This blog has been updated with McAfee’s NSP detection. See end of blog.

While monitoring a Russian underground forum recently, we came across a discussion about a Trojan for sale that can steal credit card information from machines running Windows for financial transactions and credit card payments. The malware, vSkimmer, can detect the card readers, grab all the information from the Windows machines attached to these readers, and send that data to a control server. The author of the thread also discusses other capabilities of this malware, which appears to be a successor of Dexter, but with additional functions.

We already know about botnets such as Zeus and SpyEye, which perform financial fraud using extremely sophisticated techniques including  intercepting the victims’ banking transactions. VSkimmer  is another example of how financial fraud is actively evolving and how financial Trojans are developed and passed around in the underground community. This botnet is particularly interesting because it directly targets card-payment terminals running Windows.

Our Automated Botnet Replication Framework first saw this Trojan on January 18. We’ve analyzed  samples of this malware and figured out how it steals the credit card information and its additional control functionalities. While performing the API tracing , we found it uses fairly standard antidebugging techniques:

The malware collects the following information from the infected machine and sends it to the control server:

• Machine GUID from the Registry
• Locale info
• Username
• Hostname
• OS version

This malware uses a standard installation mechanism and copies itself as svchost.exe into %APPDATA% , modifies the registry key to add itself under the authorized list of apps, and runs ShellExecute to launch the process. One function of vSkimmer if the Internet is not available is to wait for a USB device with the volume name KARTOXA007  to be connected to the infected machine and to copy all the logs with the file name dumz.log and the card info collected from the victim to the USB drive.

I checked by disconnecting from the Internet: The malware enumerated all the drives and created the file dumz.log in the drive with the preceding name.

Extracting credit card information

VSkimmer maintains the whitelisted process, which it skips while enumerating the running processes on the infected machine.

Once vSkimmer finds any running process not in the whitelist, it runs OpenProcess and ReadProcessMemory to read the memory pages of the process and invokes the pattern-matching algorithm to match the regular expression “?[3-9]{1}[0-9]{12,19}[D=\\u0061][0-9]{10,30}\\??”)” and extract the card info read by the payment devices. This is done recursively for every process running in the infected machine and not on the whitelist.

VSkimmer control

Before communicating with the control server, the malware B64-encodes all the machine information collected and appends it to the URI. The encoded string follow this format:

• machine guid|build_id|bot_version|Windows_version|Host_name|User_Name

Next, vSkimmer creates the HTTP request and connects to the control server:

While this malware ran, we saw the following response. Note that the commands are within the <cmd> </cmd> tag.

Once vSkimmer receives a response from the server, it executes the following routine to parse the command:

Because the response from the server during execution was <cmd>null</cmd>, the malware extracts the 3-byte command and tries to match it with the other commands implemented by vSkimmer. First it checks if the command from the server is “dlx.”

If not, then vSkimmer checks for the “upd” command. These commands implement the HTTP download and execute (“dlx”) and update of the bot (“upd”), respectively.

As we saw earlier in this post, vSkimmer can also grab the Track 2 data stored on the magnetic strip of the credit cards. This track stores all the card information including the card number. (You can read more about the Track 2 data format on Wikipedia. The chief information:

• Primary Account Number: the number printed on the front of the card
• Expiration Date
• Service Code: the three-digit number

VSkimmer bot control panel

Here’s a look at the control panel of the command server:

UPDATE

McAfee NSP detection:

Attack ID: 0x4880a600
Attack Name: BOT: VSkimmer Traffic Detected
Sigset: Intrushield Network Security Signature Set 7.5.34.10

Recently, a highly infectious computer worm coined W32/Autorun was discovered infecting Windows computers. What makes a worm like W32/Autorun unique is that unlike a true virus, a worm doesn’t actually steal something from your computer. Instead, it’s designed to spread rapidly and open as many security holes as possible–ultimately allowing hackers to download a different form of malware (possibly a virus or a Trojan that targets your financial records) that will steal information, money, or both.

How the Worm Spreads

The W32/Autorun worm spreads through physical contact. In your computer’s case, this means connecting an infected flash drive, logging into a shared Internet connection, or plugging into a shared external hard drive. Once the worm infects a new computer through a shared connection or device, it replicates itself multiple times and looks for more ways to spread. 

