High Level Coding Language Used To Create New POS Malware

An anonymous reader writes: A new malware framework called ModPOS is reported to pose a threat to U.S. retailers, and has some of the highest-quality coding work ever put into a ill-intentioned software of this nature. Security researchers iSight say of the ModPOS platform that it is 'much more complex than average malware'. The researchers believe that the binary output they have been studying for three years was written in a high-level language such as C, and that the software took 'a significant amount of time and resources to create and debug'.

High level?

C is a high level coding language now?

I guess contrasted with the way that one guy in last week's Q&A asked Brian Kernighan about "low level languages like Haskell" ?

Re:High level?

[GrumpySteen]

C is a high level coding language now?

Depends on how old you are.

Re:High level?

[pr0fessor]

I'm guessing it depends on how much inline assembly you have mixed into it as to whether it's really abstracted.

Re:High level?

[hey!]

Speaking as someone who learned C in 1980, C was originally thought of as a low-level language -- a suitable replacement in most cases for assembly language that, while abstracting underlying details like the CPU instruction set and registers, remained relatively small and "close to the hardware". Then later 80s I was asked to take over a course on C, and when I looked at the course description I was surprised to see it described as a "high level language". I asked the person who wrote the description what he meant by "high level language", and he really had no idea. He said he meant it was "powerful", which of course is just as vague when comparing any two Turing equivalent languages.

Of course "high level" vs. "low level" is relative. C is "high level" in comparison to assembly, or "B", in which the only datatype was a computer word. On the other hand C "low level" in comparison to most other languages that hide away the details of the hardware like instruction set and registers and such. So it depends on what you're comparing to; but in general I think people who describe C as "low level" know more about what they're talking about than those who call it a "high level" language.

The important thing isn't whether C is "high" or "low" level; it is what makes C work, which is largely about what was left out. It didn't have all the bells and whistles of something like PL/1, which made the language easy to implement, even on a tiny 8 bit microcomputer, and easy to learn, in the form of a slim, almost pamphlet-like book (The C Programming Language, 1st edition was 228 paperback-sized pages long).

Even so, C has become very slightly more "higher level" over the years. The original K&R C was more weakly typed than the later ANSI C. Particularly when you were dealing with pointers, the declared type of a pointer in K&R C was more of a mnemonic aid to the programmer than anything else.

Re:High level?

It's TheStack press SEO hype-up. The usual from 3-paragraph journalists these days.

Re:High level?

[flopsquad]

C is a high level coding language now?

I write all my malware in assembly, you insensitive clod!

Re:High level?

[bcothran]

Yeah I stick to my low level Visual Basic... It's so complicated at this level, I wonder what a higher level language feels like?

Re:High level?

Well, assuming old people are incapable of renormalizing their biases once they've become obsolete, then sure.

Well, assuming young people don't have a clue...

Hint 'We already knew that'

From an old obsolete fart!

Re:High level?

I've always considered assembly to be low level, things like C to be mid level, and compiled languages that run in VMs such as C# and java to be high level, with python, JS etc being scripting languages. But hey, that's just my opinion and it's probably as valid as anybody elses classification of languages.

Re:High level?

[michelcolman]

I thought up to now we were relatively safe from hackers because they were all just mucking around with assembler and stuff. But now it turns out these guys have evolved and taken things to a whole new level by using the high level programming language C! That's totally unheard of, that kind of cutting edge technology was always thought to be beyond the abilities of malware programmers, all bets are off now!

Re:High level?

I don't usually say "THIS" but when I do...

That sums up exactly what I was going to reply, probably close to similar verbiage. I scrolled down and I don't need to. I think I might have put bash and Perl as mid-level but that's more for what they are generally used for than for any other reason. So, your opinion isn't entirely unique and I'm inclined to agree.

Heh

Someone used a general-purpose programming language such as C to fulfill a particular purpose. By the way, it happened that they did this well. Newsworthy!

I know there are no editors here, but...

a ill-intentioned software

Software is a mass noun, and "a" become "an" before vowels.

Re:I know there are no editors here, but...

An before a word with a vowel SOUND, not before a word starting with a vowel. Weird. I before E except after...well, weird.

Re:I know there are no editors here, but...

You missed the first part of what was said. Neither "a" or "an" should be present, simply "ill-intentioned software".

