Slashdot Mirror


Analysis of Dexter Malware Uncovers Mystery Man, and Links To Zeus

chicksdaddy writes "The newly discovered Dexter malware is one of the few examples of a malicious program that targets point of sale terminals, but also communicates, botnet-like, with a command and control infrastructure. According to an analysis by Seculert, the custom malware has infected 'hundreds of POS systems' including those operated by 'big-name retailers, hotels, restaurants and even private parking providers.' Now a detailed analysis by Verizon's RISK team suggests that Dexter may be a creation of a group responsible for the ubiquitous Zeus banking Trojan. By analyzing early variants of Dexter discovered in the wild, Verizon determined that the IP addresses used for Dexter's command and control were also used to host Zeus-related domains and several domains for Vobfus, also known as 'the porn worm,' which has been used to deliver the Zeus malware. Verizon also produced some tantalizing clues as to the identity of one individual who may be a part of the crew responsible for the malware. The RISK team linked the domain registration for a Dexter C&C server to an unusual online handle, 'hgfrfv,' that was used to post a number of suggestive help requests ('need help with decrypting a table encrypted with EncryptByKey') in online technical forums, where a live.com e-mail address was also provided. The account name was also linked to a shell account on the outsourcing web site freelancer.com, which lists 'hgfrfv' as an individual residing in the Russian Federation."
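The infrastructure-overlap pivot the summary describes (Dexter C&C IPs also hosting Zeus and Vobfus domains) is shown below as an added Python example; it is not code from the Verizon report or the story, and the domains, IPs and family labels are constructed placeholders. Domains are grouped by the IP they resolved to, IPs hosting more than one family are surfaced, and a list of known shared-hosting IPs is excluded because co-location on bulk hosting says nothing about a common operator.

```python
from collections import defaultdict

# Constructed passive-DNS style records: (domain, resolved IP, family label).
# Placeholder domains and RFC 5737 IPs, not the real Dexter/Zeus indicators.
RECORDS = [
    ("dexter-c2-a.example", "203.0.113.10", "Dexter"),
    ("dexter-c2-b.example", "203.0.113.11", "Dexter"),
    ("zeus-panel.example", "203.0.113.10", "Zeus"),
    ("zeus-config.example", "203.0.113.11", "Zeus"),
    ("pornworm-dl.example", "203.0.113.10", "Vobfus"),
    ("legit-cdn.example", "198.51.100.5", "Benign"),
    ("shared-host.example", "192.0.2.7", "Zeus"),
    ("shared-host-2.example", "192.0.2.7", "Dexter"),
]

# Constructed list of bulk shared-hosting / CDN IPs: two families landing on the
# same one is not evidence of a common operator, so the pivot skips them.
KNOWN_SHARED_HOSTS = {"192.0.2.7"}


def index_by_ip(records, exclude=KNOWN_SHARED_HOSTS):
    """Map each IP to {family: set(domains)} observed on it, skipping noisy IPs."""
    by_ip = defaultdict(lambda: defaultdict(set))
    for domain, ip, family in records:
        if ip not in exclude:
            by_ip[ip][family].add(domain)
    return by_ip


def shared_infrastructure(records, exclude=KNOWN_SHARED_HOSTS):
    """Return only the IPs that hosted domains from two or more families."""
    return {ip: fams for ip, fams in index_by_ip(records, exclude).items()
            if len(fams) >= 2}


def linked_families(records, family, exclude=KNOWN_SHARED_HOSTS):
    """Families that share at least one non-excluded IP with `family`."""
    linked = set()
    for fams in shared_infrastructure(records, exclude).values():
        if family in fams:
            linked.update(f for f in fams if f != family)
    return linked


if __name__ == "__main__":
    for ip, fams in sorted(shared_infrastructure(RECORDS).items()):
        print(ip, {f: sorted(d) for f, d in fams.items()})
    print("Dexter overlaps with:", sorted(linked_families(RECORDS, "Dexter")))
```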

12 of 119 comments

  1. POS Terminals by Anonymous Coward · · Score: 3, Interesting

    You can keep your own systems safe, and even use one-off CC#'s for online purchases, but you can't verify that retailers' POS equipment is clean (you'll probably be tossed out of the store just for asking). When in public use cash. Let's just hope you can trust the ATMs that you use.

    1. Re:POS Terminals by ickleberry · · Score: 2

      They're called POS terminals for a reason ;)

    2. Re:POS Terminals by tlhIngan · · Score: 2

      You can keep your own systems safe, and even use one-off CC#'s for online purchases, but you can't verify that retailers' POS equipment is clean (you'll probably be tossed out of the store just for asking). When in public use cash. Let's just hope you can trust the ATMs that you use.

      So... the big problem is that someone will capture your credit card number?

      I don't know, but I don't think that's exactly a good hack - after all, you're legally protected if someone uses your credit card without your authorization. Either you spot a strange transaction and call your bank (and they reverse it and send you a new number), or you get a call about some flagged transaction. Either way, you're not out any money at all.

      And these days, most places take the chip, so the POS terminal can't even get at the number (it's usually even a separate pad with minimal communications so even if the terminal is hacked, it can't get at the actual number).

      Of course, given how everyone argues about how crappy credit cards are ... I guess enjoy it until you're forced to use debit cards only that don't necessarily have those protections...

  2. Look for the Windows start button by Anonymous Coward · · Score: 2, Interesting

    Just look for the Windows icon in the bottom left corner of any of the running terminals. When they're using these POS POS machines, it's invariably the Windows ones that are the problem. They're typically Windows Embedded, but nobody ever turned off all the parts because of the dependencies.

    So you'll see it's just a cheap PC, running an old version of Windows, connected across the store's crappy unsecure Wifi which probably talks to the software vendor across the open internet.

    So, if you see the Windows logo on the terminal, just pay cash or leave the store, but don't hand your CC over.

    Oh, and the same goes for ATMs, the insecure ones are things like Diebolds, and I wish I could find the video of one that crashed, and so somebody started up media player on it and had it play a tune.

    http://thetartan.org/2004/3/22/scitech/brokenatmturnedintojukebox

    At some point, the manufacturers have to be held liable for the incompetent products they put out.

  3. Re:Question: How do get my employer aware? by allaunjsilverfox2 · · Score: 4, Interesting

    So I work at a large grocery store. How do I get my IT department up to date on this issue? We have been compromised in the past and I have been noticing some strange things showing up on my terminals.

    If your IT department isn't already on top of it, you have much bigger problems.

    --
    Restore the madness of youth's lechery

  4. unusual handle??? by Anonymous Coward · · Score: 2, Interesting

    I'm serious, trace hgfrfv on the keyboard.... I swear I think the people who protect our country don't look for the stupidest things.

    r
    fgh
    v

    If it's not a penis it's some other random punch.

    This submission is bull... WTF happened to Slashdot...

  5. When will YOU ever learn, troll? by Anonymous Coward · · Score: 3, Informative

    Current history shows Linux doesn't do so well in that role (small wonder you were down-modded as a troll, erroneous):

    2012:

    New Linux Rootkit Emerges:

    https://threatpost.com/en_us/blogs/new-linux-rootkit-emerges-112012

    "A new Linux rootkit has emerged and researchers who have analyzed its code and operation say that the malware appears to be a custom-written tool designed to inject iframes into Web sites and drive traffic to malicious sites for drive-by download attacks. The rootkit is designed specifically for 64-bit Linux systems."

    ---

    'FIRST ever' Linux, Mac OS X-only password sniffing virus spotted:

    http://www.theregister.co.uk/2012/08/29/linux_mac_trojan/

    ---

    Medicaid hack update: 500,000 records and 280,000 SSNs stolen:

    http://www.zdnet.com/blog/security/medicaid-hack-update-500000-records-and-280000-ssns-stolen/11444

    So, what's dts.utah.gov running everyone?

    LINUX (and yes, it got HACKED) -> http://uptime.netcraft.com/up/graph?site=dts.utah.gov

    What's health.utah.gov running too??

    YOU GUESSED IT: LINUX AGAIN -> http://uptime.netcraft.com/up/graph?site=health.utah.gov

    * Ah, yes - see the YEARS OF /. "BS" FUD is CRUMBLING AROUND THE PENGUIN'S EARS HERE & 2012's starting out just like 2011 did below!

    ===

    2011:

    KERNEL.ORG COMPROMISED - The Cracking of Kernel.org: (that's VERY bad - do you trust it now?)

    http://linux.slashdot.org/story/11/08/31/2321232/Kernelorg-Compromised

    ---

    Linux.com pwned in fresh round of cyber break-ins:

    http://www.theregister.co.uk/2011/09/12/more_linux_sites_down/

    ---

    Mysql.com Hacked, Made To Serve Malware:

    http://it.slashdot.org/story/11/09/26/2218238/mysqlcom-hacked-made-to-serve-malware

    What's that site running? You guessed it - Linux -> http://uptime.netcraft.com/up/graph?site=mysql.com

    ---

    London Stock Exchange serving malware:

    http://slashdot.org/submission/1484548/London-Stock-Exchange-Web-Site-Serving-Malware

    (I mean hey - NOT ONLY DID LINUX FALL FLAT ON ITS FACE less than a few minutes into the job http://linux.slashdot.org/story/11/02/19/0147232/London-Stock-Exchange-Price-Errors-Emerged-At-Linux-Launch, & crash not only ONCE, but TWICE there? You see "Linux 'fine security'" in motion @ the LSE too!)

    ---

    DUQU ROOTKIT/BOTNET BEING SERVED FROM LINUX SERVERS:

    http://it.slashdot.org/story/11/11/30/1610228/duqu-attackers-managed-to-wipe-cc-servers

    ---

    Linux Foundation, Linux.com Sites Down To Fix Security Breach:

    http://linux.slashdot.org/story/11/09/11/1325212/linux-foundation-linuxcom-sites-down-to-fix-security-breach

    ---

    Linux's showing in CA's breached recently too? Ok:

    1. Re:When will YOU ever learn, troll? by cmdr_tofu · · Score: 3, Insightful

      I think what you are seeing is web-applications hosted on Linux being hacked. Apache and MySQL run on Windows too although the WAMP stack is harder to keep updated than the LAMP stack.

      But I don't disagree with you. Hosting applications on Linux does not make them secure. It takes a lot of time and energy. The same is true for Windows. The iframe-injecting kernel module that you linked to is really quite interesting.

      Where the rubber meets the road, I think Linux and BSD still win in performance, security and manageability, but you are correct, the margins are a lot slimmer. Windows Server 2008 is not Windows 95 or XP.

  6. Re:When will they ever learn?! by erroneus · · Score: 5, Insightful

    Quite familiar with Diebold ATMs. I spent a few years in the ATM industry where I learned all kinds of things I was better off not knowing.

    The short here is that business people are invariably interested in rapid development and deployment. Those tools are most available under Windows. "Rapid development." Really? And rapid deployment too? Sounds like they would rather not bother with testing and QA.

    And using the internet as transport? Back in the day, they used POTS... some still do. (yeah... dialtone generators and devices that answer "yes" to every transaction... one of the first tools I was exposed to when "troubleshooting" an ATM.) It's beyond stupid. But that's the thing. Business does not understand technology and so they love to imagine that since THEY can't understand it, neither can those 'stupid criminals' so they're safe right? One of the biggest problems is these geniuses trust brand names more than people. Another is that they simply do not know what they do not know. You can try to tell them, but they just read it as an attack or an insult.

  7. Re:How's Windows "hinder your efforts"? by theskipper · · Score: 3, Insightful

    Lemme guess...this morning you found a Dunkin Donuts "Buy 1 coffee get 10 free" coupon? ;)

  8. Re:How's Windows "hinder your efforts"? by degeneratemonkey · · Score: 3, Insightful

    All I can say is that your mode of communication is too erratic to be worth engaging. Reading your posts is a lot like jamming a screwdriver into my eyes.

  9. Linked online handles by pepsikid · · Score: 2

    So if I want to throw detectives off my trail, all I have to do is harvest a bunch of handles from 4chan, Slashdot and Fark to reuse? Good to know. Not that I'd do that, of course. Or use my enemy's handle. Hur hurr.