There are 2 key ways that W32/Autorun gets past your computer’s defenses:

1.    Windows AutoRun: An Automatic In

W32/AutoRun takes advantage of Microsoft’s AutoRun feature. While this feature was not included in Windows 8 for security reasons just like this, it still exists on many older machines that haven’t been updated in a while.  When you plug a device into an older Windows computer that does have AutoRun, a dialog box pops up asking if you want to automatically run whatever is on the device. As you can imagine, this capability is a huge risk from a security perspective. Unsuspecting users click “run” only to find that they’ve authorized the W32/Autorun worm.

2.    Fake Folders Lure Victims In

For users who don’t have AutoRun enabled, like those using Windows 8, W32/Autorun disguises itself as interesting files and folders to trick you into downloading the worm. For example, W32/Autofun often creates imposter files with names like “porn” and “sexy” in infected flash drives or shared Internet connections to lure potential clicks. Once you click on the file to open it, it’s exactly like prompting AutoRun–the file is executed, and your computer is infected.

To ensure full impact, the worm can also change your computer’s settings to allow it to run every time you boot up. Some variants of the worm even disable Windows updates to prevent the system from downloading security patches. This process ensures that the worm can do its job: infect every device your computer comes into contact with and open the door for any virus a hacker wants to install at your expense.

How to Prevent a W32/Autorun Infection

1.    Disable AutoRun

If your computer is still prompting you to automatically run applications whenever you insert a CD, log into a new Internet connection, or plug in a flash drive, update your computer as soon as possible. Visit the Microsoft website to learn how to disable AutoRun for your specific version of Windows. To disable AutoRun independently of software updates, the easiest way is to download a free utility like Disable AutoRun.

2.    Beware of Shared Removable Devices

Remember: this worm is highly infectious. If you share a flash drive with a friend whose computer is infected, that flash drive can carry the worm back to your computer. If you do need to share a device, make sure AutoRun is disabled when you plug it back in, and check that your security protection has the capability to scan new drives to prevent you from clicking on infected files.

Reliable Anti-Virus: What to Do When You’re Already Infected

While my first two tips focus on prevention, a reliable security solution will not only prevent a W32/Autorun infection, but also remove it from your computer.  Solutions like McAfee All Access will catch the W32/Autorun worm bug and others like it, preventing you from accidentally spreading it to friends and family. If you already have a McAfee solution installed, visit our website for details on how to download the latest fix for the W32/Autorun worm.

For more on this topic and other emerging security threats, follow us on Twitter at @McAfeeConsumer.

A recent survey shows that 44% of Americans use smartphones to access the Internet, and 75% say they access the Internet more frequently on their device today than they did one year ago.

Digital research firm comScore found that close to 32.5 million Americans accessed banking information via mobile device at the end of the second quarter of 2011, a 21% increase from in the fourth quarter of 2010. Approximately 24% of consumers store computer or banking passwords on their mobile devices, according to Consumer Reports’ 2011 State of the Net Survey. More than half of smartphone users do not use any password protection to prevent unauthorized device access. And according to Gartner, 113 mobile phones are lost every minute in the U.S. alone.

With unit sales of smartphones and tablets eclipsing those of desktop and laptop PCs, cybercriminals will continue setting their sights on mobile, and increased mobile Internet use will continue exacerbating security and data breach issues.

Protect yourself:

• Use mobile security software and keep it current. Having complete mobile security protection like that offered in McAfee Mobile Security is a primary safety and security measure.
• Automate software updates. Many software programs will automatically connect and update to defend against known risks. Turn on automatic updates if that’s an available option.
• Protect all devices that connect to the Internet. Along with computers, smartphones, gaming systems, and other web-enabled devices also need protection from viruses and malware.

Robert Siciliano is an Online Security Evangelist to McAfee. See him discussing identity theft on YouTube. (Disclosures)

According to a recent Nielsen report, a majority of smartphone owners (62%) have downloaded one of the more than 1 million apps available for Android and iOS devices. However, this surge in growth is accompanied by the potential for malicious apps to damage or threaten mobile security.

McAfee Mobile Security. Use it or Lose it!

