Malware used in Target attack publicized
After US retailer Target has confirmed that a malware infection on its Point of Sale (POS) terminals played a key role in the data breach affecting more than 110 million customers, security writer Brian Krebs has published details on the malware used in the attack.
The attackers managed to place an information stealing Trojan, known as Infostealer.Reedum.B on Target's POS terminals. This malware is capable of capturing data that is briefly stored in the memory of the POS device. The information it steals includes the card’s magnetic swipe data, which can potentially allow attackers to print cloned copies of the cards.
Target has yet to publicly comment on how the attackers breached its security to install the malware on POS terminals. However Krebs reported that sources close to the retailer said that the attackers had compromised a company Web server and used that as their point of access. They then established a control server inside Target’s network, which acted as a dump for the stolen information. The attackers logged in at regular intervals to download stolen data.
Symantec can confirm that the malware used in the attack on target was Infostealer.Reedum.B and protection is in place for the threat.
Reedum is just one of a number of pieces of malware that target Point of Sale terminals. Others include:
• Infostealer.Dexter: This Trojan steals system information from infected terminals. It targets login details, the computer name, the operating system, details on system uptime and running processes. It also attempts to collect personal information from system memory files.
• Infostealer.Alina: This Trojan disguises itself as commonly used applications, such as Adobe Flash, Java or the Windows Firewall. It collects information about the terminal it has infected, including the computer name, the path of the threat, the system volume and serial number and the version of the threat. It also enumerates running processes on the infected machine. All of this data is then transmitted to a remote location. This Trojan is also capable of downloading updates for itself when necessary.
• Infostealer.Vskim: Another Trojan designed to steal information from a compromised terminal, this threat disguises itself as svchost.exe, a standard Windows system process. It attempts to bypass the Windows Firewall by creating a registry entry to exempt it from scrutiny. The information it steals includes system locale, the computer name, the user name, the Windows version and information from the registry. This data is then sent to a remote location.