Re:I know there are no editors here, but...

So in your English, "ill" starts with a silent "i"?

Re:I know there are no editors here, but...

[konohitowa]

No. In his English he is capable of comprehending the use of the indefinite article. Hint: it's not necessary in that particular instance. Apparently your an English has a different rules.

High level or low level?

Usually C is referred to as a "low level" language.

Re:High level or low level?

[ole_timer]

Not to iDefense, er, iPartners, or whoever they are now.

Re:High level or low level?

The "level" refers to the level of abstraction away from how the underlying machine operates, it's an inherently relative concept. Relative to the "binary output they have been studying for three years" C is indeed a high level language.

Re:High level or low level?

As opposed to the usual malware written by script-kiddies in pure machine code?

Re:High level or low level?

> Usually C is referred to as a "low level" language.

Only by clueless people who don't know what a "low level" language is. Pointers don't make a language "low level."

I'll give you a hint: if it has variables, data types, data structures, loop and subroutine statements, it ain't low-level.

What's Unusual?

So, skilled programmers write a program in C. Isn't that done daily by the thousands?

Re:What's Unusual?

Millions me thinks.

Re:What's Unusual?

No. Skilled programmers don't use C.

Re:What's Unusual?

[SQLGuru]

I'd probably stick to thousands......there are some programmers out there that really aren't that skilled.....at least not in programming.....cut and paste, maybe.

Re:What's Unusual?

[bjb_admin]

I have a name for them, Google search programmers.

Re:What's Unusual?

[plover]

This new piece of malware shows sophistication of design, but that's not unheard of. Older malware was often customized by compile time switches and definitions; this just abstracts some of that away.

Many people (i.e. journalists and managers) think of malware authors as pimple-faced script kiddies hacking in their mothers' basements. They think that large, well-designed projects require teams of skilled developers who would only do so for a fat paycheck.

What's happened now is that vulnerabilities are so profitable that the threat landscape is no longer the exclusive domain of the single hacker - criminal gangs want a piece of it. They can afford to pay team salaries to engineer a solution.

And malware authors have learned to avoid the biggest risks of getting caught. In the old days a virus writer would also be the distributor. Modern authors get paid by selling their exploit code, along with customization and support contracts, to gangs of attackers. The attackers take on the risks, the developers collect fat checks. In some cases of vertical attacks (ATM skimmers for example), the "owner" of the malware uses cryptography to encrypt the skimmed data, preventing the low-level attackers from profiting from the stolen data. The profits go to the top first, and the paychecks cascade down (assuming honor among thieves.)

So what's newsworthy here is that they believe this malware to be further evidence of a new breed of well organized criminal software developers.

Re:What's Unusual?

I'm curious, is it any better than if they search books for that info? And if that is better, fundamentally, what makes it better looking it up in a book than on google? Is the problem just that google is more efficient?

Personally I find the problem to be with people who use code without understanding what that code does, regardless of if they found it in a book or on google.

Re:What's Unusual?

I think the big problem is that a Google search programmer will create whatever useless stuff the customer wants for a fraction of the cost.
That makes it bad, for him at least.

Re:What's Unusual?

And if that is better, fundamentally, what makes it better looking it up in a book than on google?

Hopefully there's less chance that the code you find in a book was written by some random idiot who had no idea what they were doing. But maybe I'm just optimistic.

Re:What's Unusual?

[rtb61]

However standard practice for skilled computer criminals is to release their programs to script kiddies, so that the many script kiddie attacks will help to obfuscate a hide the organised crime attacks.

This would seem to indicate that programs that contain encrypted elements might well have to be banned as it will make much easier for security programs to simply block the installation of all programs that contain encrypted elements, that the user is blocked from checking with a security program.

High level coding language?

In what world is "someone wrote malware in C" remotely attention-worthy?

C != high level

Since when is C a high level language?

Re:C != high level

Since it wasn't machine code or assembly language. Anything that needs a compiler is, by definition, a high-level language.

Interpreted languages and intermediary languages don't rank on this scale at all. They're far above the definition of high-level.

Seriously, doesn't anybody teach this stuff in Introduction to Computer Shit 101 anymore?

