A strain of point-of-sale malware that began making the rounds on underground markets late last month is easy to use, but less sophisticated than initial reports suggested.
According to researchers at Talos, Cisco’s research division, Pro PoS is mostly built on Alina, another type of POS malware which had its source code leaked earlier this year.
Reports from two weeks ago claim the malware boasts Tor support, rootkit functionalities, mechanisms to avoid antivirus, and a polymorphic engine, but Ben Baker and Earl Carter, two researchers with the firm, found few signs of any of those things.
Baker and Carter analyzed a sample of version 1.1.5b of Pro PoS and discovered that while the malware has support for Tor2Web, it doesn’t have support for Tor. The two didn’t find a polymorphic engine either. They did find a rootkit but note that it that it doesn’t even appear to be used by the malware.
Baker and Carter claim some techniques exhibited by the malware’s author suggest they weren’t looking to craft the most complex code. The two found a packer in the malware, but point out that that doesn’t contain any anti-analysis checks and might just be there for compression purposes.
“Given the simplicity of the packer and the fact that it even leaves some of the string in the binary unaltered, it is likely that the packer was meant to simply compress the binary, instead of trying to make the examination of the binary more complicated.”
A “minimalistic” rootkit associated with the malware fails to validate data before using it, and left the researchers scratching their heads as to whether the functionality was fully fleshed out. The control panel meanwhile doesn’t use PHP obfuscation, something that made reversing the network protocol “a breeze,” according to the two. The panel also contains a vulnerability that can lead to arbitrary PHP execution.
“Obviously security wasn’t a major concern when developing this malware,” Baker and Carter write.
The rest of the malware proceeds more or less as one would expect PoS malware to – it scrapes memory, separates the card’s number from the date, and verifies it can be used internationally.
While the malware may not be the most secure or sound PoS client, the fact that it’s simple to use, and circulating around some of the busiest shopping days of the year should cause some concern, Talos warned Thursday. While some functionalities of the malware may not be completely intact, the fact that they’re there at all suggests they could be modified down the line.
“Ease of use and access are the main selling points of [Pro PoS] – It’s basically an example of ‘commercialized’ malware. Pro PoS can be easily modified to expand its functionality. The malware is designed in a modular fashion so it’s easily extendable to add new modules, increasing the functionality of the malware.”
