Security researchers recently announced the discovery of a new strain of malware, dubbed “Dexter,” which has infected hundreds of point-of-sale (POS) systems in the past few months. In a blog post identifying the malware, researchers from security firm Seculert noted that targets include major retailers, hotels and restaurants.
While many cybercriminal tactics against POS systems rely on physically installed skimmers or, as The Register noted, on remote desktop exploits to grab screenshots of POS displays, Dexter takes a different approach. According to Seculert, Dexter enumerates the process list on an infected terminal and parses memory dumps of POS-specific software processes for Track 1 and Track 2 data, the magnetic-stripe contents that a POS application holds in cleartext in memory while it processes a swipe.
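To make the memory-parsing step concrete, the following is an added example (not Dexter's code and not from Seculert) that does what the paragraph describes: it scans a byte buffer standing in for a process memory dump, matches the ISO 7813 Track 1 and Track 2 layouts, and discards false positives with a Luhn check on the primary account number (PAN). The buffer, the cardholder name and the discretionary data are constructed; the PAN 4111111111111111 is a well-known test number, not a real card.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Magnetic-stripe layouts (ISO/IEC 7813). Track 1: '%' sentinel, format code
# 'B', PAN, '^', name, '^', expiry YYMM, 3-digit service code, discretionary
# data, '?' end sentinel. Track 2: ';' sentinel, PAN, '=', expiry YYMM,
# service code, discretionary data, '?'. Both are ASCII, so the regexes run
# directly over raw memory bytes.
TRACK1_RE = re.compile(
    rb"%B(\d{13,19})\^([A-Z /.'-]{2,26})\^(\d{4})(\d{3})([^?]{0,100})\?"
)
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})([^?]{0,100})\?")


def luhn_ok(pan: str) -> bool:
    """Return True if the PAN passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class TrackHit:
    track: int       # 1 or 2
    offset: int      # byte offset of the sentinel in the dump
    pan: str
    expiry: str      # YYMM as printed on the stripe


def scan_memory(buf: bytes) -> list[TrackHit]:
    """Find Track 1 / Track 2 records in a memory image.

    Regex hits whose PAN fails Luhn are dropped: random digit runs in a
    large dump match the layout surprisingly often, and a scraper (or a
    defender confirming exposure) only cares about plausible card numbers.
    """
    hits: list[TrackHit] = []
    for m in TRACK1_RE.finditer(buf):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            hits.append(TrackHit(1, m.start(), pan, m.group(3).decode()))
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            hits.append(TrackHit(2, m.start(), pan, m.group(2).decode()))
    hits.sort(key=lambda h: h.offset)
    return hits


def mask_pan(pan: str) -> str:
    """Keep the BIN and last four digits, as a report or log line should."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


# Constructed stand-in for a dump of a POS process: padding, one Track 1
# record, a few stray bytes, one Track 2 record, and a decoy Track 2 record
# whose PAN fails Luhn.
SAMPLE_MEMORY = (
    b"\x00" * 64
    + b"%B4111111111111111^DOE/JOHN^25121010000000000?"
    + b"\x00AB"
    + b";4111111111111111=25121010000000000?"
    + b";1234567890123456=2512101?"
)

if __name__ == "__main__":
    for hit in scan_memory(SAMPLE_MEMORY):
        print(f"track {hit.track} at offset {hit.offset}: "
              f"PAN {mask_pan(hit.pan)} exp {hit.expiry}")
```

The same scan, pointed at a real process dump of a POS application, is a useful defensive check: if it returns hits, cleartext track data is resident in that process and a RAM scraper like Dexter would find it too.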
In a post on the Trustwave SpiderLabs blog, researcher Josh Grunzweig explained that the particularly unusual aspect of Dexter is its command and control (C2) structure: the malware reports to a remote host over HTTP using encoded POST requests, and it carries as many as seven different hardcoded C2 domains. According to researchers from Verizon, some samples also contain an IP address and path with a history of malicious activity. Of the seven hardcoded domains, six resolve to an IP address that also hosts domains used by the Zeus and Vobfus malware. The seventh, according to Verizon, appears to be registered to a freelance coder in the Russian Federation.
Questions remain regarding not only the origins of Dexter but also how it is delivered. Seculert found that 51 percent of the targeted systems were running Windows XP. More than 30 percent were running Windows Server, which is unusual for the typical drive-by-download and web-based social engineering methods of infection, Seculert noted, since servers are rarely used for browsing or e-mail.
“Normally, this stuff is installed directly,” Trustwave research manager John Miller told the Ottawa Citizen. “It’s not something that will spread around the world like Code Red. We can’t say for certain what happened in the Dexter case.”
Miller added that outdated, unpatched operating systems or poor security practices could have contributed to the spread of Dexter. With the infection vector still unknown, payment processing technology vendors may want to evaluate their own coding processes and look for ways to strengthen software security at the development level. Tools such as static source code analysis can help programmers identify vulnerabilities in POS software before they are exploited. Such analysis will not by itself stop a memory scraper, but it can flag code that keeps cleartext track data in memory longer than necessary or copies it into buffers that are never cleared, which is exactly what Dexter depends on.
Software news brought to you by Klocwork Inc., dedicated to helping software developers create better code with every keystroke.