at Secure Works have an excellent writeup on Gozi. This threat is not dead.

This BofA Demo Thing Got Big Fast

By: Jose -

The Obama spam and malcode gang is back at it with a new fast flux phishing and malcode ruse. This time it’s a demo from the Bank of America that requires the classic “Flash Upgrade”.

bofa_demo.png

At the peak I was seeing 400 unique URLs for this run an hour. The URLs were unique strings, possibly for tracking purposes or possibly to stress URL blacklists. But, when you look more closely you see they are just a handful of domain names. This is a lot like the Rock Phish of old.

Let’s have a look at the domains and their associated name server via the BFK passive DNS system:

onlineservices777.com	 NS 	ns1.directclieck.com
directclieck.com	 NS 	ns1.directclieck.com
ns1.directclieck.com	 A 	66.197.233.140
ns1.directclieck.com	 A 	208.77.98.103
ieenttio.com	 NS 	ns1.directclieck.com
inyans.com	 NS 	ns1.directclieck.com
frerins.com	 NS 	ns1.directclieck.com
neeunt.com	 NS 	ns1.directclieck.com

So, no more domains at present associated with these name servers.
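The name-server pivot used here and in the Classmates post, as an added example (not code from either post): starting from one known-bad domain, it finds every domain delegated to the same name server and renders DNS Response Policy Zone (RPZ) records for blocking. The rows are the passive DNS results quoted in the two posts; a resolver with RPZ support is an assumption, and the zone header and resolver configuration are not shown.

```python
import ipaddress
from collections import defaultdict

# Passive DNS rows as quoted in the Classmates and BofA posts.
PDNS = """
ns1.peopleself.com A 91.199.50.211
meeteingchristams.com NS ns1.peopleself.com
classmatesus.com NS ns1.peopleself.com
onlineservices777.com NS ns1.directclieck.com
directclieck.com NS ns1.directclieck.com
ns1.directclieck.com A 66.197.233.140
ns1.directclieck.com A 208.77.98.103
ieenttio.com NS ns1.directclieck.com
inyans.com NS ns1.directclieck.com
frerins.com NS ns1.directclieck.com
neeunt.com NS ns1.directclieck.com
"""

def parse(text):
    """Return (domain -> name servers, host -> A records)."""
    ns_of, a_of = defaultdict(set), defaultdict(set)
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue
        name, rtype, value = fields
        name, value = name.lower().rstrip("."), value.lower().rstrip(".")
        if rtype.upper() == "NS":
            ns_of[name].add(value)
        elif rtype.upper() == "A":
            a_of[name].add(value)
    return ns_of, a_of

def pivot(seed, ns_of, a_of):
    """From one known-bad domain, find its name servers, every domain
    delegated to them, and the name servers' addresses."""
    servers = set(ns_of.get(seed, ()))
    domains = {d for d, nss in ns_of.items() if nss & servers}
    ips = {ip for s in servers for ip in a_of.get(s, ())}
    return domains, servers, ips

def rpz_records(domains, servers, ips):
    """Render RPZ records that answer NXDOMAIN ("CNAME .")."""
    out = []
    for d in sorted(domains):
        out += [f"{d} CNAME .", f"*.{d} CNAME ."]
    # Name-server triggers also catch domains registered later, as long as
    # they reuse the same name server host or address. They overblock if the
    # name server also serves legitimate zones, so check that first.
    for s in sorted(servers):
        out.append(f"{s}.rpz-nsdname CNAME .")
    for ip in sorted(ips, key=ipaddress.IPv4Address):
        reversed_ip = ".".join(reversed(ip.split(".")))
        out.append(f"32.{reversed_ip}.rpz-nsip CNAME .")
    return out

if __name__ == "__main__":
    ns_of, a_of = parse(PDNS)
    print("\n".join(rpz_records(*pivot("inyans.com", ns_of, a_of))))
```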

The malcode download routine is very typical. If you don’t follow the lure, a meta-refresh will get ya.

bofa_demo_src.png

Nothing special here, just the usual crap. Here’s some of the info about one of the samples we saw here:

BASIC INFO:
-----------------------------------------------
FILE TYPE: 	application/x-ms-dos-executable
FILE SIZE: 	3225 bytes
PACKER/S:
FSG v2.0 -> bart/xt
-----------------------------------------------
.
CHECKSUMS:
-----------------------------------------------
MD5: 		2ef0de5993873f26529ac34012eb97d9
SHA1: 		4e9aa725fa887cf65d9f6d1cebbd0a13d48320ab
PEHash: 	a8c73378f9c4a2fb57a5658e09d69bbf4bae0998
-----------------------------------------------

.
A/V INFO:
-----------------------------------------------
SCANNER: VScanner                      VIRUS: Unknown, file is "suspicious"
SCANNER: AVG                           VIRUS: No virus found.
SCANNER: ClamAV                        VIRUS: Trojan.OnlineGames-1517
SCANNER: BDC                           VIRUS: No virus found.
-----------------------------------------------

The malcode is tiny, but downloads hxxp://silviocash.com/usp.exe, aka Paparus or Urlsnif. Driver file, rootkitted, and now the box will send info from IE (ie form data) to the hacker. Owned.

Gary Warner has a nice writeup on his blog worth reading.

Obama Spam Malcode Campaigns

By: Jose -

At least two different malcode campaigns are afoot using the Barack Obama victory in yesterday’s U.S. presidential elections as the theme. They entice you to visit a website and then, oops, you need to download something:

Obama Malcode Spam

Sure enough, that’s a Papras variant. An infostealer, uploads to the Ukraine. Rootkit included.

Some of the domains are using fast flux hosting:

lopbiuemis_com.png


Two, possibly three, different campaigns are afoot. Here are the URLs I’ve seen in my inbox spamtrap today, you can see that these are different styles of URLs suggesting different campaigns:

hxxp://selfservice.demystifying.sitesurvey.rr0nzLn8m.selfservice.customerlogin.1puTDHrOM.vcoenutrmsi.com/
president.htm?/productsremote/slapiservlet/OSL.htm?LOGIN=5RUnWrr0nz&VERIFY=Ln8mxN1puTDHrOM
hxxp://sitesurvey.memberverify.slapiservlet.MsjhYXouh.selfservice.memberverify.Vc5vE3oOC.lopbiuemis.com/
president.htm?/privatelogin/slapiservlet/OSL.htm?LOGIN=S5ZEoMsjhY&VERIFY=XouhveVc5vE3oOC
hxxp://comreportid.verifyonenet.portalserver.c91SJDrOw.slapiservlet.customerlogin.tlFqJUdfI.bfiinwach.com/
president.htm?/onlineupdate/memberverify/OSL.htm?LOGIN=K3IrVc91SJ&VERIFY=DrOwLutlFqJUdfI
hxxp://configlogin.onlineupdatemirror.sitesurvey.B7wAhptoO.securitychallenge.ptcontrol.8dBBSHuMF.wconlinenrue.com/
president.htm?/exacttrget/linkbrowse/OSL.htm?LOGIN=GwXLYB7wAh&VERIFY=ptoOqP8dBBSHuMF
hxxp://ynkkm.ideaever.com/
hxxp://glptiz.ideaever.com/
hxxp://xxbomm.ideaever.com/

And a Spanish-language campaign is afoot, too. Talk about piggy backing the news.

Around the net:

And many others.

Mega-D Botnet or Mega-Confusion?

By: Danny McPherson -

I read this slashdot article over the weekend and was a bit surprised that I hadn’t heard of this Mega-D botnet before. So, I reached out to a few colleagues of mine and asked if they’d heard anything of it – beyond the press release and a slew of obviously derivative works, all to no avail.

Apparently, this all originated with the folks at Marshal, and their TRACE team, and this press release, err…, or was it this press release, or an interview, or…? Anyway, the sexy bit for me wasn’t necessarily that they believe this Mega-D botnet now accounts for 32% of ALL spam, or even that Storm currently accounts for only 2% of spam — although I do consider these impressive and interest-invoking findings. Rather, most interesting were their assertions that the Storm botnet “seems to be passing”, and interviews speaking of “the Storm worm’s demise”, while an upstart Mega-D has already far-surpassed even Storm’s peak spam generating efforts.

So, the one reply I received from colleagues suggested that perhaps what they’re seeing is actually a partition of Storm, hence the common characteristics.

Note: A botnet partition is essentially a virtualized subset of botnet resources allocated to a ‘customer’ who then makes use of these resources for DDoS, spam, phishing, etc. We can think of a botnet partition as somewhat similar to an MVNO in the mobile phone world – essentially, a ‘branded’ operator who’s making use of another carrier’s underlying network infrastructure. So, at first blush, it appears that Mega-D may well be a Botnet Virtual Network Operator – or BVNO – a term coined by Roland Dobbins a short while ago.

This is yet another example of how the online criminal underground have adopted many of the business models and best practices of legitimate enterprises. If that’s the case, then this whole thing is more like saying the lettuce on the sandwich is larger than the lettuce AND the rest of the sandwich.

Lettuce Sandwich

I did reach out to the folks at TRACE, I’m hoping they can share some additional information on their findings. As much as I’d like to see clear skies and the demise of Storm, I suspect it’s not keeling over any time soon. And, as even the TRACE folks suggest, if Storm were indeed ready to pass, there are a slew of anxious beta bots ready to take the alpha helm.

Information Security and NFL Espionage

By: Danny McPherson -

In late January 2007 several NFL-related web sites were hacked, to include www.dolphinsstadium.com and www.miamidolphins.com. Considering the Miami Dolphins stadium was about to host the NFL’s biggest game of the year, Superbowl XLI, this seemed a reasonable enough target. The sites were modified to serve malicious JavaScript code that would compromise victims’ computers, providing a good dose of nastiness to vulnerable clients. Some additional details on the incident are available in this Websense alert.

Over the past several weeks, just as the 2007-08 NFL regular season comes into full swing, the contents of email boxes everywhere have shifted from being bombarded with e-card Storm malware spam, to yet another NFL-driven social engineering vector, as outlined by our friends at TrendLabs. And, of course, given that this is employing social engineering vectors, a slightly more inviting version of the spammed malware email has been introduced. In the latter edition, the involved miscreants have got themselves an actual domain name in the included link, rather than an IP address, and replaced most of the text with some nifty graphics, raising the bar from quite obviously malicious to just obviously malicious. Both messages profess to provide unsuspecting users a free game tracking system.

As if this weren’t enough, now fans are being duped by coaches and players themselves. One of many recent events involves Coach Bill Belichick and his New England Patriots, who last week were punished by the NFL for illegally videotaping defensive signals of their competitors. Now, clearly, they’re not the only ones that have done this, but they are the first to get caught. With the Patriots often being touted as the NFL’s model team, it was sure to disappoint.

And, as you might expect, such behavior is typically followed by considerable additional scrutiny. For example, as discussed here, last season the Green Bay Packers “had issues with a man wearing Patriots credentials who was carrying a video camera on their sideline” and “There also are questions regarding the Patriots’ use of radio frequencies during the game”. There were even reports of untimely audio problems experienced by competing teams, problems that just may have been masterminded by the Patriots.

If the Patriots were able to decode the defensive signals real-time and relay match-ups to their offensive squad on the field via helmet communications systems, surely they’d be capable of adjusting to mismatches and afforded a huge competitive advantage. Else, perhaps at half-time they could train Patriots’ quarterback Tom Brady and team to read the signals themselves, detecting blitzes and the like and adjusting by calling audibles to accommodate.

Interestingly enough, radio communications for defensive signal calling has been voted down again, to include just last year. Now, one might think that if it were approved that this wouldn’t have happened; i.e., filming of competing teams wouldn’t yield defensive signals. Well, perhaps that is the case. Or, perhaps lip readers and body language experts would then be put to use. Or RF interception, or taps or other communications snooping mechanisms, all of which would occur even further behind the scenes.

If I heard the commentators correctly (the television was on in the other room), this evening during the New England/San Diego game the NFL purportedly had scanning gear looking for “stray signals” (whatever those are) and the NY Jets were planning to file something with the league regarding the Patriots having their defensive players miked during earlier games.

The Patriots’ code interception incident got me thinking: If the Denver Broncos are looking for a CISO (or a new field goal kicker), I’m local, so no relocation required. And, well, after today, it’s obvious they’re not spying on anyone.

When Spambots Attack — Each Other!

By: Danny McPherson -

So, you’ve read plenty about when botnets attack. You’ve also seen plenty about when spambots attack, though it’s usually only in the form of spam email flooding in the course of spambot offspring performing the functions for which their creator intended. There’s even been plenty of press about when Botnets Battle Over Turf, attacking each other. So, let’s delve into one example of why that is, and take a terse look at one such set of attacks.

Over the past two days we’ve seen a reasonably large number of attacks in ATLAS that exhibit a common target set, and appear to be traceable to bot on bot attacks, or more interestingly, attacks targeting competitive bot building infrastructure. Based on the data, one might surmise that some of the Storm bot herding folk appear to be perturbed with their MPack brethren automating uninstalls of competitive root kits on compromised assets, in particular that of wincom32.sys (employed by the Storm Worm). A nice explanation of the host-level attributes of these rootkits as it relates to this post is available from the Symantec folks here.

According to Symantec, Trojan.Srizbi, after compromising a host and doing a few nifty things, attempts to connect to URLs on abr.srizhopa.biz or bu.srizhopa.biz in order to download a zip file that contains configuration files to send spam. Given this, if you’re a bot herder and MPack activity as of late has been depressing your bot herds, you might look at this and say, “Hrmm.. You know, if I were to take those srizhopa.biz hosts offline, I might just be able to buy myself some time to tighten things up from an operations perspective, and perhaps even come up with a longer-term plan to counter MPack’s unwarranted virulence”.

So, what next… Well, easy enough, let’s just look up the IP addresses of abr.srizhopa.biz and bu.srizhopa.biz and have our bots attack them. So, what’d some of this attack traffic look like? Let’s have a gander.

Note: When I first looked at this both these hostnames were mapped to a single IP address, 208.72.168.131, the other targets were correlated via looking at attack flows directed at more than one target.

Over the past 48 hours we saw 85 discrete attacks directed towards three IP addresses that appeared in some way associated with these spambot wars. Attack counts and targets are as follows:

Attacks    Target IP Address
41         208.72.168.131/32
32         208.72.168.50/32
12         208.66.194.151/32

All of these attacks were ICMP Ping Floods (40-byte ICMP Echo request packets). The maximum packet per second (pps) from any of these attacks was 91.09 Kpps, the maximum bits per second (bps) from any of these attacks was 43.73 Mbps. Summing the totals of the max_pps and max_bps from each of the attacks in order to quantify their effective scale yields an aggregate max_bps of 1.194 Gbps, and max_pps of 2.484 Mpps. That’s more than enough attack traffic to cause pain for most targets, with a likely result of negative impact to some innocent bystanders as well (aka. collateral damage).
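The correlation and totals described above, as an added example (not code or data from the post): attacks are narrowed to 40-byte ICMP Echo Request floods, targets are linked when largely the same sources hit them, and the per-attack maxima are summed. The records, addresses and rates are constructed, and the 50% source-overlap cut-off is an assumption.

```python
from collections import defaultdict

# Constructed attack records (documentation addresses, invented rates):
# target, protocol, ICMP type, packet bytes, max pps, max bps, source addresses
ATTACKS = [
    ("192.0.2.10", "icmp", 8, 40, 90_000, 43_000_000,
     {"198.51.100.1", "198.51.100.2", "198.51.100.3"}),
    ("192.0.2.10", "icmp", 8, 40, 30_000, 14_000_000,
     {"198.51.100.2", "198.51.100.3", "198.51.100.4"}),
    ("192.0.2.20", "icmp", 8, 40, 50_000, 24_000_000,
     {"198.51.100.1", "198.51.100.3", "198.51.100.4"}),
    ("203.0.113.9", "icmp", 8, 40, 10_000, 5_000_000, {"198.51.100.77"}),
    ("192.0.2.20", "udp", None, 512, 20_000, 80_000_000, {"198.51.100.200"}),
]

def ping_flood_summary(attacks):
    """Per target: attack count, summed max pps/bps and the union of sources,
    counting only 40-byte ICMP Echo Request (type 8) floods."""
    summary = defaultdict(lambda: {"attacks": 0, "pps": 0, "bps": 0, "sources": set()})
    for target, proto, icmp_type, size, pps, bps, sources in attacks:
        if (proto, icmp_type, size) != ("icmp", 8, 40):
            continue
        entry = summary[target]
        entry["attacks"] += 1
        entry["pps"] += pps
        entry["bps"] += bps
        entry["sources"] |= sources
    return dict(summary)

def related_targets(summary, seed, min_overlap=0.5):
    """Targets hit by largely the same sources as `seed` (Jaccard overlap).
    Only meaningful when sources are stable, i.e. not spoofed."""
    base = summary[seed]["sources"]
    related = []
    for target, entry in summary.items():
        if target == seed:
            continue
        overlap = len(base & entry["sources"]) / len(base | entry["sources"])
        if overlap >= min_overlap:
            related.append(target)
    return sorted(related)

def aggregate(summary, targets):
    """Sum of the per-attack maxima across a set of targets: (pps, bps)."""
    return (sum(summary[t]["pps"] for t in targets),
            sum(summary[t]["bps"] for t in targets))

if __name__ == "__main__":
    s = ping_flood_summary(ATTACKS)
    group = ["192.0.2.10"] + related_targets(s, "192.0.2.10")
    print(group, aggregate(s, group))
```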

These attacks don’t appear to be spoofed as they exhibit relatively fixed source address sets. They could be easily mitigated by filtering on ICMP Echo Request packets towards the targets, but given the number of attacking sources and the scale of the attacks, such filtering policy would likely need to be implemented well upstream from the targets themselves. In addition, source-based filters are likely implausible in most hardware today, given the large base of unique attack sources observed across the aggregate attack set. So, dropping all ICMP Echo Requests (if possible) towards the targets is the most likely mitigation technique, but could have negative side effects of breaking Ping-based diagnostics tools. The attacks would perhaps be a bit more effective if they weren’t scoped to 40-byte packets, though larger packets would allow for additional attack flow discrimination, enabling more granularity on the mitigation front.

Of course, given that these are bots attacking malware distribution sites, I suspect the miscreants involved on the receiving end of this particular incident aren’t overly keen about talking to their ISPs regarding possible subscription to DDoS mitigation services.

When correlating target data I saw another 15 attacks towards 208.66.194.155 from January 29-30, 2007. These were ICMP Ping flooding attacks as well, and quite likely related to a similar feud.

If you’re wondering, that domain that was hosting the malware distribution sites, srizhopa.biz, is registered to one “johhnie walker” of “19 avenue drive, New York, 02002”, with, as you may have guessed, bogus phone numbers, zip codes, etc.

The good news is that the existence of the srizhopa.biz domain seems to have disappeared completely from DNS over the past day or so, which for the attackers is even more effective than flooding them with attack traffic. For the target, they’ve likely just moved on.

So there you have it, another edition of spamwars and THEIR impact on OUR assets.

AV, how cam’st thou in this pickle?

By: Danny McPherson -

While I’ve seen and heard random spatterings about why AV isn’t effective, or analyst reports from the likes of Yankee declaring “AV is Dead”, there’s been very little qualitative or quantitative study on precisely why. Well, beyond the endless flurry of new malware families and subsequent offspring, that is. As such, I find myself borrowing from Shakespeare’s The Tempest, and asking: “AV: how cam’st thou in the pickle?”

That’s why I’m pleased some of my colleagues at Arbor, with some co-collaborators at the University of Michigan, published Automated Classification and Analysis of Internet Malware (pdf).

There are basically three main issues with AV in the report:

    • completeness – AV does not provide a complete categorization of the datasets, with AV failing to provide labels for 20 to 62 percent of the malware samples examined in the study
    • consistency – when labels are provided, malware is inconsistently classified across families and variants within a single naming convention, as well as across multiple vendors and conventions
    • conciseness – AV systems provide either too little or far too much information about a specific piece of malware

The authors go on to demonstrate how what something does is more important than what you call it (i.e., behaviors are better than labels). By observing state changes associated with files modified, processes created and network connections, a behavioral fingerprint can be generated for the malware. From there, grouping based on these fingerprints can provide some meaningful output and actionable information.

It’s definitely worth the read…
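Grouping by behaviour instead of by label, as an added example (not code or data from the paper or this post): each sample's file, process and network state changes become a fingerprint, and samples whose fingerprints overlap are clustered. The sandbox observations and AV labels are constructed; Jaccard similarity with single-linkage grouping and the 0.7 cut-off are choices made for this sketch, since the post does not say how the paper measures similarity.

```python
import re
from itertools import combinations

# Constructed sandbox observations: (AV label or None, state changes seen).
REPORTS = {
    "sample1": ("Trojan.Downloader", [
        r"file:C:\WINDOWS\Temp\upd4821.exe", "proc:upd4821.exe",
        r"file:C:\WINDOWS\system32\drivers\hid.sys", "net:tcp/80"]),
    "sample2": (None, [
        r"file:C:\WINDOWS\Temp\upd9077.exe", "proc:upd9077.exe",
        r"file:C:\WINDOWS\system32\drivers\hid.sys", "net:tcp/80"]),
    "sample3": ("W32/Agent", [
        r"file:C:\WINDOWS\Temp\upd1350.exe", "proc:upd1350.exe",
        r"file:C:\WINDOWS\system32\drivers\hid.sys", "net:tcp/80", "net:tcp/443"]),
    "sample4": ("Trojan.Downloader", [
        r"file:C:\WINDOWS\system32\mailer.dll", "proc:rundll32.exe", "net:tcp/25"]),
    "sample5": (None, [
        r"file:C:\WINDOWS\system32\mailer.dll", "proc:rundll32.exe",
        "net:tcp/25", "net:udp/53"]),
}

def fingerprint(events):
    """Set of state changes with per-run noise (long digit runs in file and
    process names) normalised away; network events are kept as they are."""
    out = set()
    for event in events:
        event = event.lower()
        if not event.startswith("net:"):
            event = re.sub(r"\d{3,}", "#", event)
        out.add(event)
    return frozenset(out)

def jaccard(a, b):
    return len(a & b) / len(a | b) if a | b else 1.0

def cluster(reports, min_similarity=0.7):
    """Single-linkage grouping: samples join a cluster when their fingerprint
    is similar enough to any member. Returns sorted lists of sample names."""
    prints = {name: fingerprint(events) for name, (_, events) in reports.items()}
    parent = {name: name for name in prints}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for a, b in combinations(prints, 2):
        if jaccard(prints[a], prints[b]) >= min_similarity:
            parent[find(a)] = find(b)
    groups = {}
    for name in prints:
        groups.setdefault(find(name), []).append(name)
    return sorted(sorted(g) for g in groups.values())

def labels_per_cluster(reports, clusters):
    """AV labels seen inside each behavioural cluster."""
    return [sorted({reports[n][0] or "(unlabelled)" for n in g}) for g in clusters]

if __name__ == "__main__":
    groups = cluster(REPORTS)
    for members, labels in zip(groups, labels_per_cluster(REPORTS, groups)):
        print(members, labels)
```

In the constructed data one behavioural cluster carries two different labels plus an unlabelled sample, and the same label appears in both clusters, which is the completeness and consistency problem listed above.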
