A Case Study
Source: http://gadgets.ndtv.com/internet/news/dexter-trojan-affecting-pos-terminals-in-india-steals-card-information-473573?pfrom=home-otherstories
Cyber-security sleuths have detected a "black" private information stealing trojan in the Indian online banking transactions space, and have alerted consumers who swipe debit or credit cards at shopping counters to make payments.
"The common infection vectors for PoS system malware include phishing emails or social engineering techniques to deliver the malware, use of default or weak credentials, unauthorized access, open wireless networks, along with the methods of installing malware as a part of service," says the latest advisory issued to the public by the Computer Emergency Response Team (CERT-India).
The trojan, named "Dexter, black PoS, memory dump and grabber", can acquire seven aliases when infecting a system, once it has succeeded in breaching the security protocols of a PoS terminal.
Point of Sale (PoS) counters were placed at retail terminals after the RBI made it mandatory in December last year (2014) for debit card holders to punch in their PIN every time they make a purchase.
Modern point-of-sale devices are quite complex. Apart from simply selling stuff (and doing refunds) they may include inventory management, warehousing, financials and so forth.
Such devices actively use networking and cloud computing, and some are even organized as Software-as-a-Service (SaaS). This brings a number of information security risks to the POS infrastructure.
One of the major problems is bank card information leakage. Standards require card data to be encrypted when stored on a hard drive or transmitted over the network, but it may be completely unprotected in the volatile memory of the process working with it. Furthermore, it may remain in RAM for some time after card data processing has finished. This gives cybercriminals an opportunity to steal the data by searching through the RAM of a POS machine.
BANKING
There are many types of bank cards: credit cards, debit cards, gift cards etc. Modern cards have magnetic stripes or chips that store the card data, which includes security code and bank account number.
Data formats used on bank cards are defined by the ISO/IEC 7813 and 7816 standards. Our observations show that attackers build their search algorithms in accordance with these documents.
Copyright by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.
Besides the common malware activities (such as covert launch, anti-forensics, and contacting malicious servers or C&C), the scrapers' workflow includes two essential steps:
1. Process enumeration and memory dumping: enumerating the processes of interest and reading their memory into a buffer or dumping it to a file.
2. Bank card data search: iterating through the buffered/dumped memory for the card information.
The list below shows the samples (and their MD5 hash sums) that were analyzed in this research. Since there's no standard for malware names, we specify several.
c43f1be5e71c3cde5f04d4954ab29788 - TrojanSpy:Win32/Alinaos.E (Microsoft), Win32/Spy.POSCardStealer.D (ESET)
6f0de63e7831c715e1bff9556777ea55 - Backdoor:Win32/Hesetox.A (Microsoft), Infostealer.Vskim (Symantec), Win32/Spy.POSCardStealer.K (ESET)
2d48e927cdf97413523e315ed00c90ab - PWS:Win32/Dexter (Microsoft), Win32/Poxters.A (ESET)
b4f28e51ec62712951ee6292936768c8 - Memory dumper from the Visa report
100b5329e32dc033eb5e0523dedf4009 - Infostealer.Bancos (Symantec), a variant of Win32/Spy.POSCardStealer.A (ESET)
7f9cdc380eeed16eaab3e48d59f271aa - TrojanSpy:Win32/Pocardler.A (Microsoft), Infostealer.Reedum (Symantec), Win32/Spy.POSCardStealer.N (ESET)
For each selected process, every scraper in our collection does the same thing: it calls VirtualQuery and then ReadProcessMemory to dump the process memory into a buffer or file.
The simplest search algorithm was implemented in Dexter. It looks for the '=' character and then checks the 16 bytes before and the 20 bytes after it. If all of these bytes are ASCII or Unicode digits, the 16-byte sequence (allegedly a card number) is checked with the Luhn algorithm, which is widely used to verify bank card numbers. Here is the implementation of the Luhn algorithm in the Dexter sample.
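As an added example (not code from the analysis or from the Dexter sample, which the slide does not reproduce), the two-step workflow and the '=' heuristic above written as a Python check a defender can run over a memory dump taken from a lab PoS image, to confirm that no cleartext track-2 data lingers after a transaction. The buffer, its offsets and the test card numbers are constructed, and only the search step is shown; the dump itself is assumed to already be on disk.

```python
"""Scan a raw byte buffer for cleartext ISO/IEC 7813 track-2 card data.
Heuristic as the text attributes to Dexter: find '=', require 16 digits before
and 20 digits after it (ASCII or UTF-16LE), then Luhn-check the 16 digits."""
from __future__ import annotations

def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check used to validate card numbers."""
    total = 0
    for idx, ch in enumerate(reversed(digits)):
        d = (ord(ch) - 48) * (2 if idx % 2 else 1)  # double every 2nd digit from the right
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def _digits_at(buf: bytes, start: int, count: int, stride: int) -> str | None:
    """Read `count` digits at stride 1 (ASCII) or 2 (UTF-16LE), else None."""
    end = start + count * stride
    if start < 0 or end > len(buf):
        return None
    chunk = buf[start:end]
    if stride == 2 and any(chunk[1::2]):  # UTF-16LE digits have a zero high byte
        return None
    text = chunk[::stride]
    return text.decode("ascii") if text.isdigit() else None

def find_track2(buf: bytes) -> list[tuple[int, str, str]]:
    """Return (offset of '=', encoding, PAN) for every Luhn-valid candidate."""
    hits = []
    for stride, enc in ((1, "ascii"), (2, "utf-16le")):
        sep = b"=" if stride == 1 else b"=\x00"
        pos = buf.find(sep)
        while pos != -1:
            pan = _digits_at(buf, pos - 16 * stride, 16, stride)
            tail = _digits_at(buf, pos + stride, 20, stride)
            if pan and tail and luhn_valid(pan):
                hits.append((pos, enc, pan))
            pos = buf.find(sep, pos + 1)
    return hits

def mask(pan: str) -> str:
    """Report only BIN and last four digits, never the full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

# Constructed sample (public test card numbers, not real data): a valid ASCII
# record, one that fails Luhn, and a valid record stored as UTF-16LE.
SAMPLE = (b"\x00\x90POS\x00" + b"4111111111111111=25121011234567890123?" + b"\x00" * 7
          + b"4111111111111112=25121011234567890123?" + b"\xff" * 5
          + "5555555555554444=26011019876543210987?".encode("utf-16le") + b"\x00")

if __name__ == "__main__":
    print([(off, enc, mask(pan)) for off, enc, pan in find_track2(SAMPLE)])
```

A hit on a dump taken after the transaction completed means the PoS software is leaving card data in process memory and the finding belongs in the vendor's remediation ticket, not only in the IR report.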
What Is a Trojan?
It is a program in which malicious or harmful code is contained inside apparently harmless programming or data in such a way that it can get control and cause damage, such as ruining the file allocation table on your hard disk. Trojans replicate, spread, and get activated upon certain predefined user actions.
With the help of a Trojan, an attacker gets access to the passwords stored on the Trojaned computer and is able to read personal documents, delete files, display pictures, and/or show messages on the screen.
Figure (diagram text): Attacker: "Send me credit card details" / Reply: "Here is my credit card number and expiry date"; Attacker: "Send me Facebook account information" / Reply: "Here is my Facebook login and profile".
Purpose of Trojans
Delete or replace the operating system's critical files
Disable firewalls and antivirus
Steal information such as passwords, security codes and credit card information using keyloggers
Dexter Trojan
PWS:Win32/Dexter.B is a hazardous and pesky Trojan infection which may facilitate unauthorized access to target users and steal confidential information such as login details and passwords, which may then be revealed to the public. PWS:Win32/Dexter.B is also deemed to aggressively affect users' browsing activities by altering the default browser and DNS settings and redirecting victims to irrelevant pages.
Countermeasures
Restart your computer and keep pressing the F8 key before Windows launches. Use the arrow keys to select the Safe Mode with Networking option, and then hit the ENTER key to continue.
Press the Ctrl+Alt+Del or Ctrl+Shift+Esc combination to open Windows Task Manager and end suspicious processes. If that does not work, click the Start button, click the Run option, type taskmgr and press OK. Windows Task Manager should open.
Go to Computer Control Panel from the Start menu and open Folder Options. Click View, then tick Show hidden files and folders and untick Hide protected operating system files (Recommended). Then press OK.
Tap the Windows+R keys together to open the Run window, then type regedit and press OK. When Registry Editor has opened, locate and delete the following registry values created by PWS:Win32/Dexter.B.
To know more about these attacks and how to secure your information systems, become a Certified Ethical Hacker.