Re:C != high level

Well, sure, if you are using the term "high level language" as binary qualifier. But then, it wouldn't really be that noteworthy. Why even point out that it was written in C? A lot of malware is written in a lot of high level languages, all day every day. They make it sound like this is some dissertation-worthy elegance of the highest order, when it sounds to me like something not worthy of an article.

Re:C != high level

What? Interpreted languages and intermediary languages? Talk about a gray area in terminology. What ever gave you the idea that these are not considered high-level? Next time I will check with you for exactly what scale it is you are using to rank languages. Meanwhile I will exist in the real-world, where "high-level" refers to "a high degree of abstraction from machine language". C qualifies, minimally, being basically higher level than assembly. Since one is still concerned fundamentally with memory addresses and register access, it is still very much "low-level" in a very meaningful (and ubiquitous) sense of the term.

Thanks for mentioning CS101, though, it adds to the (already overwhelming) evidence that this is where your formal education began and ended.

Re:C != high level

The computing landscape has changed considerably since the term "high-level language" was coined.

We have lots of intermediate constructs now. Is JVM bytecode a "high-level language" because it's interpreted? I wouldn't call it that.

K&R described C as a "not very high-level language." I think of HLLs as having abstractions built into the syntax and semantics. The more abstraction, the "higher-level" it is.

I Would Guess POS Means

point of sale but in fact, piece of shit would be appropriate.

C is high level?

[Dutch+Gun]

I think they're misusing the term "high level" when it comes to programming languages. I suspect what they're trying to get at is that it's sophisticated and competently coded.

I wonder why they assume it's C and not C++, incidentally, since they're presumably looking at decompiled assembly? I haven't done much C vs C++ side-by-side analysis of the two... is there an obvious difference in the generated assembly? I guess maybe v-table structures would point to C++, where C programmers likely wouldn't invent such constructs.

Re:C is high level?

[vux984]

is there an obvious difference in the generated assembly?

There would be in most projects that were not outright trying to obscure they were using C++.

Its been a while since I looked at disassembled code, but you used to be able to easily tell what compiler and even version of that compiler was used just from the boilerplate setup code; the way things were 'arranged', exception handlers etc, and obviously library usage was frequently a dead giveaway. Your not going to see a either an iostream or an STL container in a C program.

Re:C is high level?

Nah, "high level programming language" just means it's not machine specific. x86 machine code and assembly are low level languages. C is high level. Python and Java are even higher level. At the binary level, the most obvious sign it's C and not C++ is that function names get mangled in C++ but not in C. Linkage for class methods are different from regular functions as well.

Re:C is high level?

[Dutch+Gun]

I've always heard C referred to as "mid-level".

Also, good point about the name mangling differences. Totally forgot about that. I have little reason to dip down into assembly these days - and in fact, I've never really studied C-generated assembly at all.

Re: C is high level?

[ljw1004]

C and C++ look radically different when reverse engineering their assembly. Like, it's easy to reverse engineer C and much harder to do C++ without symbols. The allocators they call are different. Folk seem to use more heap allocation in C++. More calls in C++.

At least, that's what I assume is going on. Some things I reverse engineer easily in hours. Other things it takes me days before I give up. I believe this difference comes from C vs X++

Re:C is high level?

[phantomfive]

I haven't done much C vs C++ side-by-side analysis of the two... is there an obvious difference in the generated assembly

Huge differences.....the most obvious are the function names (which are compiled into a binary) being mangled. The C++ name mangling will turn "strcmp" into "__1cGstrcmp6Fpkc1_i_" or something similar (it's not standard by compiler). The parameters types are encoded in the name, so the compiler can know which function to call when the functions are overloaded.

Re:C is high level?

[Xenna]

Exactly. And this is another gem:

  'much more complex than average malware'

I would never hire a programmer that would pride himself on the complexity of his software. That's probably the reason the poor slob had to turn to malware to make a buck.

Re:C is high level?

[tehcyder]

Exactly. And this is another gem:

'much more complex than average malware'

I would never hire a programmer that would pride himself on the complexity of his software. That's probably the reason the poor slob had to turn to malware to make a buck.

I think you're confusing 'complexity' with '(unnecessary) complication'.

If something is complex, you can't simplify it without losing information: if something is (unnecessarily) complicated, then you can.

Judging from the article...

WTF? He seems to think C is a high level language and he judges the code "High Quality".

