Dexter Trojan Detected in Online Banking Transactions - A Case Study
Source: http://gadgets.ndtv.com/internet/news/dexter-trojan-affecting-pos-terminals-in-india-steals-card-information-473573?pfrom=home-otherstories

Copyright by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

Cyber-security sleuths have detected a "black" private information stealing trojan in the Indian online banking transactions space, and have alerted consumers who swipe debit or credit cards at shopping counters to make payments.

"The common infection vectors for PoS system malware include phishing emails or social engineering techniques to deliver the malware, use of default or weak credentials, unauthorized access, open wireless networks, along with methods of installing malware as part of a service," said a recent advisory issued to the public by the Computer Emergency Response Team (CERT-India).

The trojan, named "Dexter, black PoS, memory dump and grabber", can take on seven aliases when infecting a system and once it has succeeded in breaching the security controls of a PoS terminal.

Point of Sale (PoS) counters were placed at retail terminals after the RBI made it mandatory, in December 2014, for debit card holders to enter their PIN every time they make a purchase.

Modern point-of-sale devices are quite complex. Apart from simply selling stuff (and doing refunds) they may include inventory management, warehousing, financials and so forth.

Such devices actively use networking and cloud computing, and some are even organized as Software-as-a-Service (SaaS). This brings a number of information security risks to the POS infrastructure.

One of the major problems is bank card information leakage. Standards require the data to be encrypted when stored on a hard drive or transmitted over the network, but it may be completely unprotected in the volatile memory of the process working with it. Furthermore, it may remain in RAM for some time after card data processing has finished. This gives cybercriminals an opportunity to steal the data by searching through the RAM of a POS machine.

BANKING
There are many types of bank cards: credit cards, debit cards, gift cards, etc. Modern cards have magnetic stripes or chips that store the card data, which includes the security code and the bank account number.

The data formats used on bank cards are defined by the ISO/IEC 7813 and 7816 standards. Our observations show that attackers build their search algorithms in accordance with these documents.
General Overview and Dataset

POS malware is organized like other trojans, except that the malicious activity it performs is narrowed down to searching for bank card data in the RAM of running processes.

Apart from the common malware activities (such as covert launch, anti-forensics, and contacting malicious servers or C&C), a scraper's workflow includes two essential steps:
1. Process enumeration and memory dumping: enumerating the processes of interest and reading their memory into a buffer or dumping it to a file.
2. Bank card data search: iterating through the buffered/dumped memory looking for card information.

The list below shows the samples (and their MD5 hash sums) that were analyzed in this research. Since there is no standard for malware names, we list several vendors' names for each.
c43f1be5e71c3cde5f04d4954ab29788 - TrojanSpy:Win32/Alinaos.E (Microsoft), Win32/Spy.POSCardStealer.D (ESET)
6f0de63e7831c715e1bff9556777ea55 - Backdoor:Win32/Hesetox.A (Microsoft), Infostealer.Vskim (Symantec), Win32/Spy.POSCardStealer.K (ESET)
2d48e927cdf97413523e315ed00c90ab - PWS:Win32/Dexter (Microsoft), Win32/Poxters.A (ESET)
b4f28e51ec62712951ee6292936768c8 - Memory dumper from the Visa report
100b5329e32dc033eb5e0523dedf4009 - Infostealer.Bancos (Symantec), a variant of Win32/Spy.POSCardStealer.A (ESET)
7f9cdc380eeed16eaab3e48d59f271aa - TrojanSpy:Win32/Pocardler.A (Microsoft), Infostealer.Reedum (Symantec), Win32/Spy.POSCardStealer.N (ESET)
Process Enumeration and Dumping

Processes to dump from: sslwg, visad, micros.ssf.service, capms, pms, ccs, microsmux, visatcp

Blacklisted processes: explorer, chrome, firefox, iexplore, svchost, smss, crss, wininit, steam, devenv, thunderbird, skype, pidgin, System, winlogon, services, lsass, spoolsv, wcntfy, alg, mscorsvw, ctfmon.

For each selected process, every scraper in our collection does the same thing: it calls VirtualQuery and then ReadProcessMemory to dump the process memory into a buffer or file.

Figure: process blacklist implemented as an if/else sequence

Figure: process blacklist implemented as a global array

Bank Card Data Search


The most challenging part of a RAM scraper is the search algorithm. In a nutshell, PoS RAM scrapers steal payment data - such as credit card track one and track two data - from the RAM of PoS systems. The payment card industry has a set of data security standards known as PCI-DSS. These standards require end-to-end encryption of sensitive payment data when it is transmitted, received or stored.

This payment data is decrypted in the PoS's RAM for processing, and the RAM is where the scraper strikes. Using regular expression searches, scrapers harvest the clear-text payment data and send it to rogue call-home servers.

The simplest search algorithm was implemented in Dexter. It looks for the '=' character and then checks the 16 bytes before it and the 20 bytes after it. If all of those bytes are ASCII or Unicode digits, the 16-byte sequence (presumably a card number) is checked with the Luhn algorithm, which is widely used to verify the correctness of bank card numbers. Here is the implementation of the Luhn algorithm in the Dexter sample.
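The search just described, reimplemented here as an added example (this is not Dexter's code and not from the original slides) so a defender can run the same check over a memory dump of their own PoS test process and confirm that decrypted track data does not linger in RAM; the sample buffer, the test PAN and the masked report format are constructed for the example, and reading "16 bytes before / 20 after" as character counts in the UTF-16 case is our assumption:

```python
def luhn_ok(digits):
    """Luhn (mod 10) check, the same test Dexter applies to the 16-digit run before '='."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ord(ch) - ord("0")
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def dexter_style_scan(buf):
    """For every '=' in buf, check 16 digits before and 20 after it, in ASCII and in
    UTF-16LE ("Unicode digits"); return (offset, PAN, encoding) for Luhn-valid hits.
    Reading 16/20 as character counts in the UTF-16 case is our assumption."""
    hits = []
    for enc, width in (("ascii", 1), ("utf-16le", 2)):
        sep = "=".encode(enc)
        pos = buf.find(sep)
        while pos >= 0:
            lo, hi = pos - 16 * width, pos + len(sep) + 20 * width
            if lo >= 0 and hi <= len(buf):
                before = buf[lo:pos].decode(enc, "replace")
                after = buf[pos + len(sep):hi].decode(enc, "replace")
                if all(s.isascii() and s.isdigit() for s in (before, after)) and luhn_ok(before):
                    hits.append((lo, before, enc))
            pos = buf.find(sep, pos + 1)
    return hits

def pan_residue_report(buf):
    """Masked findings for a report: never write the full PAN to a log."""
    return [f"offset {off} ({enc}): {pan[:6]}{'*' * 6}{pan[-4:]}"
            for off, pan, enc in dexter_style_scan(buf)]

# Constructed sample "memory" (not a real dump): a Luhn-valid test PAN in track-2 layout
# in ASCII, the same record in UTF-16LE, and a decoy PAN that fails the Luhn check.
SAMPLE_RAM = (
    b"\x00\x11\x22 junk before "
    + b"4111111111111111=25121010000000000000?"
    + b"\x00" * 8
    + "4111111111111111=25121010000000000000".encode("utf-16le")
    + b" text=with an equals sign but no digits "
    + b"4111111111111112=25121010000000000000"
)

if __name__ == "__main__":
    for line in pan_residue_report(SAMPLE_RAM):
        print(line)
```

A run on the constructed buffer reports the ASCII and the UTF-16LE records and ignores both the decoy and the '=' surrounded by text, which is exactly the false-positive filtering the Luhn step gives the scraper.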

What Is a Trojan?
A Trojan is a program in which malicious or harmful code is contained inside apparently harmless programming or data in such a way that it can gain control and cause damage, such as ruining the file allocation table on your hard disk. Trojans replicate, spread, and are activated upon certain predefined user actions.
With the help of a Trojan, an attacker gains access to the passwords stored on the Trojaned computer and is able to read personal documents, delete files, display pictures, and/or show messages on the screen.

Figure: an attacker sends requests to Trojan-infected victims in Chicago ("Send me credit card details"), London ("Send me Facebook account information") and Paris ("Send me e-banking login info"), and each victim's Trojan answers with the credit card number and expiry date, the Facebook login and profile, and the bank ATM and PIN code respectively.

Purpose of Trojans
Delete or replace the operating system's critical files
Disable firewalls and antivirus
Generate fake traffic to create DoS attacks
Create backdoors to gain remote access
Download spyware, adware, and malicious files
Infect the victim's PC to use it as a proxy server for relaying attacks
Record screenshots, audio, and video of the victim's PC
Use the victim's PC in a botnet to perform DDoS attacks
Steal information such as passwords, security codes, and credit card information using keyloggers
Use the victim's PC for spamming and blasting out email messages

Indications of a Trojan Attack

The CD-ROM drawer opens and closes by itself
Abnormal activity by the modem, network adapter, or hard drive
The browser is redirected to unknown pages
Account passwords are changed, or there is unauthorized access
Strange chat boxes appear on the victim's computer
Strange purchase statements appear on the credit card bills
Documents or messages are printed from the printer by themselves
The ISP complains to the victim that his/her computer is IP scanning
The functions of the right and left mouse buttons are reversed
People know too much personal information about the victim

Antivirus is disabled or does not work properly
The taskbar disappears
Windows color settings change
The computer screen flips upside down or inverts
Screensaver settings change automatically
Wallpaper or background settings change
The Windows Start button disappears
The mouse pointer disappears or moves by itself
The computer shuts down and powers off by itself
Ctrl+Alt+Del stops working
Repeated crashes, or programs open/close unexpectedly
The computer monitor turns itself off and on

Dexter Trojan
PWS:Win32/Dexter.B is a hazardous and pesky Trojan infection which may facilitate unauthorized access to targeted users' systems and steal confidential information such as login details and passwords, which may then be revealed to the public. PWS:Win32/Dexter.B is known for aggressively affecting users' browsing activities by altering the default browser and DNS settings and redirecting victims to irrelevant pages.
PWS:Win32/Dexter.B notably slows down PC performance and interrupts the internet connection, as it is able to take up large amounts of system resources.
PWS:Win32/Dexter.B has the ability to bypass antivirus removal through its changeable characteristics. Only manual cleaning can guarantee a complete fix.

Symptoms of Dexter Trojan

Windows Security Center, Windows Firewall or third-party firewall software has been disabled:
It allows remote access to compromise your computer by changing your PC's system settings, registry settings and files to capture and steal your private data without any permission. It comes bundled with lots of malware, malicious spyware and adware parasites, and all of these harmful PC threats can hide deep in your system, processes, files and folders.
Countermeasures
Restart your computer and keep pressing the F8 key before Windows starts. Use the arrow keys to select the Safe Mode with Networking option, and then press ENTER to continue.

Press the Ctrl+Alt+Del or Ctrl+Shift+Esc combination to open Windows Task Manager and end suspicious processes. If that does not work, click the Start button, click the Run option, type taskmgr and press OK. The Windows Task Manager should open.

Go to Control Panel from the Start menu and open Folder Options. Click View, then tick "Show hidden files and folders" and untick "Hide protected operating system files (Recommended)". Then press OK.

Press the Windows+R keys together to open the Run window, then type regedit and press OK. When Registry Editor is open, locate and delete the following registry values created by PWS:Win32/Dexter.B.

To learn more about these attacks and how to secure your information systems, become a Certified Ethical Hacker.
