While monitoring a Russian underground forum recently, we came across a discussion about a Trojan for sale that can steal credit card information from machines running Windows for financial transactions and credit card payments. The malware, vSkimmer, can detect card readers, grab all the information from the Windows machines attached to these readers, and send that information to a control server. The author of the thread also discusses other capabilities of this malware, which appears to be a successor of Dexter, though with additional functions.
We already know about botnets such as Zeus and SpyEye, which perform financial fraud using extremely sophisticated techniques, including intercepting the victims' banking transactions. VSkimmer is another example of how financial fraud is actively evolving and how financial Trojans are developed and supported in the underground community. This botnet is particularly interesting because it directly targets card-payment terminals running Windows.
Our Automated Botnet Replication Framework first saw this Trojan on Feb 13. We've analyzed samples of this malware and figured out how it steals the credit card information and its additional control functionalities. While performing API tracing, we found it uses fairly standard anti-debugging techniques:
The malware collects the following information from the infected machine and sends it to the control server:
- Machine GUID from a Registry
- Locale info
- Username
- Hostname
- OS version
This malware uses a standard installation mechanism and copies itself as svchost.exe into %APPDATA%, modifies the registry key to add itself under the authorized list of apps, and runs ShellExecute to launch the process. One function of vSkimmer when the Internet is not accessible is to wait for a USB device with the volume name KARTOXA007 to be connected to the infected machine and to copy all the logs with the file name dumz.log and the card info collected from the victim to the USB drive.
I checked by disconnecting from the Internet: the malware enumerated all the drives and created the file dumz.log on the drive with the above name.
Extracting credit card information
VSkimmer maintains a whitelist of processes, which it skips while enumerating the running processes on the infected machine.
Once vSkimmer finds any running process not in the whitelist, it runs OpenProcess and ReadProcessMemory to read the memory pages of the process and invokes a pattern-matching algorithm to match the regular expression “?[3-9]{1}[0-9]{12,19}[D=\u0061][0-9]{10,30}\??” and extract the card info read by the payment devices. This is done recursively for each process running on the infected machine that is not on the whitelist.
VSkimmer control
Before communicating with the control server, the malware Base64-encodes all the machine information collected and appends it to the URI. The encoded string follows this format:
- machine guid|build_id|bot_version|Windows_version|Host_name|User_Name
Next, vSkimmer creates an HTTP request and connects to the control server:
While this malware ran, we saw the following response. Note that the commands are within a <cmd></cmd> tag.
Once vSkimmer receives the response from the server, it executes the following routine to parse the command:
Because the response from the server during execution was <cmd>null</cmd>, the malware extracts the 3-byte command and tries to match it against the other commands implemented by vSkimmer. First it checks whether the command from the server is “dlx.”
If not, vSkimmer then checks for the “upd” command. These commands implement an HTTP download-and-execute (“dlx”) and an update of the bot (“upd”), respectively.
As we saw earlier in this post, vSkimmer can also grab the Track 2 data stored on the magnetic stripe of credit cards. This track stores all the card information, including the card number. (You can read more about the Track 2 data format on Wikipedia.) The main fields:
- Primary Account Number: a series printed on a front of a card
- Expiration Date
- Service Code: a three-digit number
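To make concrete what the regular expression quoted above actually picks out of a buffer, here is an added example (not code from this post or from the malware) that runs a Python adaptation of that pattern over a constructed text buffer, splits each hit into the Track 2 fields listed above, and adds a Luhn check and PAN masking so it can serve as a detection or DLP rule, for instance over a recovered dumz.log, rather than as a harvester. The leading “?” of the post's pattern is treated here as an optional literal end sentinel (a bare “?” does not compile in Python's re), and the sample records are constructed, not real card data.

```python
import re

# Python adaptation of the pattern quoted in the post. The leading "?" is taken
# as an optional literal end sentinel (a bare "?" will not compile in Python's re);
# [D=\u0061] is the field separator exactly as written there ("D", "=" or "a").
TRACK2_RE = re.compile(r"\??([3-9][0-9]{12,19})[D=\u0061]([0-9]{10,30})\??")

def luhn_ok(pan: str) -> bool:
    """Luhn checksum: cuts false positives from arbitrary digit runs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """Keep only the BIN and last four so findings can be logged safely."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def find_track2(text: str) -> list:
    """Return one record per Track 2 hit, split into the fields the post lists."""
    hits = []
    for m in TRACK2_RE.finditer(text):
        pan, rest = m.group(1), m.group(2)
        # Track 2 layout after the separator: YYMM expiry, then 3-digit service code
        hits.append({
            "pan": mask_pan(pan),
            "expiry": rest[2:4] + "/" + rest[0:2],   # MM/YY
            "service_code": rest[4:7],
            "luhn_valid": luhn_ok(pan),
        })
    return hits

# Constructed sample buffer (not real data): a well-formed record, a digit run
# that is not card data, and a record whose PAN fails the Luhn check.
SAMPLE = (
    "ORDER 20130213 TERMINAL 07\n"
    ";4539578763621486=25121011234567890123?\n"
    "SESSION 1234567890123456789012345678\n"
    ";4539578763621487=2412201000012345?\n"
)

if __name__ == "__main__":
    for rec in find_track2(SAMPLE):
        print(rec)
```

Running it reports two hits, one Luhn-valid and one not, and no hit for the plain digit run, which is the filtering a detection rule needs before alerting.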
VSkimmer bot control panel
Here's a look at the control panel of the command server: