Page 1: Point of Sale (POS) Malware: Easy to Spot, Hard to Stop

Point of Sale (POS) Malware

Easy to Spot, Hard to Stop

Darian Lewis Sr. Threat Researcher

Managed Security Services, Symantec


Contents

Introduction ........................ 3
Evolving POS Malware ................ 3
Common POS Malware .................. 4
    Alina ........................... 6
    BlackPOS ........................ 6
    VSkimmer ........................ 7
Breaching the Perimeter ............. 8
Mitigation and Best Practices ....... 9
Detection ........................... 10
References .......................... 11


SYMANTEC MSS

Introduction

Most organizations worry that they will be the next company showing up on the evening news as the “worst data breach ever.” The real question isn’t whether you will be breached, but when, and whether you will know it happened before you read about it in the press along with your customers.

The cost of the breach is far more than lost revenue that has to be recovered; the real loss is in customer trust and loyalty.

Mistakes made by people and systems are the main causes of data breaches. Together, human errors and system problems account for 64 percent of data breaches.[1]

This whitepaper takes an in-depth look at:

• The evolution of Point-Of-Sale (POS) malware
• How attackers breach the organization
• What should be done to mitigate breach losses
• How to proactively detect POS malware

Evolving POS Malware

Although the earliest POS malware is still in use and still effective, new POS malware continues to be written, and the oldest families are receiving updates that add new evasion technology.

A POS compromise normally begins when a Trojan or downloader gets onto a system inside the organization. That is not a tall order, considering the number of new infections of Gameover Zeus, a peer-to-peer variant of the Zeus malware that has been around since 2007.

All it takes is an email with a poisoned attachment, a link to a drive-by download, a watering hole attack on a popular news site or even poisoned ads in a widely used, trusted ad network. Any network that can come into contact with the POS terminal network is a perfect entry point for delivering POS malware. Gameover Zeus, Bugat or Citadel are used to take over accounts and deliver key loggers and other malware that obtain even the best passwords and allow attackers to move laterally across the network. Lateral movement within the network, compromising hosts along the way, lets the attackers reach their end goal: access to POS terminals. The POS malware then does what it was designed to do, capture the track information from the magnetic stripe on credit and debit cards.

With the payment system encrypted nearly end-to-end, one may ask how criminals obtain the credit and debit card track information. They take it at the weakest point in the system, where it sits unencrypted in memory: the malware scrapes the credit or debit card magnetic stripe track data, “the first step in the identity theft chain,” from process memory. The legitimate track data is then re-encrypted and sent on to the local transaction server or payment processor as normal. The identity theft chain continues with money drained from accounts, stolen card information sold online, and new cards, produced with inexpensive hardware obtained online, encoded with the stolen information.


Common POS Malware

The common goal of most POS malware is to locate, extract and exfiltrate stolen credit card information as quickly and covertly as possible. While some design details separate one variant from another, most malware can be identified easily. In order to illustrate the scope of the problem, below is a representative list of some known POS malware and the AV signatures by which the malware will be detected using Symantec Antivirus:

• Alina (Infostealer.Alina) – Process memory dumper that looks for credit card information. Uses simple HTTP for data exfiltration and command and control (C2) purposes.

• Backoff (Trojan.Backoff) – Memory scraper and key logger, designed to extract credit card information. C2 accomplished via HTTP POST, while exfiltration is via encrypted HTTP POST.

• BlackPOS (Infostealer.Reedum) – Credit card seeking memory scraper. Exfiltration of stolen data via FTP.

• BrutPOS (Trojan.Bruterdep) – Brute force of RDP to gain access to credit card information. C2 via HTTP POST and stolen data exfiltration via FTP.

• ChewBacca (Infostealer.Frysna) – Key logger and memory scraper seeking credit card numbers. Uses The Onion Router (TOR) for C2. Also known as FYSNA.

• Decebal (Infostealer.Decebal) – Memory scraping functionality looking for credit card information. C2 via HTTP POST. Basic stolen data encoding and upload via HTTP.

• Dexter (Infostealer.Dexter) – Memory dumper for specific POS software that seeks credit card information. Exfiltration and C2 accomplished via HTTP.

• GetMyPass (Infostealer.Getmypos) – Process dumper seeking credit card info. No exfiltration or C2 functionality; requires previously established control of infected system.

• JackPOS (Infostealer.Jackpos) – Memory scraper seeking credit card numbers. Exfiltration via base64 encoded HTTP POST and simple C2.

• LusyPOS (often detected as Infostealer.Dexter) – Credit card information memory scraper. Uses The Onion Router (TOR) for C2 and exfiltration.

• NewPoSThings (vendor write-up) – Memory scraper for credit card information and VNC password location. Encrypted data exfiltration and C2 accomplished via HTTP POST.

• RawPOS (Infostealer.Rawpos) – Memory scraper for credit card numbers in system processes.

• Rdasrv (Infostealer.Posscrape) – Harvests credit card information from memory. Relies on existing remote access for exfiltration.

• Soraya (vendor write-up) – Memory scraper and HTTP form grabber that seeks credit card data. Checks in with a hardcoded C2 server and exfiltrates every 5 minutes.

• vSkimmer (Infostealer.Vskim) – Memory scraper looking for credit card numbers. Exfiltration and C2 accomplished via HTTP or USB.


Symantec Tracks Known Threats As They Evolve and Appear… …While also Identifying and Nullifying the Increasing Proliferation of New Threats.

[Figure: malware discovery timeline, 2009–2015. Axis: Malware Discovery Date. The observed and AV detection dates shown on the timeline are reproduced below; a dash means the figure gave no date.]

Malware               Observed    AV Detection
RawPOS                2.10.13     2.18.14
Rdasrv                -           6.6.14
BrutPOS               3.1.14      3.12.14
BlackPOS v2           8.29.14     12.19.13
JackPOS               2.1.14      2.8.14
Backoff               3.20.14     7.31.14
LusyPOS               12.1.14     12.12.12
GetMyPass             11.26.14    11.27.14
Soraya                6.1.14      6.4.14
Alina (Kaptoxa)       -           2.10.13
Dexter                12.11.13    12.12.12
vSkimmer              3.21.13     1.26.13
Decebal               1.3.114     9.11.14
NewPoSThings          9.4.14      -
BlackPOS (Kaptoxa)    -           3.29.13
ChewBacca             10.1.13     12.18.13


Alina

Dozens of variants of Alina have been seen in the wild. Alina is an older malware, developed in early 2012 but still showing signs of active development. It contacts its C2 right after it is installed, and can be detected by looking for a missing parenthesis in the User-Agent string, a minor but noticeable pattern. The C2 server also answers with an HTTP response code of “666” where a normal server would return “200.” This return code is user-editable in the malware configuration, though, and may produce false positives if used as the only indicator. The good news is that not many criminals who buy this malware bother to change it.

Like many of the malware families discussed in additional detail in this whitepaper, Alina searches running processes for credit card Track 1 and Track 2 data, then uses HTTP to exfiltrate the stolen data and to fetch updates to itself. Several of the C2 servers it communicates with are shared with the JackPOS malware, linking the two families in a way that is not yet fully understood.

Researchers have reported a number of references to an active bitcoin wallet address.[2] The wallet address has been active since August 2013, although it doesn’t appear to have been actively used during the lifetime of this malware.

BlackPOS

BlackPOS malware attempts to steal the Track 1 or Track 2 formatted data stored on a credit card’s magnetic stripe, as most POS malware does. This information is first sent to another compromised server within the organization. This is done for evasion and because POS systems almost never have, nor should they have, direct Internet access. Once the data has been accumulated on that staging server, it is exfiltrated to a C2 server, usually a “forum post” receiver PHP application, using RC4 encryption over HTTP. A commonly observed RC4 key of “B0tswanaRul3z” has been seen in many samples. The malware updates itself from this server as well.

Criminals make the malware as easy to use as possible, even building full-featured admin panels, as shown in Figure 1 for BlackPOS.

Figure 1: BlackPOS admin panel (Source: Group-IB)[3]


VSkimmer

VSkimmer has been around for some time, appearing to have been written in 2012 and discovered in March 2013, when criminals advertised it for sale on web forums. As with many POS malware families, VSkimmer looks for Track 2 formatted data in the memory of running processes, matching a specific pattern: ‘\;?[3-9]{1}[0-9]{12,19}[D=\u0061][0-9]{10-30}\?? ‘. This malware family uses HTTP to exfiltrate its stolen data and can be configured to copy data to a USB device with a pre-defined volume name if no Internet connection is available. The connections to its C2 are easy to see on the network, in the form http://{ip address}/admin/api/process.php?xy= followed by a Base64 encoded string containing ‘|az|#.#.#|#.#.#|text|text|0’.

Just as with BlackPOS, vSkimmer has an easy-to-use command interface, as shown in Figures 2 and 3. This keeps the barrier to entry for criminals low and lets criminals with less skill still succeed at stealing credit and debit card information.

Figure 2: VSkimmer bot control panel (Source: McAfee)[4]

Figure 3: VSkimmer terminal browser (Source: McAfee)[4]
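As an added example that is not part of the original whitepaper, the Python script below turns the network indicators described in the Alina and VSkimmer sections (the missing parenthesis in Alina's User-Agent, the “666” response code, and VSkimmer's /admin/api/process.php?xy= check-in with its Base64-encoded ‘|az|…’ string) into a detector run over a few constructed proxy log records. The tab-separated log format, the sample hosts and the beacon contents are assumptions for the demonstration, not data from the paper.

```python
import base64
import re

# Indicators quoted from the whitepaper (log format below is constructed):
#  * VSkimmer check-in: http://{ip}/admin/api/process.php?xy=<Base64>, where the
#    decoded string has the shape '|az|#.#.#|#.#.#|text|text|0'
#  * Alina: a User-Agent with a missing parenthesis, plus an HTTP response code
#    of 666 where a normal server would answer 200 (weak when used alone)
VSKIMMER_URL = re.compile(r"/admin/api/process\.php\?xy=([A-Za-z0-9+/=]+)")
VSKIMMER_BEACON = re.compile(r"\|az\|\d+\.\d+\.\d+\|\d+\.\d+\.\d+\|[^|]+\|[^|]+\|0$")


def decode_xy(param):
    """Decode the xy= value; return '' if it is not valid Base64."""
    try:
        return base64.b64decode(param, validate=True).decode("ascii", "replace")
    except ValueError:  # binascii.Error is a subclass of ValueError
        return ""


def unbalanced_parens(user_agent):
    """Alina's hallmark: '(' and ')' do not pair up in the User-Agent."""
    return user_agent.count("(") != user_agent.count(")")


def analyze(lines):
    """Scan tab-separated proxy records: src, dst, method, url, status, user_agent."""
    findings = []
    for line in lines:
        src, dst, _method, url, status, ua = line.rstrip("\n").split("\t")
        m = VSKIMMER_URL.search(url)
        if m and VSKIMMER_BEACON.search(decode_xy(m.group(1))):
            findings.append({"family": "vSkimmer", "src": src, "dst": dst,
                             "confidence": "high", "why": "check-in URL + beacon"})
            continue
        reasons = []
        if unbalanced_parens(ua):
            reasons.append("unbalanced User-Agent")
        if status == "666":
            reasons.append("HTTP 666 response")
        if reasons:  # both indicators together are far stronger than 666 alone
            findings.append({"family": "Alina", "src": src, "dst": dst,
                             "confidence": "high" if len(reasons) == 2 else "low",
                             "why": " + ".join(reasons)})
    return findings


# Constructed sample records (hypothetical hosts, not from the paper); the beacon
# is Base64-encoded here so the VSkimmer line carries a realistic xy= value.
_BEACON = base64.b64encode(b"LANE03|az|1.0.2|6.1.7601|WORKGROUP|cashier|0").decode()
SAMPLE_LOG = [
    "10.1.5.20\t93.184.216.34\tGET\thttp://example.com/index.html\t200\t"
    "Mozilla/5.0 (Windows NT 6.1; WOW64) Firefox/30.0",
    "10.1.5.21\t198.51.100.7\tGET\thttp://198.51.100.7/admin/api/process.php?xy="
    + _BEACON + "\t200\tMozilla/4.0",
    "10.1.5.22\t203.0.113.9\tPOST\thttp://203.0.113.9/gate.php\t666\t"
    "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1",
    "10.1.5.23\t93.184.216.34\tGET\thttp://example.com/app\t666\t"
    "Mozilla/5.0 (Windows NT 6.1) Chrome/35.0",
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

The fourth record shows why the paper warns against relying on the 666 code alone: it is flagged only at low confidence, while the third record, which carries both Alina indicators, is flagged at high confidence.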


Breaching the Perimeter

Malware that targets POS systems relies on many of the same highly effective infection vectors and techniques as typical generic malware. Many POS systems are built on widely available commercial operating systems and standard hardware platforms, which simplifies the development and distribution of POS malware. Easy-to-use interfaces and the ability to quickly purchase the malware online mean a low barrier to entry for criminals.

The following represent some of the most common infection vectors facing retailers using POS systems today:

Phishing Email – One of the most prevalent methods of malware distribution and attack orchestration facing individuals and businesses alike, phishing emails prey on the human factor and deliver excellent results for attackers. By offering an enticing lure, users are tricked into clicking a link or opening an attachment, resulting in the compromise of the host computer. Even POS systems without Internet or email functionality are at risk of a phishing compromise through their proximity to more Internet-accessible, infected desktop PCs and servers.

Remote Access Abuse – Another method of infiltration into the retail setting relies on the abuse of legitimate remote access services already in place. Many POS systems employ remote desktop and remote administration solutions designed to simplify management. Once such services are discovered on an organization’s network, attackers often use default or weak credentials to access the POS systems. Such credentials can also be stolen from other infected machines or businesses, including the POS hardware vendors and contractors employed by a retailer.

Unpatched or Outdated Software Exploitation – POS systems that aren’t regularly patched or are used beyond obsolescence pose a major risk of infection. Attackers routinely scan for vulnerabilities and misconfigurations, both directly from the Internet and from elsewhere in a compromised organization. Once discovered, such gaps are exploited to deliver malware to endpoint systems.

Once POS malware is delivered, it rarely works alone; it is usually found in combination with exfiltration malware, because POS systems are rarely exposed to the Internet directly and criminals need help moving the stolen data out. Expecting two or more malware infections to occur together gives defenders twice the opportunity to discover POS malware.


Mitigation and Best Practices

Defending against POS malware is a complex, multi-faceted process. Steps can be taken at almost every level of an organization to minimize the chances of initial infection, malware lateral spread and sensitive data exfiltration. The mitigation techniques below are a collection of best practices that will assist in securing a business against a POS malware infection and the resulting breach.

Mitigation Techniques

• Harden remote accessibility on POS systems – Proper credential management (implementation of least privilege), disuse of factory default passwords on POS devices, general password complexity requirements, disabling of remote access services where possible and limitation of visibility to remote access interfaces/ports.

• Implement endpoint security software and secure configurations – Employ antivirus software and, where applicable, apply application whitelisting. This may catch known malware samples, stop suspicious behavior and prevent unauthorized applications from executing on a POS system. Systems should also be configured in a manner appropriate for their roles, including the disabling of operating system functionality not appropriate for a POS device (e.g., autorun, unapproved USB devices, startup/registry modifications, etc.).

• Train POS system users and limit activity – Systems responsible for the collection of customer financial data should be used only for the intended function; users of these systems should not have Internet access, the ability to read email or a way to execute downloaded programs. Corporate compliance requirements and information security policies should be strictly adhered to on POS systems.

• Ensure effective monitoring of all portions of the network – In the event of an attack or compromise, the ability to monitor the attack and provide quick incident response will limit sensitive data leakage. Including both POS systems and the surrounding infrastructure in monitoring is crucial.

• Employ proper network segmentation and filtering – POS system networks should be segregated from other portions of the network, with the intent to limit exposure to both the Internet and unrelated systems. Data loss prevention filtering may also prevent data from being exfiltrated from an organization.

• Comply with PCI requirements and security best practices – All customer financial data should be handled according to compliance standards. All sensitive data should be encrypted and sent securely between approved systems.

• Keep equipment and payment technology up to date – Obsolete and end-of-life POS equipment should be retired in favor of modern systems with vendor support (i.e., new payment technologies with additional security measures).

“A global Symantec study shows that a majority of employees think it is acceptable to transfer corporate data outside the company and they never delete the data, leaving it vulnerable to data leaks. This illustrates the large extent to which insiders contribute to data breaches and how costly that loss can be to organizations.”[5]

– Symantec, Feb. 6, 2013


Detection

Detecting POS malware is accomplished in much the same way as detecting traditional malware on desktop and server systems. However, POS systems face unique challenges when it comes to the security tools available to them. Securing computers and networks is usually accomplished with antivirus, perimeter security devices and monitoring teams, but many POS systems don’t receive the same level of scrutiny, which leads to exploitation and eventual infection.

General Detection Mechanisms for POS Systems

• Endpoint antivirus software that is sensitive to suspicious applications and known malware samples may prevent or complicate infection by an attacker. Such software may block the activity and report it to a central security system.

• Network traffic monitoring may highlight brute force access attempts, remote access sessions, C2 communications and data exfiltration via anomaly detection. POS systems should be included in monitored network segments and protected by the same devices in place for more traditional systems.

Symantec™ Cyber Security Services: Managed Security Services (MSS) Detection

• Symantec consumes security intelligence on a wide variety of threats from numerous internal and external locations, sensors and partners around the world. When new POS malware is discovered, detection is implemented quickly both on endpoint products and through the MSS service.

• All available indicators of compromise involving POS malware are implemented and alerted on for all affected customers. In many cases, historical searches of stored log data (up to 92 days) are performed to discover previously unknown malware activity.

• POS malware signatures released from vendors supported by Symantec MSS are automatically loaded into our system and used to generate incidents. Such detection varies by security device vendor, but is used as often as possible to enhance MSS coverage.

• All malware families listed in this report are represented in current MSS signature sets. They are updated constantly as new malware samples and attack infrastructure are discovered. As these malware variants and their creators evolve, both Symantec and other security vendors continuously release new indicators of compromise.


References

[1] Ponemon and Symantec Find Most Data Breaches Caused by Human and System Errors. http://www.symantec.com/about/news/release/article.jsp?prid=20130605_01

[2] Into the Light of Day: Uncovering Ongoing and Historical Point of Sale Malware and Attack Campaigns. http://pages.arbornetworks.com/rs/arbor/images/Uncovering_PoS_Malware.pdf

[3] Exclusive – Details on Investigation of Group-IB on New Age of POS Malware. http://www.group-ib.com/index.php/o-kompanii/176-news/?view=article&id=716

[4] VSkimmer Botnet Targets Credit Card Payment Terminals. http://blogs.mcafee.com/mcafee-labs/vskimmer-botnet-targets-credit-card-payment-terminals

[5] Symantec Study Shows Employees Steal Corporate Data and Don’t Believe It’s Wrong. http://www.symantec.com/about/news/release/article.jsp?prid=20130206_01


SYMANTEC Managed Security Services

About Symantec

Symantec Corporation (NASDAQ: SYMC) is an information protection expert that helps people, businesses and governments seeking the freedom to unlock the opportunities technology brings – anytime, anywhere. Founded in April 1982, Symantec, a Fortune 500 company operating one of the largest global data-intelligence networks, has provided leading security, backup and availability solutions for where vital information is stored, accessed and shared. The company’s more than 20,000 employees reside in more than 50 countries. Ninety-nine percent of Fortune 500 companies are Symantec customers. In fiscal 2014, it recorded revenues of $6.7 billion.

To learn more go to www.symantec.com/managed-security-services/ or connect with Symantec at: https://twitter.com/symantecmss.

Any technical information that is made available by Symantec Corporation is the copyrighted work of Symantec Corporation and is owned by Symantec Corporation.

NO WARRANTY. The technical information is being delivered to you as is and Symantec Corporation makes no warranty as to its accuracy or use. Any use of the technical documentation or the information contained herein is at the risk of the user. Documentation may include technical or other inaccuracies or typographical errors. Symantec reserves the right to make changes without prior notice.

For specific country offices and contact numbers, please visit our website.

Symantec World Headquarters
350 Ellis St.
Mountain View, CA 94043 USA
+1 (650) 527-8000
1 (800) 721-3934

Copyright © 2015 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo, and the Checkmark Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.


Visit our blog: http://www.symantec.com/connect/symantec-blogs/cyber-security-services
