Researchers Find New Pos Malware Written in VBScript

The malware can read card data from the memory of point-of-sale systems, a technique increasingly used by cybercriminals

By Lucian Constantin
Fri, January 17, 2014

IDG News Service — In the wake of a large-scale attack on point-of-sale (PoS) systems at retailer Target, new malware designed to steal payment card data from the sales systems was released earlier this month.

Security researchers from cybercrime intelligence firm IntelCrawler identified a PoS RAM (random access memory) scraping program dubbed Decebal that they believe was released on Jan. 3. The release shows that cybercriminals are increasingly interested in launching this type of attack.

The malware is written in VBScript (Visual Basic Scripting) in less than 400 lines of code. Despite looking fairly unsophisticated it can grab track 2 data -- data encrypted on the magnetic stripe of credit or debit cards -- from PoS memory and even contains routines to evade malware analysis tools, like antivirus sandboxes and virtual machines.

The use of a scripting language to create malware is not unusual in general, but is highly uncommon for this particular type of threat. Andrey Komarov, the CEO of IntelCrawler, said that this is the first time he's seen PoS malware written in VBScript.

Using this language does provide some benefits, like portability, as it works by default in all Windows versions since Windows 98 and doesn't require a separate interpreter. Many PoS systems run a version of Windows Embedded.

VBScript is also commonly used by Windows system administrators to automate different tasks and can be called by other scripts and programs, which could make this particular malware inconspicuous, Komarov said.

Decebal sends the stolen card data to a command-and-control server, particularly to a single 44-line PHP script running on a Web server that sorts the information and stores it.

Various text strings found in the malware code suggest its authors are likely Romanian, the IntelCrawler researchers said in a blog post. The name chosen by its creators also points in this direction, Decebal being the Romanian name of Dacian king Decebalus, an important figure in Romanian history.

Bogdan Botezatu, a senior e-threat analyst at Romanian antivirus firm Bitdefender, agreed with IntelCrawler's assessment of the malware's origins. "Most of the strings, functions and variable names are clearly Romanian words so chances are that the malware has been written by a Romanian citizen," he said Friday via email.

There were at least four separate strains of PoS RAM scraping malware developed in the past year, Botezatu said. "This shows a pattern, and we expect that cybercriminals will continue to use them as long as they work."

The Target data breach, which resulted in the compromise of 40 million credit and debit cards, involved malware being installed on PoS terminals. A separate credit card breach was confirmed last week at high-end retailer Neiman Marcus and there are reports of other, as yet undisclosed, retailers being compromised in a similar way.

Continue Reading

Our Commenting Policies