More card-stealing malware found

Summary: RSA researchers found an operational Tor-based network collecting card data from point of sale (POS) systems in 11 countries including the US.

Hot on the heels of the Target point of sale credit card breach, researchers at RSA have uncovered a botnet of credit card data-stealing malware running on point of sale systems.

The login screen for the ChewBacca C&C server

The actual bot code is called ChewBacca and was described in detail recently by Kaspersky Lab. As Kaspersky explains, ChewBacca communicates with its C&C (Command and Control) server over the Tor network, obscuring the IP addresses of both parties. According to RSA, this particular botnet has been collecting track 1 and track 2 data of payment cards since October 25.

The ChewBacca bot steals data from systems in two ways: it has a keylogger, and it scans memory dumps it creates for credit card data. It sends this data over the Tor network to its C&C server.

After execution, the bot creates a copy of itself named spoolsv.exe (to give the impression it is a spooler service) and puts that copy in the Windows Start->Startup folder so that it is loaded at login time. The program creates a log file named system.log in the %temp% folder. This file contains the keystroke events along with changes in Windows focus to indicate where the keystrokes were going.
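The two host artifacts just described (a copy of the bot named spoolsv.exe in the Startup folder, and a keystroke log named system.log in %temp%) are enough for a simple hunt on a POS machine. The following PowerShell is an added example written for this page; it is not code from the article, RSA or Kaspersky. It assumes the genuine Print Spooler binary lives in %SystemRoot%\System32 (so any spoolsv.exe elsewhere is suspect) and that the Startup folder paths resolved by .NET's SpecialFolder enum are the ones the bot uses.

```powershell
# Added example (not from the article, RSA or Kaspersky): hunt for the two
# ChewBacca host artifacts the article names. The legitimate spooler path and
# the Startup folder resolution are assumptions about a standard Windows install.
$findings = @()

# 1. A file named spoolsv.exe in the per-user or all-users Startup folder.
#    The real Print Spooler binary is %SystemRoot%\System32\spoolsv.exe and
#    is never launched from Startup, so any hit here is worth a look.
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)
foreach ($dir in $startupDirs) {
    if (-not (Test-Path -Path $dir)) { continue }
    Get-ChildItem -Path $dir -Filter 'spoolsv.exe' -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $findings += [pscustomobject]@{
                Indicator = 'spoolsv.exe in Startup folder'
                Path      = $_.FullName
                SHA256    = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        }
}

# 2. A running spoolsv.exe whose image is not under System32 (the Startup copy,
#    once loaded at login, shows up as a process with a non-standard path).
$system32 = Join-Path $env:SystemRoot 'System32'
Get-Process -Name 'spoolsv' -ErrorAction SilentlyContinue |
    Where-Object { $_.Path -and -not $_.Path.StartsWith($system32, [StringComparison]::OrdinalIgnoreCase) } |
    ForEach-Object {
        $findings += [pscustomobject]@{
            Indicator = 'spoolsv.exe process outside System32'
            Path      = $_.Path
            SHA256    = (Get-FileHash -Path $_.Path -Algorithm SHA256).Hash
        }
    }

# 3. The keystroke log system.log in %temp%. %temp% is per-user, so run this
#    in the context of the account the POS software uses.
$logPath = Join-Path -Path $env:TEMP -ChildPath 'system.log'
if (Test-Path -Path $logPath) {
    $findings += [pscustomobject]@{
        Indicator = 'system.log in %temp%'
        Path      = $logPath
        SHA256    = (Get-FileHash -Path $logPath -Algorithm SHA256).Hash
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No ChewBacca host artifacts found on this host.'
} else {
    $findings | Format-Table -AutoSize
}
```

Run it under the account that operates the POS software (the %temp% check is per-user), and treat the hashes it prints as the starting point for correlating across the rest of the fleet rather than as a verdict on their own; the filename alone is not a strong indicator, and a hit should be confirmed by inspecting the file.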

Neither the RSA nor the Kaspersky descriptions explain how the ChewBacca bot is propagated. RSA has observed it mostly in the US, but also in Russia, Canada and Australia. They say that it has stolen payment card information from several dozen retailers around the world in a little more than two months.


  • Low hanging fruit

    POS running on Windows are most commonly targeted for exploits like this because it is easy.
    • you can say OLD windows

      POS running an OLD Windows OS is the root cause.
    • URKiddinYourself

      They are most commonly targeted because they run the vast majority of POS systems.

      There are a couple of Linux-based ones, but I hear they're even worse, and just as easy to hack, though not as widely used, so you'd have to be lucky to stumble across one.