To protect yourself and your stuff, it’s time to download and install McAfee Mobile Security 2.0. This latest generation includes:

• Complete Anti-virus, Anti-spyware and Anti-phishing Protection: Scans and cleans malicious code from files, memory cards, applications, Internet downloads and text messages.
• Protection from Potentially Unwanted Programs (PUPs): McAfee is the first to protect you from applications that include spyware, adware and dialers, despite the fact that these programs may have been downloaded in conjunction with a program that you want.
• Web Protection: McAfee SiteAdvisor^® protects you from web threats by blocking risky links within text messages, email and social networking sites. It also safeguards against potential phishing sites, browser exploits and malicious quick response (QR) codes.
• Device Lock: Prevents misuse of your mobile device and personal data by remotely locking all data, including the data on the memory (SIM) card, and displaying a “contact me” message on the device.
• Remote Data Wipe: Protects your privacy by allowing you to remotely deleting the data on your phone and removable memory card. It can also backup data before the remote wipe to prevent the loss of data on your device.
• Backup and Restore Data: Preserves your irreplaceable personal information on demand, on a schedule, or before wiping a missing smartphone or tablet, then restores information to your new device.
• Locate and Track: Helps you to recover your smartphone or tablet if it is lost or stolen. You can view your device’s location on a map, send a text to prompt its return, and use a remote alarm to make it “scream.”
• App Protection: McAfee App Alert for Android helps you keep your private data private by interpreting how apps are accessing and possibly transmitting your personal data.
• Call and Text Filtering: Easily filters out spammers, incorrect numbers and unwanted texts.
• Online Management: McAfee’s web portal lets you quickly execute needed security tasks, such as backup, restore, locate, and remote lock and wipe.
• Uninstall Protection: Prevents a thief or another user from bypassing the mobile protection that is installed on your smartphone or tablet.

For more information or to download a trial, go to https://www.mcafeemobilesecurity.com/download.aspx

Robert Siciliano is an Online Security Evangelist to McAfee. See him discussing identity theft on YouTube. (Disclosures)

A further threat is cross-platform malware that can execute on Windows and Mac using Java; this type of malware can run in a multiplatform Java Virtual Machine. IncognitoRAT is one example of a Java-based Trojan discovered in the wild that is being downloaded and installed by another component. This malware behaves like other Windows botnets but uses source code and libraries that can operate on other platforms.

The original propagation vector of IncognitoRAT is a Windows executable, but apparently it was created using the tool JarToExe, which includes, among other features, the ability to convert .jar files into .exe files, to add program icons and version information, and protect and encrypt Java programs. The victim’s machine has to have the Java Runtime Environment installed and must be online. As soon as the file is executed, it starts downloading a ZIP file with a pack of Java-based libraries to perform several remote activities:

• Java Registry Wrapper: Used to access the Windows Registry and create an entry in Software\Microsoft\Windows\CurrentVersion\Run to execute the malware every time the computer starts
• Java Remote Control: To view and take remote control (keyboard and mouse) of an infected machine
• JLayer – MP3 Library: To remotely play an MP3 file on the infected machine
• RNP-VideoPlayer: To play videos remotely
• JavaMail: Optional Java package to send stolen information to an email account
• Freedom for Media Java: Open-source alternative to the official Java Media Framework; used by the malware to watch and record images from a remote webcam

In additional to those libraries, the downloader drops the following .jar components:

• JavaUpdater.jar: Decrypts the directory (full path) that will be created by the malware to place all the components on the infected machine. It implements TripleDES encryption and decryption methods. Finally, the component executes the principal malware, server.jar, using the common instructions to run Java applications in Windows (java -jar %malwarepath%/Server.jar).
• Server.jar: Runs in the background collecting keystrokes using a DLL designed to hook the keyboard on the infected machine. Also waits for commands sent from the control server to use the libraries described above and perform other actions, such as sending the captured keystrokes in a text file to an FTP server or an email account, viewing and recording the remote webcam, performing distributed denial –of-service attacks, taking remote control of the machine, etc.

One interesting feature of this botnet that we could not replicate during our analysis is its ability to “crash” the system. Apparently, it is a fake crash because in the dropped files we found a curious image that may appear on the infected machine:

According to public information, this malicious code is available for Windows, Mac OS X, and iPhone/iPad (the last only to control infected computers). However, we’ve seen only the PC version in a downloader/dropper in the wild. McAfee products detect this malware in our latest DATs as JV/IncognitoRAT.