Friday, 25 January 2013

vSkimmer, Another POS malware

When I viewed this post, the content had already been removed and the member banned.

vSkimmer - Virtual Skimmer

Functions:
- Track 2 grabber
- HTTP Loader (Download & Execute)
- Update bot itself

Working Modes:
- Online: If the internet is reachable it will try to bypass firewalls and communicate with the control panel.
- Offline: If the internet is not reachable it waits for a specific pendrive/flashdrive to be plugged in and copies the logs to it.

Server coded in PHP (can be modified on request to send logs to remote server, via smtp, etc.. )
Client coded in C++ no dependencies, 66kb, cryptable. (can be customized)


The malware checks for the presence of a debugger:

Get PC details (OS, computer name, a GUID to identify the machine in the POS botnet, etc.):

Check whether the file is executed from %APPDATA%; if not, add registry persistence and a firewall rule, make a copy and execute the copy:

Detail of the registry persistence:

Firewall rule to allow the malware:

Create a mutex, thread and get host information:

Check for processes:

Some are whitelisted: "System", smss.exe, csrss.exe, winlogon.exe, services.exe, lsass.exe, svchost.exe, spoolsv.exe, wscntfy.exe, alg.exe, mscorsvw.exe, ctfmon.exe, explorer.exe:

And when finally a process is found:

Read the process memory and search for the pattern:

If nothing found:

Get the info, Base64-encode it and call the gate via a GET request:

Answer:
• dns: 1 ›› ip: 31.31.196.44 - adresse: WWW.POSTERMINALWORLD.LA

Parse the answer:

The answer is reduced to its first three letters and compared with 'dlx' (Download & Execute) and 'upd' (Update); if one of these is found, it means the bad guys have sent us an order.

For example dlx:

The order is executed and a response is sent to the server:

The part I love about POS malware:

Or just a simple ";1234567891234567=12345678912345678900?" in a txt file, but it's more gangsta to swipe a card.
So the algorithm detects the pattern, the Track 2 data is encoded to base64

And sent to the panel:
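The detection side of what is described above, as an added example (this is not code from the post, nor the malware's own routine): a scanner for the Track 2 layout the post quotes (';PAN=YYMMSSS…?'), with a Luhn check to tell a real PAN from a random digit run, run over a raw byte buffer such as a memory dump or a file, and over a constructed proxy log line carrying the base64-encoded form the post says is sent to the panel. The sample buffer and log line are constructed; the gate path '/gate.php' and the 'data' parameter are assumed names, since the page does not give them.

```python
import base64
import binascii
import re

# Track 2 layout (ISO/IEC 7813): ';' PAN '=' YYMM service-code discretionary-data '?'
TRACK2_RE = re.compile(
    r';(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\?'
)

# Candidate base64 tokens as they would appear inside a URL query or a log line
B64_TOKEN_RE = re.compile(r'[A-Za-z0-9+/]{16,}={0,2}')


def luhn_ok(pan: str) -> bool:
    """Luhn (mod 10) check; separates a plausible PAN from a random digit run."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:            # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep BIN and last four so a hit can be reported without logging the PAN."""
    return pan[:6] + '*' * (len(pan) - 10) + pan[-4:]


def find_track2(blob: bytes) -> list:
    """Scan a raw byte buffer (process memory dump, dmpz.log, ...) for Track 2 data."""
    hits = []
    for m in TRACK2_RE.finditer(blob.decode('latin-1')):
        pan = m.group('pan')
        hits.append({
            'offset': m.start(),
            'masked_pan': mask_pan(pan),
            'expiry': m.group('exp'),
            'service_code': m.group('svc'),
            'luhn_ok': luhn_ok(pan),
        })
    return hits


def find_track2_base64(text: str) -> list:
    """Catch the exfiltration form: Track 2 base64-encoded inside a GET query or log line."""
    hits = []
    for tok in B64_TOKEN_RE.findall(text):
        try:
            decoded = base64.b64decode(tok, validate=True)
        except (binascii.Error, ValueError):
            continue                    # not valid base64, skip the token
        hits.extend(find_track2(decoded))
    return hits


# Constructed sample buffer (not from the post): the post's fake swipe, which fails Luhn,
# followed by a well-known Luhn-valid test PAN
SAMPLE_DUMP = (
    b'\x00\x00junk;1234567891234567=12345678912345678900?junk\x00'
    b';4111111111111111=25121010000000000000?\xff'
)
# Constructed proxy log line; '/gate.php' and 'data' are assumed names, not from the page
SAMPLE_LOG_LINE = (
    'GET /gate.php?data='
    + base64.b64encode(b';4111111111111111=25121010000000000000?').decode()
    + ' HTTP/1.1'
)

if __name__ == '__main__':
    for hit in find_track2(SAMPLE_DUMP):
        print('memory hit:', hit)
    for hit in find_track2_base64(SAMPLE_LOG_LINE):
        print('exfil hit:', hit)
```

Reporting a masked PAN plus the Luhn flag is enough to triage a hit without writing card data into the detection log itself; the post's sample string is a useful negative control because it matches the layout but fails Luhn.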

Now for the offline mode, get the drives:

The flash drive must be named "KARTOXA007" (Russian slang for dumps)


Create dmpz.log:

Now let's have a look at the panel:

POS Terminals:

Dump download:

Commands:

Settings:

Dumped.. :)

Sample:
https://www.virustotal.com/file/bb12fc4943857d8b8df1ea67eecc60a8791257ac3be12ae44634ee559da91bc0/analysis/1358237597/
Unpack:
https://www.virustotal.com/file/4fba64ad3a7e1daf8ca2d65c3f9b03a49083b7af339b995422c01a1a96532ca3/analysis/1358238314/
Thanks Zora for the sample :)

12 comments:

  1. what forum is shown in this post?

  2. I want to make money too :) but i don't know how :( and what way to choose

  3. Get a real job. :)

  4. Congrats Xyli or Zora and company!

    Now we know kaddafi.me and his shit forum lampeduza is more likely a sting. Have much fun, just tell these guys how you got it, because you didn't hack anything. That was easy man, you were right, Dumped vpos_good.7z he he, Anyway I sent you an old stripped version and bugged.

    I'm luving it, learning new things is always appreciated.
    Much love to mossad or whoever you are... later

    Replies
    1. not my fault if you are stupid enough to get fooled by a scammer.
      btw he didn't give it to me, Zora got the bin and I remounted it from posterminal.la with a tar.gz on it and several other vulns, but I'm not here to talk about how I got the (lame) package.

  5. There is a forum where Russian underground carder sellers sell this vSkimmer; it installs and does the entire process, price to match. I found it very interesting because he also installed it on a POS terminal.

  6. This honestly was very upsetting and not impressive at all, I'm sure we all expected better; perhaps the next piece of malware relating to POS will actually be worth looking into in greater detail lol.

  7. yup Zora, claiming to be better than Dexter but I've not seen where it's better.

  8. Does this botnet (vSkimmer) have a
    card PIN grabber function??????

    Replies
    1. This POS software can't grab PINs if I remember correctly.

    2. "Or just a simple ";1234567891234567=12345678912345678900?" in a txt but it's more gangsta to swipe a card."

      Haha, this made me laugh. Good work Xyli! :)

    3. you can get the card PIN by hacking the security cam system /m/