But now I can talk, and there are some interesting things I want to mention about Alina and Dexter (both the most popular PoS malware at the moment).
Please note that my Dexter article is from this campaign.
First of all, I am in possession of a chat log, and I can certainly affirm that the author of Dexter (Dice) had the Alina source, so it's possible he coded them both.
The chat log is between Dice and deputat (see my other article on who's behind Alina).
I previously wrote an article about Dexter, noting how offline bots are shown in red in both bots.
There are more similarities: online bots are green, and download & execute and update bot are common to both Alina and Dexter.
Even the filter used to pull the track 2 data out of the logs is similar.
As for this server: at first everything started from kernelmode.info, where I was looking to expand my RAM scraper collection.
So I set some rules on various RAM scrapers and found Alina that way.
Later I found one server alive with Citadel, Alina and Dexter installed, which was potentially Dice's server, since both Alina and Dexter contain debug information.
And about the server... he comes from "off-sho.re"; I don't think I need to talk about his previous exploits.
We're starting to have some nice people here... :)
The latest Alina version, v6.x (even if there is no real change between 5.x and 6.x), contains the following debug info: "C:\Users\dice\Desktop\src\grab\Debug\alina_dex.pdb"
Let's have a look at these Alina panels; here are the 'logs':
Now for Citadel, here are some screens of the C&Cs:
For a total of 27025807 reports and 35974 bots just for Citadel.
Dexter v1 and v2: 8350 bots
Alina all versions: 2159 bots
And this is without Pony and some other additional crimeware such as Power Loader v2.
These kits were here but not really used, so let's skip them.
(folder /pnb/ for pony and /postnuke/ for PW)
The screenshots in my Power Loader v2 article also come from this server, if you wonder.
Also interesting: the Citadel key used in these panels wasn't from the Citab builder.
And I found myself as a botnet ID on one of these C&Cs (lol?).
John Doe 15 according to Microsoft:
As you can see, the panel inside the folder /armani/ has a botnet ID 'POS' and many other relations with the operating botnets that Microsoft identified.
And for the PoS machines infected, they probably bought them on the black market... no idea.
The Citadel panels were well organised; each group got different payloads depending on the country and machine.
Malware was various and downloaded from compromised sites like:
These MD5s are known and were found on compromised servers/used as Citadel scripts:
A418410FA8B2617F3109DC289FA151C5 > Alina v5.5
CB625454CE2EE0F97E65D1F2DD06BC79 > Alina v5.5
57BEB794C8887EC7FCF1FDCEB246CDD5 > Dexter
8FC5D179B1D89C05617F6E296134C629 > Dexter
BB0B17C2F66A868CF1E8A46626366A32 > Dexter
For the botnet ID 'xyl' only two bots were inside, and I wasn't one of them :)
Nowadays a small number of bots are still calling the sinkholes; almost all infected systems call with 'Alina' referrers.
Citadel webinjects were targeting BMO (Bank of Montreal) and even some corporations specialised in Point-Of-Sale like Moneris.
How did this campaign end?
The bad guys behind it put on the emergency brake when Microsoft released the lawsuit against Citadel users (botnetlegalnotice.com).
Domains of Alina got sinkholed, and the server that was accessible by IP was gone a few weeks after (the box got formatted).
And no more new Citadel builds related to this login key, and no new Alina infections appeared after that.
The Dexter and Alina packages were found for sale months after, probably to erase traces.
That's also why these days we can see some new Dexter and Alina activity: people are reselling it.
For Dexter, the last botnet I spotted was hosted on 126.96.36.199.
The C&C files were exactly the same as in the Alina+Dexter+Citadel campaign.
By exactly the same I mean that some 'test files' totally unrelated to Dexter that I found in the old campaign were also present on this server.
That made me think the bad guys sold the content of the server in a hurry.
Here are some screenshots; the version used here is also 'StarDust' (like in the campaign):
Some panels were very interesting, like this one, which has a version 'Millenium':
Computer name: DIEBOLD-B79E854
This machine has dumps, obviously:
There are also weird processes running according to the logs...
Did they infect an ATM? It seems so.
Installing a VNC backdoor:
The machine is running a process of ATMeye.iQ.
From what I've seen, it's a video/fraud surveillance system for ATMs.
The bad guys uploaded/deleted some stuff via FTP:
Trying to shut down the ATM after erasing traces?
/base1/ uses the same DB as /b2/:
The guys downloaded and uploaded on these infected machines several files like password crackers, network scanners, and card scanners.
Want some math too for this Dexter panel?
21138 Credit Card Dumps stolen.
On the server, a Zbot panel was also there according to the SQL DB, but empty: no reports, no bots.
Crazy stuff anyway; how did they manage to get inside these PoS?
And the answer is...: weak VNC/RDP passwords, as usual.
For the Diebold ATM I still have no idea; I scanned the IP but no remote services are open.
I brute-forced those infected systems to retrieve the malware myself; here are some hashes:
If Visa warns merchants almost every time in their "data security bulletins" about weak passwords, there is a reason.
You are looking for a Dexter decoder? This is the right place.
That was for Dexter; now about Alina: yes, they still use it, and even more clumsily. As with Dexter, people try to sell it.
Alina 5.3 source code:
Track2 scanner proc in Alina:
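As an added example, not code from the original post nor from Alina or Dexter: a small defender-side triage script for the kind of track 2 records that the filter mentioned earlier pulls out of the scraper logs. It matches the track 2 layout (start sentinel, PAN, separator, YYMM expiry, service code, end sentinel), Luhn-checks the PAN, masks it on output, and counts distinct valid records, which is the arithmetic behind a "dumps stolen" figure. The log lines are constructed.

```python
import hashlib
import re
from typing import List, NamedTuple

# Track 2 layout: ';' PAN '=' YYMM service-code discretionary-data '?'
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{2})(\d{2})(\d{3})(\d*)\?")

# Constructed sample of scraper-style log lines (host, process, captured data).
SAMPLE_LOG = """\
POS-01 pos.exe ;4111111111111111=25121011000012345?
POS-01 pos.exe ;5500000000000004=26061010000099999?
POS-02 notepad.exe ;4111111111111112=25121011000012345?
POS-02 svchost.exe heartbeat ok
"""

class Track2Record(NamedTuple):
    pan_masked: str   # first 6 and last 4 digits only
    expiry: str       # MM/YY
    service_code: str
    luhn_ok: bool

def luhn_valid(pan: str) -> bool:
    """Mod-10 check on the PAN; the bots use it to drop false regex hits."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def extract_track2(text: str) -> List[Track2Record]:
    """Find every track 2 record in the text; PANs are masked on the way out."""
    records = []
    for m in TRACK2_RE.finditer(text):
        pan, yy, mm, service_code, _discretionary = m.groups()
        records.append(Track2Record(mask_pan(pan), f"{mm}/{yy}", service_code, luhn_valid(pan)))
    return records

def count_valid_dumps(text: str) -> int:
    """Number of distinct Luhn-valid PANs, deduplicated by hash rather than by value."""
    seen = set()
    for m in TRACK2_RE.finditer(text):
        pan = m.group(1)
        if luhn_valid(pan):
            seen.add(hashlib.sha256(pan.encode()).hexdigest())
    return len(seen)
```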
This Alina + Dexter + Citadel combination was probably disastrous for a lot of people; I even received mails from merchants who told me that they got infected, and this while the campaign was still running.
Combining the cream of RAM scrapers with banking trojans can do a lot of damage.
Microsoft reacted with good timing and destroyed a lot of campaigns.