Slashdot Mirror


Analysis of Dexter Malware Uncovers Mystery Man, and Links To Zeus

chicksdaddy writes "The newly discovered Dexter malware is one of the few examples of a malicious program that targets point of sale terminals, but also communicates, botnet-like, with a command and control infrastructure. According to an analysis by Seculert, the custom malware has infected 'hundreds POS systems' including those operated by 'big-name retailers, hotels, restaurants and even private parking providers.' Now a detailed analysis by Verizon's RISK team suggests that Dexter may be a creation of a group responsible for the ubiquitous Zeus banking Trojan. By analyzing early variants of Dexter discovered in the wild, Verizon determined that the IP addresses used for Dexter's command and control were also used to host Zeus-related domains and several domains for Vobfus, also known as 'the porn worm,' which has been used to deliver the Zeus malware. Verizon also produced some tantalizing clues as to the identity of one individual who may be a part of the crew responsible for the malware. The RISK team linked the domain registration for a Dexter C&C server to an unusual online handle, 'hgfrfv,' that was used to post a number of suggestive help requests ('need help with decrypting a table encrypted with EncryptByKey') in online technical forums, where a live.com e-mail address was also provided. The account name was also linked to a shell account on the outsourcing web site freelancer.com, which lists 'hgfrfv' as an individual residing in the Russian Federation."
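
The infrastructure overlap the summary describes (Dexter C&C IPs also hosting Zeus and Vobfus domains, plus a registrant handle shared across domains) is the everyday pivot a threat-intel analyst runs over passive-DNS and WHOIS data. The block below is an added example and not part of the Slashdot submission or of Verizon's analysis; the domains, IPs, campaign labels and registrant handles are constructed placeholders (`.example` names, RFC 5737 addresses), not the real Dexter or Zeus indicators. It also carries the two checks that keep such a pivot from producing nonsense: IPs with a large fan-out (shared hosting, CDNs, sinkholes) are ignored, and privacy-proxy registrant handles are never used as a key.

```python
from collections import defaultdict

# Constructed sample data (NOT the real Dexter/Zeus indicators): placeholder
# domains under .example and IPs from the RFC 5737 documentation ranges.
# Each passive-DNS style observation is (domain, resolved_ip, campaign_label).
OBSERVATIONS = [
    ("c2-a.example",     "203.0.113.10", "dexter"),
    ("c2-a.example",     "203.0.113.11", "dexter"),
    ("panel-b.example",  "203.0.113.10", "zeus"),
    ("drop-c.example",   "203.0.113.11", "vobfus"),
    ("c2-a.example",     "198.51.100.5", "dexter"),   # shared hosting: noisy
    ("shared-1.example", "198.51.100.5", "unknown"),
    ("shared-2.example", "198.51.100.5", "unknown"),
    ("shared-3.example", "198.51.100.5", "unknown"),
]

# Constructed WHOIS-style registrant handles (placeholders, not real registrants).
WHOIS = {
    "c2-a.example":     "reg-handle-1",
    "panel-b.example":  "privacy-proxy",
    "drop-c.example":   "reg-handle-1",
    "shared-1.example": "reg-handle-2",
}

# Registrant handles that belong to privacy/proxy services. Pivoting on one of
# these would "link" every domain behind the proxy, so they are never used as a key.
PRIVACY_HANDLES = {"privacy-proxy"}


def index_by_ip(observations):
    """Map each IP to the set of domains seen resolving to it."""
    ip_map = defaultdict(set)
    for domain, ip, _ in observations:
        ip_map[ip].add(domain)
    return ip_map


def pivot_on_ip(observations, seed, max_fanout=3):
    """Domains co-hosted with `seed`, keyed by domain -> set of shared IPs.

    IPs hosting more than `max_fanout` domains are treated as shared hosting
    (or a CDN/sinkhole) and skipped: co-residence there proves nothing.
    """
    related = defaultdict(set)
    for ip, domains in index_by_ip(observations).items():
        if seed not in domains or len(domains) > max_fanout:
            continue
        for other in domains - {seed}:
            related[other].add(ip)
    return dict(related)


def pivot_on_registrant(whois, seed, privacy_handles=PRIVACY_HANDLES):
    """Other domains registered under the same (non-proxy) handle as `seed`."""
    handle = whois.get(seed)
    if handle is None or handle in privacy_handles:
        return set()
    return {d for d, h in whois.items() if h == handle and d != seed}


def campaigns_reached(observations, domains):
    """Campaign labels attached to the given domains: label -> set of domains."""
    labels = defaultdict(set)
    for domain, _, campaign in observations:
        if domain in domains:
            labels[campaign].add(domain)
    return dict(labels)


def infrastructure_report(seed, observations=OBSERVATIONS, whois=WHOIS):
    """One-hop pivot from a seed C2 domain over hosting IPs and registrant data."""
    by_ip = pivot_on_ip(observations, seed)
    by_reg = pivot_on_registrant(whois, seed)
    linked = set(by_ip) | by_reg
    return {
        "seed": seed,
        "shared_ip": by_ip,
        "shared_registrant": sorted(by_reg),
        "campaigns": campaigns_reached(observations, linked),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(infrastructure_report("c2-a.example"), indent=2, default=sorted))
```

Run it and the report for the seed links `panel-b.example` (zeus) through one shared IP and `drop-c.example` (vobfus) through another plus a shared registrant, while the three `shared-*.example` domains on the busy 198.51.100.5 address are left out. The fan-out threshold and the proxy-handle list are the two knobs to tune against real data; set them too loosely and every cheap VPS provider's customers become "linked".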

40 of 119 comments

  1. POS Terminals by Anonymous Coward · · Score: 3, Interesting

    You can keep your own systems safe, and even use one-off CC#s for online purchases, but you can't verify that retailers' POS equipment is clean (you'll probably be tossed out of the store just for asking). When in public use cash. Let's just hope you can trust the ATMs that you use.

    1. Re:POS Terminals by grumpy_old_grandpa · · Score: 1

      > Let's just hope you can trust the ATMs that you use.

      No, you cannot. I've lost count of how many times my cards have been skimmed and defrauded in various ways. Luckily, I have not taken any loss myself, but it is still a hassle to report, renew the cards, etc.

      If you are really paranoid about these things, you'll have to use cash as you said, but go inside the bank to withdraw your money. On a regular basis, that's probably even more hassle, and also puts you at risk of being mugged.

      As always, security is a trade-off and compromise between a whole set of different attack vectors vs. convenience and ease of use of the security measures. There is no way to make it perfect, and we will just have to continue updating the security systems and practices as new threats emerge. Also, the same solutions will not fit all; each will have to judge for himself what is the best combination of security vs. convenience.

    2. Re:POS Terminals by ickleberry · · Score: 2

      They're called POS terminals for a reason ;)

    3. Re:POS Terminals by ArchieBunker · · Score: 1

      I remember the days when POS terminals were a glorified calculator. Making them out of cheap PCs did not make anything better.

      --
      Only the State obtains its revenue by coercion. - Murray Rothbard
    4. Re:POS Terminals by tlhIngan · · Score: 2

      You can keep your own systems safe, and even use one-off CC#s for online purchases, but you can't verify that retailers' POS equipment is clean (you'll probably be tossed out of the store just for asking). When in public use cash. Let's just hope you can trust the ATMs that you use.

      So... the big problem is that someone will capture your credit card number?

      I don't know, but I don't think that's exactly a good hack - after all, you're legally protected if someone uses your credit card without your authorization. Either you spot a strange transaction and call your bank (and they reverse it and send you a new number), or you get a call about some flagged transaction. Either way, you're not out any money at all.

      And these days, most places take the chip, so the POS terminal can't even get at the number (it's usually even a separate pad with minimal communications so even if the terminal is hacked, it can't get at the actual number).

      Of course, given how everyone argues about how crappy credit cards are ... I guess enjoy it until you're forced to use debit cards only that don't necessarily have those protections...

  2. Question: How do get my employer aware? by Anonymous Coward · · Score: 1

    So I work at a large grocery store. How do I get my IT department up to date on this issue? We have been compromised in the past and I have been noticing some strange things showing up on my terminals.

    1. Re:Question: How do get my employer aware? by allaunjsilverfox2 · · Score: 4, Interesting

      So I work at a large grocery store. How do I get my IT department up to date on this issue? We have been compromised in the past and I have been noticing some strange things showing up on my terminals.

      If your IT department isn't already on top of it, you have much bigger problems.

      --
      Restore the madness of youth's lechery
  3. Look for the Windows start button by Anonymous Coward · · Score: 2, Interesting

    Just look for the Windows icon in the bottom left corner of any of the running terminals. When they're using these POS POS machines, it's invariably the Windows ones that are the problem. They're typically Windows Embedded, but nobody ever turned off all the parts because of the dependencies.

    So you'll see it's just a cheap PC, running an old version of Windows, connected across the store's crappy, insecure Wi-Fi which probably talks to the software vendor across the open internet.

    So, if you see the Windows logo on the terminal, just pay cash or leave the store, but don't hand your CC over.

    Oh, and the same goes for ATMs, the insecure ones are things like Diebolds, and I wish I could find the video of one that crashed, and so somebody started up media player on it and had it play a tune.

    http://thetartan.org/2004/3/22/scitech/brokenatmturnedintojukebox

    At some point, the manufacturers have to be held liable for the incompetent products they put out.

    1. Re:Look for the Windows start button by dotancohen · · Score: 1

      Just look for the Windows icon in the bottom left corner of any of the running terminals. When they're using these POS POS machines, it's invariably the Windows ones that are the problem.

      In the recent Barnes & Noble POS attack, the actual hardware was compromised. No word on what OS was behind it, though.

      --
      It is dangerous to be right when the government is wrong.
    2. Re:Look for the Windows start button by machine321 · · Score: 1

      So you'll see it's just a cheap PC, running an old version of Windows, connected across the store's crappy, insecure Wi-Fi which probably talks to the software vendor across the open internet.

      That is absolutely not possible. They're PCI certified!

    3. Re:Look for the Windows start button by gman003 · · Score: 1

      Meh. Call me when they're PCI Express certified.

    4. Re:Look for the Windows start button by Darundal · · Score: 1

      Tons of POS software goes fullscreen on launch. Looking for a Windows logo won't help you most of the time.

  4. When will they ever learn?! by erroneus · · Score: 1, Troll

    Using Windows for anything that requires security is just stupid!

    Putting a Windows server on the internet is a generally accepted "bad idea." Putting a Windows machine onto the internet without being crippled with anti-ware and a multitude of filters is a "bad idea" which invariably still leads to compromises because anti-ware and filters will never be enough.

    And someone wants to put Windows into ATMs and POS machines?! And people BUY them?!

    "I don't want to live on this planet any more."

    1. Re:When will they ever learn?! by Anonymous Coward · · Score: 1

      OS/2 had been a very popular and solid base for ATM and banking systems for over a decade before those systems migrated over to Windows.... Diebold may suck but using OS/2 back then was probably their best decision ever.

    2. Re:When will they ever learn?! by erroneus · · Score: 5, Insightful

      Quite familiar with Diebold ATMs. I spent a few years in the ATM industry where I learned all kinds of things I was better off not knowing.

      The short here is that business people are invariably interested in rapid development and deployment. Those tools are most available under Windows. "Rapid development." Really? And rapid deployment too? Sounds like they would rather not bother with testing and QA.

      And using the internet as transport? Back in the day, they used POTS... some still do. (yeah... dialtone generators and devices that answer "yes" to every transaction... one of the first tools I was exposed to when "troubleshooting" an ATM.) It's beyond stupid. But that's the thing. Business does not understand technology and so they love to imagine that since THEY can't understand it, neither can those 'stupid criminals' so they're safe right? One of the biggest problems is these geniuses trust brand names more than people. Another is that they simply do not know what they do not know. You can try to tell them, but they just read it as an attack or an insult.

    3. Re:When will they ever learn?! by drinkypoo · · Score: 1

      OS/2 had been a very popular and solid base for ATM and banking systems for over a decade before those systems migrated over to Windows.... Diebold may suck but using OS/2 back then was probably their best decision ever.

      It would have been better to stick with DOS, because DOS is still here, and where is OS/2 now? Precisely where anyone could have predicted it would be. When it didn't succeed broadly by 2.1 you had to know it was going to fart around and eventually go away.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  5. unusual handle??? by Anonymous Coward · · Score: 2, Interesting

    I'm serious, trace hgfrfv on the keyboard.... I swear I think the people who protect our country don't look for the stupidest things.

    r
    fgh
    v

    If it's not a penis it's some other random punch.

    This submission is bull... wtf happened to Slashdot...
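
The commenter's observation, that the "unusual" handle is just a finger path across the keyboard, is something an analyst can check mechanically rather than by eye, and the same check is what password-strength code uses to catch `qwerty`-style walks. The block below is an added example, not part of the thread: it scores a string by how many consecutive characters are physically neighbouring keys on a US QWERTY layout. The row coordinates, the stagger offsets and the 0.8 threshold are my approximations, not a standard.

```python
# US QWERTY letter/digit rows with an approximate horizontal stagger, so that
# physically adjacent keys are about one key-width apart. Coordinates are an
# approximation of the physical layout (assumption), not a standard.
_ROWS = (
    ("1234567890", 1.0),
    ("qwertyuiop", 1.5),
    ("asdfghjkl",  2.0),
    ("zxcvbnm",    2.5),
)
_KEY_POS = {
    ch: (x_offset + i, row)
    for row, (keys, x_offset) in enumerate(_ROWS)
    for i, ch in enumerate(keys)
}
# Squared distance that still counts as "adjacent": neighbours in the same row
# are 1.0 apart, diagonal neighbours about 1.12; the next ring starts at ~1.8.
_ADJACENT_SQ = 1.3


def adjacent(a, b):
    """True if keys a and b are the same key or physical neighbours."""
    pa, pb = _KEY_POS.get(a), _KEY_POS.get(b)
    if pa is None or pb is None:
        return False
    return (pa[0] - pb[0]) ** 2 + (pa[1] - pb[1]) ** 2 <= _ADJACENT_SQ


def walk_fraction(s):
    """Fraction of consecutive character pairs in s that are adjacent keys."""
    s = s.lower()
    if len(s) < 2:
        return 0.0
    steps = sum(adjacent(a, b) for a, b in zip(s, s[1:]))
    return steps / (len(s) - 1)


def is_keyboard_walk(s, min_len=4, threshold=0.8):
    """Flag strings that are mostly a finger path across the keyboard."""
    return len(s) >= min_len and walk_fraction(s) >= threshold


if __name__ == "__main__":
    # hgfrfv is the handle from the article; the others are constructed controls.
    for handle in ("hgfrfv", "qwerty", "chicksdaddy", "zeus"):
        print(f"{handle:12} walk={walk_fraction(handle):.2f} "
              f"keyboard_walk={is_keyboard_walk(handle)}")
```

`hgfrfv` scores 1.0 (h-g-f are one row, f-r and f-v are the diagonal neighbours above and below), while an ordinary word such as `chicksdaddy` scores 0.2. Backtracking (r-f after f-r) is counted as a step on purpose: walks that reverse are still walks, and that is exactly the shape the commenter traced.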

  6. When will YOU ever learn, troll? by Anonymous Coward · · Score: 3, Informative

    Current history shows Linux doesn't do so well in that role (small wonder you were down modded as a troll erroneous ):

    2012:

    New Linux Rootkit Emerges:

    https://threatpost.com/en_us/blogs/new-linux-rootkit-emerges-112012

    "A new Linux rootkit has emerged and researchers who have analyzed its code and operation say that the malware appears to be a custom-written tool designed to inject iframes into Web sites and drive traffic to malicious sites for drive-by download attacks. The rootkit is designed specifically for 64-bit Linux systems."

    ---

    'FIRST ever' Linux, Mac OS X-only password sniffing virus spotted:

    http://www.theregister.co.uk/2012/08/29/linux_mac_trojan/

    ---

    Medicaid hack update: 500,000 records and 280,000 SSNs stolen:

    http://www.zdnet.com/blog/security/medicaid-hack-update-500000-records-and-280000-ssns-stolen/11444

    So, what's dts.utah.gov running everyone?

    LINUX (and yes, it got HACKED) -> http://uptime.netcraft.com/up/graph?site=dts.utah.gov

    What's health.utah.gov running too??

    YOU GUESSED IT: LINUX AGAIN -> http://uptime.netcraft.com/up/graph?site=health.utah.gov

    * Ah, yes - see the YEARS OF /. "BS" FUD is CRUMBLING AROUND THE PENGUINS EARS HERE & 2012's starting out just like 2011 did below!

    ===

    2011:

    KERNEL.ORG COMPROMISED - The Cracking of Kernel.org: (that's VERY bad - do you trust it now?)

    http://linux.slashdot.org/story/11/08/31/2321232/Kernelorg-Compromised

    ---

    Linux.com pwned in fresh round of cyber break-ins:

    http://www.theregister.co.uk/2011/09/12/more_linux_sites_down/

    ---

    Mysql.com Hacked, Made To Serve Malware:

    http://it.slashdot.org/story/11/09/26/2218238/mysqlcom-hacked-made-to-serve-malware

    What's that site running? You guessed it - Linux -> http://uptime.netcraft.com/up/graph?site=mysql.com

    ---

    London Stock Exchange serving malware:

    http://slashdot.org/submission/1484548/London-Stock-Exchange-Web-Site-Serving-Malware

    (I mean hey - NOT ONLY DID LINUX FALL FLAT ON ITS FACE less than a few minutes into the job http://linux.slashdot.org/story/11/02/19/0147232/London-Stock-Exchange-Price-Errors-Emerged-At-Linux-Launch, & crash not only ONCE, but TWICE there? You see "Linux 'fine security'" in motion @ the LSE too!)

    ---

    DUQU ROOTKIT/BOTNET BEING SERVED FROM LINUX SERVERS:

    http://it.slashdot.org/story/11/11/30/1610228/duqu-attackers-managed-to-wipe-cc-servers

    ---

    Linux Foundation, Linux.com Sites Down To Fix Security Breach:

    http://linux.slashdot.org/story/11/09/11/1325212/linux-foundation-linuxcom-sites-down-to-fix-security-breach

    ---

    Linux's showing in CA's breached recently too? Ok:

    1. Re:When will YOU ever learn, troll? by cmdr_tofu · · Score: 3, Insightful

      I think what you are seeing is web-applications hosted on Linux being hacked. Apache and MySQL run on Windows too although the WAMP stack is harder to keep updated than the LAMP stack.

      But I don't disagree with you. Hosting applications on Linux does not make them ecure. It takes a lot of time and energy. The same is true for Windows. The iframe-injecting kernel module that you linked to is really quite interesting.

      Where the rubber meets the road, I think Linux and BSD still win in performance, security and manageability, but you are correct, the margins are a lot slimmer. Windows Server 2008 is not Windows 95 or XP.

    2. Re:When will YOU ever learn, troll? by morcego · · Score: 1

      Hosting applications on Linux does not make them ecure. It takes a lot of time and energy. The same is true for Windows.

      Thank you. I'm a unix guy, and have been using Linux since kernel 0.97. And I hate when people say things like that, implying that just because it is in Linux, it is secure. It is not, and it takes a lot of work and knowledge to make any computer, running any OS, secure.

      The difference is that Linux will help you, while Windows will hinder your efforts.

      --
      morcego
    3. Re:When will YOU ever learn, troll? by VortexCortex · · Score: 1

      Hosting applications on Linux does not make them ecure.

      It depends on the application. For instance: If you've got a bad case of the MS vendor-lock-in, then the option of hosting on Linux may very well be an eCure.

    4. Re:When will YOU ever learn, troll? by erroneus · · Score: 1

      Two problems:

      1. You just responded to APK. I am really and truly sorry for what happens to people who respond to APK. His paranoid imagination and school-boy level of maturity does not allow him to understand that people simply don't care what he has to say. It is always a fight to him... most often to some imaginary form of death.
      2. Yes. Linux can be insecure. But it actually takes work to MAKE it insecure these days. Have you ever wrestled with SELinux? It's on by default in most current Linux distros these days meaning that you can't even run a web server without explicitly allowing it through SELinux or without turning SELinux off. Either way, the user is the one who weakened the OS.

      One huge difference between Linux [and others] and Windows is that with Windows, one hack pretty much fits all. This is not generally the case with Linux. Also, you really have to trust Microsoft to have a system which is not naturally vulnerable. That has not ever happened for any amount of time as far as I have seen. Linux puts people in control at a level Microsoft Windows will not. The user can even recompile the kernel in order to add or remove anything they need. Vulnerabilities can be patched on the same day problems are identified. Users of Windows have to wait until the patch is released most of the time and ... well, sometimes Microsoft doesn't issue patches for known issues for a very long time for various reasons.

    5. Re:When will YOU ever learn, troll? by erroneus · · Score: 1

      OMFG :) Do you see what this guy does?! He goes absolutely nuts with commentary as if people live on slashdot and do nothing else! It's beyond imagination. The words "disproportionate response" and obsessive come to mind. I'll just go back to pretending he doesn't exist and that I don't see what he writes. His style is pretty obvious so not hard to detect. I advise everyone else to do the same. Just pray that he doesn't resort to shooting up schools for attention.

  7. God this is a stupid post by Impy the Impiuos Imp · · Score: 1

    > Analysis of Dexter Malware Uncovers Mystery
    > Man, and Links To Zeus

    I'll bet it's Baby Bowler. It's gotta be Baby Bowler.

    Can't wait to see what she, Dexter, and Zeus do when teamed up!

    --
    (-1: Post disagrees with my already-settled worldview) is not a valid mod option.
  8. Re:How's Windows "hinder your efforts"? by theskipper · · Score: 3, Insightful

    Lemme guess...this morning you found a Dunkin Donuts "Buy 1 coffee get 10 free" coupon? ;)

  9. Re:How's Windows "hinder your efforts"? by degeneratemonkey · · Score: 3, Insightful

    All I can say is that your mode of communication is too erratic to be worth engaging. Reading your posts is a lot like jamming a screwdriver into my eyes.

  10. Re:Lcreation? by VortexCortex · · Score: 1

    Lcreation what's that?

    It's a hold over from that horrible Hungarian Notation that Win32 coders are famously stuck with (hint: Win32 is still used on 64bit systems, 32 apparently means "not 16 bit").
    Careful not to confuse the L prefix here with Long; In this context it means Local.

    ...Dexter may be a local creation of a group responsible...

  11. Linked online handles by pepsikid · · Score: 2

    So if I want to throw detectives off my trail, all I have to do is harvest a bunch of handles from 4chan, Slashdot and Fark to reuse? Good to know. Not that I'd do that, of course. Or use my enemy's handle. Hur hurr.

  12. Re:Restating a fact by theskipper · · Score: 1

    I stand corrected, it wasn't coffee. It must have been a coupon for Steve's Hand-Crafted Meth Emporium.

  13. wow by drinkypoo · · Score: 1

    what a waste of a trollmod, modtroll

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  14. Re:How's Windows "hinder your efforts"? by cbiltcliffe · · Score: 1

    You're replying to an AC. How would you know APK asked that question of him?
    Speaking of which... I love how EVERY single post that backs up APK by pointing out "avoided questions" that people didn't answer is posted by an AC, just like APK himself.
    Here's a hint, APK: Just because somebody didn't answer your "question" doesn't mean they're avoiding it. Maybe it's just such a stupid, rambling question that it doesn't deserve an answer, or it's so fscking obvious to those of us *without* extreme ADHD that the rest of us assume that it's rhetorical....

    --
    "City hall" in German is "Rathaus" Kinda explains a few things......
  15. Re:LOL - how many times've I "blown YOU away"? by cbiltcliffe · · Score: 1

    I didn't run.

    If you can wrap your brain around reality for a few minutes, you'll notice that slashdot locks discussions, preventing any new replies after the story's been posted for a few weeks. Not exactly sure how long it is, but it's not forever.

    When I went back to read your delusional response to my last post, the discussion was locked, and I couldn't reply.

    But that would interfere with your delusions of grandeur, so you'd never admit to it, even if you knew that happened.

    Interestingly, nobody else seems to have problems finding the words that I *didn't* put in your mouth, because you *did* actually say them. It's only in your alternate reality that you didn't.

    --
    "City hall" in German is "Rathaus" Kinda explains a few things......
  16. Re:How's Windows "hinder your efforts"? by cbiltcliffe · · Score: 1

    Unless APK's/your questions are directed at the entire world (which, given his/your level of delusion, wouldn't surprise me) then who asked the question is completely irrelevant. It's who it was asked *of* that matters, as that was what Mr. AC-defender-of-APK stated.

    --
    "City hall" in German is "Rathaus" Kinda explains a few things......
  17. Re:How's Windows "hinder your efforts"? by cbiltcliffe · · Score: 1

    That's a post by an AC, claiming to be APK. That's not somebody defending APK with a logged in account.
    Maybe you need to learn to read, rather than me....

    --
    "City hall" in German is "Rathaus" Kinda explains a few things......
  18. Re:How's Windows "hinder your efforts"? by cbiltcliffe · · Score: 1

    And you're obviously apk trying (and doing a REALLY poor job) to pretend that you're somebody else that's agreeing with apk.

    That's why you never log in, isn't it? Because it would be blatantly obvious if you accidentally posted a "APK asked you a question which you ran away from, STUPID TROLL!" comment under your apk account.

    You think this way makes it impossible to tell, but there's only one poster on /. that has your arrogant, abusive posting style, so it's pretty obvious that you're apk, and you're attempting to fake many AC posters that "agree" with you to put on appearances of this mass horde of people that, by agreeing with you, means you must be correct.

    So not only are you pathetically faking supporters, demonstrating a perfect example of an appeal to the majority fallacy, but since even in your deluded little world, they're all ACs, you're also committing a false attribution fallacy in your arguments.

    Grow up. Nobody really gives a shit what you say. Although you are funny to read sometimes, what with your frothing-at-the-mouth verbiage.....

    --
    "City hall" in German is "Rathaus" Kinda explains a few things......
  19. Re:LOL - how many times've I "blown YOU away"? by cbiltcliffe · · Score: 1

    Really? You're still going on about an argument you lost badly nearly a year and a half ago?

    Since you keep harping on this insistence that you didn't say something you blatantly did, here are your exact words:

    P.S.=> Besides, there isn't a botnet (or even ROOTKIT) I can't deal with effectively for removal anyhow - & I don't use the same tools others do...

    Well, @ first I do, & when those fail? Out come the "big guns" in Process Explorer & Recovery Console - & there's nothing I can't "dust" between them... ... apk

    They're from this post:
    http://it.slashdot.org/comments.pl?sid=2282088&cid=36618008

    You directly say you use Process Explorer to get rid of rootkits when other tools fail. It's not even implied. You said it, outright. Maybe you didn't mean it (although I think you did, because instead of clarifying what you said, you've instead tried desperately to state that you didn't, in fact, say it), but there's no question you said it.

    So why don't you take your damaged brain back to whatever warped reality you reside in when you're not trolling slashdot, and lick your wounds. Make sure they're all healed, because next time they'll be much deeper.....

    --
    "City hall" in German is "Rathaus" Kinda explains a few things......
  20. Re:This link easily proves otherwise... apk by cbiltcliffe · · Score: 1

    Oh...I see what you're doing now:

    You're changing your claim as to what the debate was about, so in your delusional little world, it looks like you won.
    I never said the "indestructible rootkit" was actually indestructible, so claiming that I was wrong when I did is simply a straw man. That's not winning an argument; that's being a douche, which I believe I may have called you at some point.

    My problem with your randomly capitalized, scatterbrained posts is that you claimed rootkits (not this particular rootkit, but rootkits in general) could be removed with Process Explorer when other tools fail. Yes, you also included Recovery Console in there, but you stated "removed" with Process Explorer. Afterwards you modified this to be "mopped up" with Process Explorer. (hmmmm... changing the terms of the argument again. Seems to be something you do a lot of. Terrified of losing, maybe?)
    You then went on to claim that a partially automated tool that I wrote to do this kind of removal was unnecessary, because your manual method worked. You might as well say that GPS is unnecessary, because you can read a map to figure out where you're going. Or cars are unnecessary, because you can get where you're going on a horse.

    This particular rootkit could be removed using your modified method (NOT your original method, mind you), although many can't.
    The ONLY rootkits this method can remove are ones that use a Windows driver to hide the rootkit components. Boot sector rootkits, BIOS rootkits and more do not use this method for hiding, and CANNOT be removed by your method.
    I seem to remember telling you this in the conversation 18 months ago, which you promptly ignored with your "I completely SMOKED some weed...errr...you IN that ARGUMENT!!1!11!eleventy!1!11!!" posts. I'm not going to bother looking it up, because your childish, simpleton arguments are not worth any more of my time.

    Pretend you won the debate if you want, and maybe in your universe you did. But in this reality, you were beaten, badly, and you just refuse to admit it.

    --
    "City hall" in German is "Rathaus" Kinda explains a few things......
  21. Re:This link easily proves otherwise... apk by cbiltcliffe · · Score: 1

    "I didn't run." - by cbiltcliffe (186293) on Thursday December 20, @08:55PM (#42355183) Homepage

    This proves QUITE otherwise -> http://slashdot.org/comments.pl?sid=3319303&cid=42360301

    Really? How does that "prove" anything, other than you do a lot of acid before you post?
    Your barely coherent ramblings cannot possibly prove or disprove anything that goes on outside your own little reality distortion field.

    Explain it to the rest of us: How does that post of yours prove that I "ran?"
    Don't get into all sorts of other irrelevant, unrelated crap, just answer that simple question.

    --
    "City hall" in German is "Rathaus" Kinda explains a few things......
  22. Re:Who posted this question? by cbiltcliffe · · Score: 1

    I did, right here -> http://slashdot.org/comments.pl?sid=3319303&cid=42307263 Now, read the subject-line of YOUR POST NOW, you illiterate ignoramus! What post is PARENT to yours & gave it its subject-line?? Mine/that very one!

    You really have trouble following a thread, don't you?
    The parent post to mine was not your question. It didn't even claim to be you, although, I think it was yours; you just didn't put your name on it, as you wanted it to appear to be someone else who was supporting your asinine arguments.

    The post I responded to was this:

    The meaning's explicit directed at poster apk replied to. Obviously a question. You're obviously stupid or trolling.

    from here:
    http://slashdot.org/comments.pl?sid=3319303&cid=42308455

    Do you see your name at the end of that post? I don't. I'm pretty sure nobody else does, either. Well...maybe you do, but that would be your reality distortion field at work again.

    In fact, it specifically refers to you in the third person, pretty definitively stating that it was NOT written by you.

    Regardless of most of the world's opinion of your lack of mental capacity, incoherence, and incessant ramblings, every post in a thread that you've "contributed" to is neither a direct response to you nor a direct attack on you. Sometimes, responses are to people other than you. That's right. I know it's shocking to your ego, but not all human interaction on the planet has you as one of the parties. In fact, the vast, vast majority of it does not involve you at all, despite your best efforts.

    --
    "City hall" in German is "Rathaus" Kinda explains a few things......