Friday 21 June 2013

Who's behind Alina ?

Alina got a strange update this night, a 5.2 sample that i monitor received an update order for a 5.7 version (75F936A2385D2F26336D6F7410FD80DA)
Nothing really new on this just..:

Of course i don't infect a machine just to monitor Alina activities, i've made a primitive program who run on my VPS.
The app just send POST requests to the C&C like Alina do and grab the response, i do that as well for several others malwares.
It's the best way i've found for the moment to monitors stuff without compromissing a vm just for one malware.
Fun fact: Alina have various feature but i've always see 'Update and 'Download exe' feature used.

Various trash logs from Visual Studio found on the sample:

Maybe it's time
But not 'just' for SpiderLabs, also check out these awesome articles they have do if you want to understand how Alina work:
Alina: Casting a Shadow on POS
Alina: Following The Shadow Part 1
Alina: Following The Shadow Part 2
Because my last post start to be outdated for the actual version pushed by Alina actor(s)
Now for the C&C a new one was made for this update:

Still on the same server various other Alina C&C are or was on it:
I observed that some was moved and back later due to update or to counter brute force attacks, i have no idea..

Alina is also in relation with Citadel, for example the domain got sinkholed.

But what's mean 'dpt' and why ?
Probably a shortcut to a carding guys know as deputat:
Oh, and deputat: Liberty Reserve is dead, you should update that (just saying)

Who run... a dump shop
I have no idea if grabbed track2 finish inside, but running a POS malware with a dump shop behind is always a good conbination if you feel unable to withdraw money (and it's less risky)

Why did he started to go public with this? i've still no idea, but there is several rumors about a Alina guys that he plan to sell this publicly (according to darkode pm)


11260 cards got grabbed but many duplicates just few are unique.
If you have read the part 2 of Spiderlabs, you see that Alina hooks itself to every process, that the reason of duplicates.


Logs of one POS:

Download/execute feature.

Show stats:
Update feature.

Show bins:
Why bins ?
Sometimes scrapping ram in research of track2 can produce random data, not credit cards.
A bin is the first 6 digits of a credit card, this export filter compare those bins to be sure it's a 'valid' credit card.
Most of POS malware who use the luhn algorithm have this problem: 00000000000000000 or 4444444444444444 who got grabbed because they are luhn valid.
a typical malware who do these false positive and probably the most know: mmon
Alina is one of the most advanced ram scrapper i've see for the moment.
Somone complaining about BlackPOS:

I've more details about why i think deputat is behind, just contact me.


  1. Advanced? Looks very primitive. Good work
    Which forum do you moderate?

  2. How did you enter to admin panel?

  3. Who is behing carberp

  4. and very primitive, needs to evolve
    I prefer botnets,
    finally the source code leaked carbep botkit darkod, the largest vazameneto of recent times, since the source code costs 40k and a lot of money, let's see what happens, will be that we will have a new botnet carbep in the next months? we will