How it operates:
- It scans the process list of an infected system and looks for Point-Of-Sale software.
- It scans the memory segments of the POS software and pulls out the credit card data.
- Communicates data back to a C&C server.
- Looks like its targets Windows systems, including Window Server systems.
- 50% of the infected systems are Windows XP
- Most targets are in western countries.
- How a system gets infected is still unknown.
SpiderLabs has a great analysis of how the C&C communication actually works. The credit card data and other information is base-64 encoded and XOR encrypted and sent to the C&C server. It looks like there are several domain names involved as the C&C servers. The server sends back instructions, again base-64 encoded and XOR encrypted, in a cookie.
Volatile Labs had a list of domain names that the program uses. They're just .com names of random jibberish, and they can probably change frequently. But look out for domains like this going through your firewall:
- 11e2540739d7fbea1ab8f9aa7a107648.com
- 7186343a80c6fa32811804d23765cda4.com
- e7dce8e4671f8f03a040d08bb08ec07a.com
- e7bc2d0fceee1bdfd691a80c783173b4.com
- 815ad1c058df1b7ba9c0998e2aa8a7b4.com
- 67b3dba8bc6778101892eb77249db32e.com
- fabcaa97871555b68aa095335975e613.com
Here are the original Seculert posting and some additional research from Trustwave SpiderLabs and Volatile Labs.
No comments:
Post a Comment