More card-stealing malware found

Summary: RSA researchers found an operational Tor-based network collecting card data from point of sale (POS) systems in 11 countries including the US.

Hot on the heels of the Target point of sale credit card breach, researchers at RSA have uncovered a botnet of credit card data-stealing malware running on point of sale systems.

The login screen for the ChewBacca C&C server

The actual bot code is called ChewBacca and was described in detail recently by Kaspersky Lab. As Kaspersky explains, ChewBacca communicates with its C&C (Command and Control) server over the Tor network, obscuring the IP addresses of both parties. According to RSA, this particular botnet has been collecting track 1 and 2 data of payment cards since October 25.

The ChewBacca bot steals data from systems in two ways: It has a keylogger and it scans memory dumps it creates for credit card data. It communicates this data over the Tor network to a C&C.

After execution, the bot creates a copy of itself named spoolsv.exe (to give the impression it is a spooler service) and puts that copy in the Windows Start->Startup folder so that it is loaded at login time. The program creates a log file named system.log in the %temp% folder. This file contains the keystroke events along with changes in Windows focus to indicate where the keystrokes were going.
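The two host artifacts described above (a spoolsv.exe copy in the Startup folder and a system.log keystroke file in %temp%) can be checked for with a short PowerShell sweep. This is an added example, not code from RSA, Kaspersky or the article; the exact Startup and temp paths are assumptions built from the standard Windows environment variables.

```powershell
# Added defender-side check for the ChewBacca host artifacts the write-up describes.
# Assumption: the "Start->Startup folder" is the per-user or all-users Start Menu
# Startup directory, and %temp% is the current user's TEMP directory.
$startupDirs = @(
    (Join-Path $env:APPDATA 'Microsoft\Windows\Start Menu\Programs\Startup'),     # per-user Startup
    (Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs\StartUp')  # all-users Startup
)
$findings = @()

foreach ($dir in $startupDirs) {
    if (-not (Test-Path $dir)) { continue }
    # The legitimate print spooler lives in System32 and is never launched from Startup,
    # so any spoolsv.exe here is suspicious regardless of its hash.
    Get-ChildItem -Path $dir -Filter 'spoolsv.exe' -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $findings += [pscustomobject]@{
                Indicator = 'spoolsv.exe in Startup folder'
                Path      = $_.FullName
                SHA256    = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        }
}

# Keystroke log written by the bot. A file with this name can also be benign,
# so review its contents (keystrokes interleaved with window-focus changes) before acting.
$log = Join-Path $env:TEMP 'system.log'
if (Test-Path $log) {
    $findings += [pscustomobject]@{
        Indicator = 'system.log in %temp%'
        Path      = $log
        SHA256    = (Get-FileHash -Path $log -Algorithm SHA256).Hash
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No ChewBacca host artifacts found.'
} else {
    $findings | Format-Table -AutoSize
}
```

Run it per user on each POS host, since the per-user Startup folder and %temp% differ by account.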

Neither the RSA nor the Kaspersky descriptions explain how the ChewBacca bot is propagated. RSA has observed it mostly in the US, but also in Russia, Canada and Australia. They say that it has stolen payment card information from several dozen retailers around the world in a little more than two months.



Larry Seltzer has long been a recognized expert in technology, with a focus on mobile technology and security in recent years. He was most recently Editorial Director of BYTE, Dark Reading and Network Computing at UBM Tech. Prior to that he spent over a decade consulting and writing on technology subjects, primarily in the area of sec...