Where are these morons coming from, Visual Basic?

We ALL know real programmers use Assembly.

He doesn't know shit from apple butter.

In other news "Apple Butter" is the new high level language.

'fortune | cowsay'

why is this news?

So a very common programming language is used to write a virus: why is this news?

Re:why is this news?

[Hognoxious]

I don't know, but earlier today they'd discovered that an old mechanical computer is in fact a mechanical computer and it's probably quite old.

Is C so rare in Malware...

[cant_get_a_good_nick]

that you need to call it out?

With everything going modular these days, I'm sure there's a lot of hand written assembly exploit code that then pulls down modules likely written in C. Not that it's good or bad, just odd to call it out.

Re:Is C so rare in Malware...

that you need to call it out?

Yes. It needs to be called out. C is being used to code malware now. The terrorists will use malware. Therefore, we must ban usage of C everywhere, to stop the terrorists. Long live VB!

Re:Is C so rare in Malware...

[cant_get_a_good_nick]

Have you SEEN Kernighan and Ritchie? BEARDS i say

Terrorists.

High Quality Coding Work?

With paths like this embedded in the binaries, I'd question that statement:

c:\MyProjects\newplugs\lsass\release\lsass.pdb

High Level Editors Used to Create POS Blog Site

[xxxJonBoyxxx]

High Level Editors Used to Create POS Blog Site Called "SlashDot"

FTFY

Re:High Level Editors Used to Create POS Blog Site

Slashdot a POS site?

I can't argue with that one.

It would be ironic

[Ukab+the+Great]

If the state of software engineering has arrived at the point that so many honest-work programmers are being forced to spend so much time writing quick and dirty garbage to get them past the next sprint that, in order to have a job writing good clean code, they have to go black hat.

Re:It would be ironic

[DigiShaman]

Regardless of the zeitgeist of how ruthless the IT industry intrinsically is, we're all held accountable to our own actions. If you go black hat, nothing *made* you do it. The correct response would be to find another occupation entirely; even if that means digging ditches.

Re:It would be ironic

[MarkvW]

Good luck trying to project that moral reasoning onto others.

Re:It would be ironic

Yes, Sartre, we are fully aware that we can always choose to kill ourselves.

Or less hyperbolistically, we can always choose a worse path, like spending another 4 years and the retirement savings to get schooled in a job that pays half as much. Anyone can do that. Show me a better choice.

Re:It would be ironic

[dilvish_the_damned]

Yes, Sartre, we are fully aware that we can always choose to kill ourselves.

Or less hyperbolistically, we can always choose a worse path, like spending another 4 years and the retirement savings to get schooled in a job that pays half as much. Anyone can do that. Show me a better choice.

I can only surmise that you were not speaking to the morality of the choice and by worse you mean less profitable, and by better you mean more profitable.

So as asked, this may be an option that does not require 4 years, a retirement account, and likely will pay better than half as much. You won't even be forced to write high grade malicious code. By some accounts this could be a better choice.

I don't know who makes these decisions for you, but they may force you to attend WGU depending on how much your making now. Or perhaps you make these choices yourself and this was just hyperbole?

linux based POS

[roman_mir]

One of the benefits and reasons why we build Linux based systems for retail chain management, store management, supply chain management, e-commerce and such is ability to secure against these types of attacks better. Beyond that we came up with a new way of protecting credit card information by tying it to the location of the user's phone, but we are not a nominal 'fintech' and those guys are too hard to approach (for now at least).

Re:linux based POS

Ah yes, roman_mir's mighty software empire that nobody ever uses.

Gun analogy

[Dareth]

C is a high level language, like a 9 mm handgun round is high velocity ammunition.

Re:Gun analogy

[ColdWetDog]

Sure, but they both hurt like hell when you shoot yourself in the foot with them.

Some people still contrast HLL with assembly

[tepples]

Until you find an emulator developer who complains that the emulator in a Nintendo product "is incredibly inefficient, written in HLL code, developed by somebody whom knew nothing about emulation nor about ARM nor about Z80/8080 processors." (This refers to C, as early C compilers targeting this product generated inefficient code.) Also a reset mechanism in Nintendo DS hardware "allows the NDS7 debugger to capture accidental jumps to address 0, that appears to be a common problem with HLL-programmers, asm-coders know that (and why) they should not jump to 0."

