Slashdot Mirror


High Level Coding Language Used To Create New POS Malware (isightpartners.com)

An anonymous reader writes: A new malware framework called ModPOS is reported to pose a threat to U.S. retailers, and has some of the highest-quality coding work ever put into an ill-intentioned software of this nature. Security researchers iSight say of the ModPOS platform that it is 'much more complex than average malware'. The researchers believe that the binary output they have been studying for three years was written in a high-level language such as C, and that the software took 'a significant amount of time and resources to create and debug'.

  1. High level? by Anonymous Coward · · Score: 5, Insightful

    C is a high level coding language now?

    I guess contrasted with the way that one guy in last week's Q&A asked Brian Kernighan about "low level languages like Haskell" ?

    1. Re:High level? by GrumpySteen · · Score: 3, Informative

      C is a high level coding language now?

      Depends on how old you are.

    2. Re:High level? by pr0fessor · · Score: 1

      I'm guessing it depends on how much inline assembly you have mixed into it as to whether it's really abstracted.

    3. Re:High level? by hey! · · Score: 5, Insightful

      Speaking as someone who learned C in 1980, C was originally thought of as a low-level language -- a suitable replacement in most cases for assembly language that, while abstracting underlying details like the CPU instruction set and registers, remained relatively small and "close to the hardware". Then in the late 80s I was asked to take over a course on C, and when I looked at the course description I was surprised to see it described as a "high level language". I asked the person who wrote the description what he meant by "high level language", and he really had no idea. He said he meant it was "powerful", which of course is just as vague when comparing any two Turing equivalent languages.

      Of course "high level" vs. "low level" is relative. C is "high level" in comparison to assembly, or "B", in which the only datatype was a computer word. On the other hand, C is "low level" in comparison to most other languages that hide away the details of the hardware like instruction set and registers and such. So it depends on what you're comparing to; but in general I think people who describe C as "low level" know more about what they're talking about than those who call it a "high level" language.

      The important thing isn't whether C is "high" or "low" level; it is what makes C work, which is largely about what was left out. It didn't have all the bells and whistles of something like PL/1, which made the language easy to implement, even on a tiny 8 bit microcomputer, and easy to learn, in the form of a slim, almost pamphlet-like book (The C Programming Language, 1st edition was 228 paperback-sized pages long).

      Even so, C has become very slightly "higher level" over the years. The original K&R C was more weakly typed than the later ANSI C. Particularly when you were dealing with pointers, the declared type of a pointer in K&R C was more of a mnemonic aid to the programmer than anything else.

      --
      Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
    4. Re:High level? by flopsquad · · Score: 1

      C is a high level coding language now?

      I write all my malware in assembly, you insensitive clod!

      --
      Nothing posted to /. has ever been legal advice, including this.
    5. Re:High level? by bcothran · · Score: 1

      Yeah I stick to my low level Visual Basic... It's so complicated at this level, I wonder what a higher level language feels like?

    6. Re:High level? by michelcolman · · Score: 1

      I thought up to now we were relatively safe from hackers because they were all just mucking around with assembler and stuff. But now it turns out these guys have evolved and taken things to a whole new level by using the high level programming language C! That's totally unheard of, that kind of cutting edge technology was always thought to be beyond the abilities of malware programmers, all bets are off now!

  2. Re:High level or low level? by ole_timer · · Score: 1

    Not to iDefense, er, iPartners, or whoever they are now.

    --
    nothing to see here - move along
  3. C is high level? by Dutch+Gun · · Score: 4, Interesting

    I think they're misusing the term "high level" when it comes to programming languages. I suspect what they're trying to get at is that it's sophisticated and competently coded.

    I wonder why they assume it's C and not C++, incidentally, since they're presumably looking at decompiled assembly? I haven't done much C vs C++ side-by-side analysis of the two... is there an obvious difference in the generated assembly? I guess maybe v-table structures would point to C++, where C programmers likely wouldn't invent such constructs.

    --
    Irony: Agile development has too much inertia to be abandoned now.
    1. Re:C is high level? by vux984 · · Score: 5, Interesting

      is there an obvious difference in the generated assembly?

      There would be in most projects that were not outright trying to obscure that they were using C++.

      It's been a while since I looked at disassembled code, but you used to be able to easily tell what compiler and even version of that compiler was used just from the boilerplate setup code; the way things were 'arranged', exception handlers etc, and obviously library usage was frequently a dead giveaway. You're not going to see either an iostream or an STL container in a C program.

    2. Re:C is high level? by Anonymous Coward · · Score: 1

      Nah, "high level programming language" just means it's not machine specific. x86 machine code and assembly are low level languages. C is high level. Python and Java are even higher level. At the binary level, the most obvious sign it's C and not C++ is that function names get mangled in C++ but not in C. Linkage for class methods is different from regular functions as well.

    3. Re:C is high level? by Dutch+Gun · · Score: 1

      I've always heard C referred to as "mid-level".

      Also, good point about the name mangling differences. Totally forgot about that. I have little reason to dip down into assembly these days - and in fact, I've never really studied C-generated assembly at all.

      --
      Irony: Agile development has too much inertia to be abandoned now.
    4. Re: C is high level? by ljw1004 · · Score: 1

      C and C++ look radically different when reverse engineering their assembly. Like, it's easy to reverse engineer C and much harder to do C++ without symbols. The allocators they call are different. Folk seem to use more heap allocation in C++. More calls in C++.

      At least, that's what I assume is going on. Some things I reverse engineer easily in hours. Other things it takes me days before I give up. I believe this difference comes from C vs C++.

    5. Re:C is high level? by phantomfive · · Score: 1

      I haven't done much C vs C++ side-by-side analysis of the two... is there an obvious difference in the generated assembly

      Huge differences.....the most obvious are the function names (which are compiled into a binary) being mangled. The C++ name mangling will turn "strcmp" into "__1cGstrcmp6Fpkc1_i_" or something similar (it's not standard by compiler). The parameter types are encoded in the name, so the compiler can know which function to call when the functions are overloaded.

      --
      "First they came for the slanderers and i said nothing."
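      As an added example (not from any commenter, and not the scheme quoted above, which is Sun-style), here is a small Python demangler for the simplest Itanium C++ ABI forms that GCC and Clang emit, plus a bucketing helper run over a constructed symbol list; it shows concretely how parameter types are encoded in the name and why plain C symbols stand out when triaging a binary's exports. Names such as `process`, `init` and `scale` are constructed, and nested, template and substituted forms of the ABI are deliberately not handled.

```python
"""Demangle simple Itanium-ABI C++ symbols (_Z<len><name><param types>)
and separate them from plain C-style symbol names. Subset of the ABI only:
builtins, pointers (P), references (R), const (K) and <len><name> class types.
Nested (_ZN...E), template and substitution (S_) forms return None."""
import re

# Builtin type codes from the Itanium C++ ABI (subset).
BUILTIN = {"v": "void", "b": "bool", "c": "char", "h": "unsigned char",
           "s": "short", "i": "int", "j": "unsigned int", "l": "long",
           "m": "unsigned long", "x": "long long", "f": "float", "d": "double"}

def _parse_type(s, pos):
    """Parse one mangled type starting at s[pos]; return (text, new_pos)."""
    ch = s[pos]
    if ch in "PRK":                      # prefix modifiers wrap the inner type
        inner, pos = _parse_type(s, pos + 1)
        return {"P": inner + "*", "R": inner + "&", "K": "const " + inner}[ch], pos
    if ch in BUILTIN:
        return BUILTIN[ch], pos + 1
    m = re.match(r"\d+", s[pos:])        # <length><identifier>: a class/struct name
    if m:
        n, start = int(m.group()), pos + len(m.group())
        return s[start:start + n], start + n
    raise ValueError(f"unsupported type code {ch!r} at offset {pos}")

def demangle(sym):
    """Return 'name(params)' for a simple _Z symbol, or None if not handled."""
    m = re.match(r"_Z(\d+)", sym)
    if not m:
        return None
    n, pos = int(m.group(1)), m.end()
    name, pos = sym[pos:pos + n], pos + n
    params = []
    while pos < len(sym):
        text, pos = _parse_type(sym, pos)
        params.append(text)
    if params == ["void"]:               # 'v' alone means an empty parameter list
        params = []
    return f"{name}({', '.join(params)})"

def classify_symbols(symbols):
    """Bucket symbol names by mangling scheme; C exports plain names."""
    out = {"c_style": [], "itanium_cxx": [], "msvc_cxx": []}
    for s in symbols:
        if s.startswith("_Z"):
            out["itanium_cxx"].append(s)
        elif s.startswith("?") and "@@" in s:   # MSVC decorated names
            out["msvc_cxx"].append(s)
        else:
            out["c_style"].append(s)
    return out

# Constructed sample symbol table standing in for a binary's export list.
SAMPLE_SYMBOLS = ["strcmp", "malloc", "_Z7processPKci", "_Z4initv",
                  "_Z5scaleRKdi", "?run@@YAXH@Z"]

if __name__ == "__main__":
    for bucket, names in classify_symbols(SAMPLE_SYMBOLS).items():
        print(bucket, [(n, demangle(n)) for n in names])
```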
    6. Re:C is high level? by Xenna · · Score: 1

      Exactly. And this is another gem:

        'much more complex than average malware'

      I would never hire a programmer that would pride himself on the complexity of his software. That's probably the reason the poor slob had to turn to malware to make a buck.

    7. Re:C is high level? by tehcyder · · Score: 1

      Exactly. And this is another gem:

      'much more complex than average malware'

      I would never hire a programmer that would pride himself on the complexity of his software. That's probably the reason the poor slob had to turn to malware to make a buck.

      I think you're confusing 'complexity' with '(unnecessary) complication'.

      If something is complex, you can't simplify it without losing information: if something is (unnecessarily) complicated, then you can.

      --
      To have a right to do a thing is not at all the same as to be right in doing it
  4. Re:High level or low level? by Anonymous Coward · · Score: 2, Informative

    The "level" refers to the level of abstraction away from how the underlying machine operates; it's an inherently relative concept. Relative to the "binary output they have been studying for three years", C is indeed a high level language.

  5. Is C so rare in Malware... by cant_get_a_good_nick · · Score: 1

    that you need to call it out?

    With everything going modular these days, I'm sure there's a lot of hand written assembly exploit code that then pulls down modules likely written in C. Not that it's good or bad, just odd to call it out.

    1. Re:Is C so rare in Malware... by cant_get_a_good_nick · · Score: 1

      Have you SEEN Kernighan and Ritchie? BEARDS i say

      Terrorists.

  6. High Quality Coding Work? by Anonymous Coward · · Score: 1

    With paths like this embedded in the binaries, I'd question that statement:

    c:\MyProjects\newplugs\lsass\release\lsass.pdb

  7. High Level Editors Used to Create POS Blog Site by xxxJonBoyxxx · · Score: 1

    High Level Editors Used to Create POS Blog Site Called "SlashDot"

    FTFY

  8. Re:What's Unusual? by SQLGuru · · Score: 1

    I'd probably stick to thousands......there are some programmers out there that really aren't that skilled.....at least not in programming.....cut and paste, maybe.

  9. It would be ironic by Ukab+the+Great · · Score: 4, Insightful

    If the state of software engineering has arrived at the point that so many honest-work programmers are being forced to spend so much time writing quick and dirty garbage to get them past the next sprint that, in order to have a job writing good clean code, they have to go black hat.

    1. Re:It would be ironic by DigiShaman · · Score: 2

      Regardless of the zeitgeist of how ruthless the IT industry intrinsically is, we're all held accountable to our own actions. If you go black hat, nothing *made* you do it. The correct response would be to find another occupation entirely; even if that means digging ditches.

      --
      Life is not for the lazy.
    2. Re:It would be ironic by MarkvW · · Score: 1

      Good luck trying to project that moral reasoning onto others.

    3. Re:It would be ironic by dilvish_the_damned · · Score: 1

      Yes, Sartre, we are fully aware that we can always choose to kill ourselves.

      Or less hyperbolistically, we can always choose a worse path, like spending another 4 years and the retirement savings to get schooled in a job that pays half as much. Anyone can do that. Show me a better choice.

      I can only surmise that you were not speaking to the morality of the choice and by worse you mean less profitable, and by better you mean more profitable.

      So as asked, this may be an option that does not require 4 years, a retirement account, and likely will pay better than half as much. You won't even be forced to write high grade malicious code. By some accounts this could be a better choice.

      I don't know who makes these decisions for you, but they may force you to attend WGU depending on how much you're making now. Or perhaps you make these choices yourself and this was just hyperbole?

      --
      I think you underestimate just how much I just don't care.
  10. Re:C != high level by Anonymous Coward · · Score: 1

    Since it wasn't machine code or assembly language: anything that needs a compiler is, by definition, a high-level language.

    Interpreted languages and intermediary languages don't rank on this scale at all. They're far above the definition of high-level.

    Seriously, doesn't anybody teach this stuff in Introduction to Computer Shit 101 anymore?

  11. Re:What's Unusual? by bjb_admin · · Score: 1

    I have a name for them, Google search programmers.

  12. Re:why is this news? by Hognoxious · · Score: 1

    I don't know, but earlier today they'd discovered that an old mechanical computer is in fact a mechanical computer and it's probably quite old.

    --
    Confucius say, "Find worm in apple - bad. Find half a worm - worse."
  13. Gun analogy by Dareth · · Score: 1

    C is a high level language, like a 9 mm handgun round is high velocity ammunition.

    --
    I only look human.
    My mother is a halfling and my dad is an ogre, so that makes me an Ogreling
    1. Re:Gun analogy by ColdWetDog · · Score: 3, Funny

      Sure, but they both hurt like hell when you shoot yourself in the foot with them.

      --
      Faster! Faster! Faster would be better!
  14. Some people still contrast HLL with assembly by tepples · · Score: 1

    Until you find an emulator developer who complains that the emulator in a Nintendo product "is incredibly inefficient, written in HLL code, developed by somebody whom knew nothing about emulation nor about ARM nor about Z80/8080 processors." (This refers to C, as early C compilers targeting this product generated inefficient code.) Also a reset mechanism in Nintendo DS hardware "allows the NDS7 debugger to capture accidental jumps to address 0, that appears to be a common problem with HLL-programmers, asm-coders know that (and why) they should not jump to 0."

    1. Re:Some people still contrast HLL with assembly by angel'o'sphere · · Score: 1

      there is nothing wrong in jumping to $0000 if there is code to execute ... no idea what you want to say with your assembly print outs on that web page, though.

      --
      Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
    2. Re:Some people still contrast HLL with assembly by MountainLogic · · Score: 1

      Who bothers with emulators? I just transcompile the GameBoy code by parsing the machine code into C and then compiling the parsed output on the target hardware with a native C compiler. Much more efficient (10x) over emulators.

  15. Redundant: POS Malware by sconeu · · Score: 2

    By definition, if it's malware, it's a POS. Even if it's written well.

    --
    General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
    1. Re:Redundant: POS Malware by angel'o'sphere · · Score: 1

      POS used to mean "point of sales", what does it mean now?

      --
      Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
    2. Re:Redundant: POS Malware by sconeu · · Score: 1

      Piece of Shit

      --
      General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
    3. Re:Redundant: POS Malware by Anonymous Coward · · Score: 1

      And I dare say it's meant Piece of Shit for much longer than it meant Point of Sale.

    4. Re:Redundant: POS Malware by angel'o'sphere · · Score: 1

      Ah, rofl, thanx.

      --
      Cost free eBook I read (by iBook/Kobo/Amazon/ObookO/Gutenberg etc.): "The Green Odyssey" by Philip Jose Farmer.
  16. Apparently It's A Non-story by Anonymous Coward · · Score: 1

    Since this malware was such a POS, it did no damage.

  17. Re:POS is for cows. by ColdWetDog · · Score: 1

    Do you mind going back to posting in the Federal Register where your comment makes some sense?

    --
    Faster! Faster! Faster would be better!
  18. Re:What's Unusual? by plover · · Score: 1

    This new piece of malware shows sophistication of design, but that's not unheard of. Older malware was often customized by compile time switches and definitions; this just abstracts some of that away.

    Many people (i.e. journalists and managers) think of malware authors as pimple-faced script kiddies hacking in their mothers' basements. They think that large, well-designed projects require teams of skilled developers who would only do so for a fat paycheck.

    What's happened now is that vulnerabilities are so profitable that the threat landscape is no longer the exclusive domain of the single hacker - criminal gangs want a piece of it. They can afford to pay team salaries to engineer a solution.

    And malware authors have learned to avoid the biggest risks of getting caught. In the old days a virus writer would also be the distributor. Modern authors get paid by selling their exploit code, along with customization and support contracts, to gangs of attackers. The attackers take on the risks, the developers collect fat checks. In some cases of vertical attacks (ATM skimmers for example), the "owner" of the malware uses cryptography to encrypt the skimmed data, preventing the low-level attackers from profiting from the stolen data. The profits go to the top first, and the paychecks cascade down (assuming honor among thieves.)

    So what's newsworthy here is that they believe this malware to be further evidence of a new breed of well organized criminal software developers.

    --
    John
  19. Sophisticated malware platform .. by nickweller · · Score: 1

    What Operating system does this sophisticated malware platform run on?

    1. Re:Sophisticated malware platform .. by AHuxley · · Score: 1

      The idea seems to be hinted at in https://thestack.com/security/...
      "even EMV/Chip-and-pin are unlikely to protect affected systems. In such cases, the report says ‘ModPOS and other malware with RAM scraping techniques can still gain access to card data. Criminals can then reuse card data, even from EMV cards, to make online (card-not-present) transactions.’"

      --
      Domestic spying is now "Benign Information Gathering"
    2. Re:Sophisticated malware platform .. by Dutch+Gun · · Score: 1

      Given the use of .pdb files they mentioned, which is an MS-specific debug symbol format (as far as I know), it suggests the use of Visual Studio, and that in turn suggests the code is possibly targeting embedded Windows.

      Just a guess, of course.

      --
      Irony: Agile development has too much inertia to be abandoned now.
    3. Re:Sophisticated malware platform .. by nickweller · · Score: 1

      You most probably guessed right, if it was OS X, Android or Linux it would be in the headline, instead of the weaselly sounding POS malware.

  20. Bad code in any language by edtice1559 · · Score: 1

    Just shows that if you don't have the skills, code you write even in C# will still be a POS. Oh wait.

  21. Re:I know there are no editors here, but... by konohitowa · · Score: 1

    No. In his English he is capable of comprehending the use of the indefinite article. Hint: it's not necessary in that particular instance. Apparently your an English has a different rules.

  23. Re:What's Unusual? by rtb61 · · Score: 1

    However, standard practice for skilled computer criminals is to release their programs to script kiddies, so that the many script kiddie attacks will help to obfuscate and hide the organised crime attacks.

    This would seem to indicate that programs that contain encrypted elements might well have to be banned, as it will make it much easier for security programs to simply block the installation of all programs that contain encrypted elements that the user is blocked from checking with a security program.

    --
    Chaos - everything, everywhere, everywhen
  24. Re:names are stripped by phantomfive · · Score: 1

    You can strip a lot of that stuff out, but you'd be surprised how many people don't bother. The function names for shared libraries won't be stripped out, though, and shared libraries get called a lot in typical software.

    --
    "First they came for the slanderers and i said nothing."
  25. Pos? by barbariccow · · Score: 1

    Somebody coded another piece of shit malware?