Re:Some people still contrast HLL with assembly

[angel'o'sphere]

there is nothing wrong in jumping to $0000 if there is code to execute ... no idea what you want to say with your assembly print outs on that web page, though.

Re:Some people still contrast HLL with assembly

[MountainLogic]

Who bothers with emulators? I just transcompile the GameBoy code by parsing the machine code into C and then compiling the parsed output on the target hwrdware with a native C complier. Much more efficient (10x) over emulators.

Redundant: POS Malware

[sconeu]

By definition, if it's malware, it's a POS. Even if it's written well.

Re:Redundant: POS Malware

Damn! You beat me to it!

Re:Redundant: POS Malware

[angel'o'sphere]

POS used to mean "point of sales", what does it mean now?

Re:Redundant: POS Malware

[sconeu]

Piece of Shit

Re:Redundant: POS Malware

And I dare say it's meant Piece of Shit for much longer than it meant Point of Sale.

Re:Redundant: POS Malware

[angel'o'sphere]

Ah, rofl, thanx.

Just in: must ban high level languages

They can be used by criminals to cause harm and thus must be banned immediatley.
Except to teach girls to code. Sigh

High level languages...

Sorry, but I don't consider C, C++, or even Java to be "high level languages". I expect way more abstraction from a high level language. Yes, I know, Java does abstract you away from the hardware and attempts to give you "run anywhere", but realistically, if you take away all the frameworks and just use native Java, it is NOT high level.

You want a high level "language" use a 4GL like PL/SQL, Wavemaker, or heck even PowerBuilder.

If you have to write "plumbing" code, it is by definition NOT high level.

https://en.wikipedia.org/wiki/Fourth-generation_programming_language#Examples

If you want to go even higher use a 5GL, but unless you're doing AI, a 4GL is where you want to be.

Re:High level languages...

Well, maybe because every time you add more abstraction in a new language, the "level" increases, so languages that were "high level" 20 years ago are now "mid-level."

In any case, C, C++ and Java are all definitely "high level languages" in the original meaning of the term.

Apparently It's A Non-story

Since this malware was such a POS, it did no damage.

Re:POS is for cows.

[ColdWetDog]

Do you mind going back to posting in the Federal Register where your comment makes some sense?

*an ill-intentioned

Honestly, is it so hard to proofread three lines of writing?

Re:*an ill-intentioned

It wouldn't be, if it were the case that anyone proofreads anything anymore.

Sophisticated malware platform ..

[nickweller]

What Operating system does this sophisticated malware platform run on?

Re:Sophisticated malware platform ..

[AHuxley]

The idea seems to be hinted at in https://thestack.com/security/...
"even EMV/Chip-and-pin are unlikely to protect affected systems. In such cases, the report says ‘ModPOS and other malware with RAM scraping techniques can still gain access to card data. Criminals can then reuse card data, even from EMV cards, to make online (card-not-present) transactions.’"

Re:Sophisticated malware platform ..

[Dutch+Gun]

Given the use of .pdb files they mentioned, which is an MS-specific debug symbol format (as far as I know), it suggests the use of Visual Studio, and that in turn suggests the code is possibly targeting embedded Windows.

Just a guess, of course.

Re:Sophisticated malware platform ..

[nickweller]

You most probably guessed right, if it was OS X, Android or Linux it would be in the headline, instead of the weazly sounding POS malware.

Bad code in any language

[edtice1559]

Just shows that if you don't have the skills, code you write even in C# will still be a POS. Oh wait.

Comment removed

[account_deleted]

Comment removed based on user account deletion

names are stripped

Is it not common knowledge among slashdolts that debugging symbols are an option, not required? Functions are not first-class in C or C++, so the linker and compiler use decorated names, but the vtables that result don't do *runtime* dispatch between *overloaded* functions - the parameter list and name uniquely identify those for the compiler and linker.

signal to noise getting precariously low here, maybe it's time to stay soy and drop the dice...

Re:names are stripped

[phantomfive]

You can strip a lot of that stuff out, but you'd be surprised how many people don't bother. The function names for shared libraries won't be stripped out, though, and shared libraries get called a lot in typical software.

OMG

OMFG a high level language! What in the world will we do

Pos?

[barbariccow]

Somebody coded another piece of shit malware?