Dexter malware’s source still unknown, connection to Zeus disputed

The Dexter malware is not a serial killer, like in the Showtime drama of the same name, but it amounts to a serial cyber Grinch, stealing Christmas from possibly tens of thousands of people through making it possible for criminals to clone their credit cards.

How it attacks, how much damage it has done, where it came from, and whether those behind it are connected to the Zeus malware are still either unknown or matters of debate among analysts.

Seculert, the threat detection firm that discovered and named the custom malware that infects point-of-sale (POS) systems like electronic cash registers, kiosks and automatic teller machines (ATMs) instead of individual end-user devices, has no estimate on how many credit cards have been compromised.

But a blog post on the company’s website said Dexter had been in use for the past two to three months and had infected hundreds of POS systems in 40 countries, with 61% of the systems infected in North America and the U.K.

Seculert CTO Aviv Raff said the number of infected systems, belonging to enterprises ranging from major retailers to hotels, restaurants and even private parking providers means that “probably tens of thousands of people” have been victims.

The POS malware is becoming much more popular for online theft for a simple reason: it offers more bucks for the bang. As The Security Ledger put it, “more and more malicious programs are ascribing to the Willie Sutton philosophy of online theft: you infect POS systems because ‘that’s where the money is,’ or — at least — the data that you need to get the money.”

The Dexter malware is a so-called “memory scraper” that searches for Track 1 and Track 2 data, which includes a cardholder’s name, account number, encrypted PIN and other discretionary data — enough to clone the card and use it to make fraudulent purchases.

Raff said how Dexter gains access to systems is still not known. He said Seculert is “a detection company,” and does not do that kind of forensics, although the company partners with others that do.

[See also: Is it really Zeus vs. Anonymous?]

But he said 30% of the infected systems are servers and “it’s unusual for servers to get infected using regular methods, mainly because they aren’t being used by people to surf the Web.”

“There can be many ways,” he said. “It could be by attacking other machines on the same network. Or there might be a remote desktop open, and people can try to log in from there.”

Roger Thompson, chief emerging threat researcher at ICSA Labs, said there is no way to tell for sure. “It’s the computer equivalent of the needle in the haystack,” he said. “Even if you’re lucky enough to find the needle, there is simply no record of the path it took to get in.”

Raff said some of the compromised companies have been notified, but Seculert would not name them publicly. “This is a privacy issue,” he said, adding that if end users are concerned that their card may have been compromised, they should contact the vendor.

He said the best way for vendors to defeat Dexter is to make sure their POS systems are using encryption. “[Dexter] is checking memory, and if the device uses encryption, it would not be able to crack it,” he said.

Thompson said all credit card users should monitor their bank accounts and credit cards accounts daily.

There is some debate over where Dexter is coming from and what individuals or groups might be behind it. Keith Gilbert reports at the Verizon Security Blog that an analysis showed that the IP address hosting the Dexter domains “also happens to host some Zeus related domains and several domains for Vobfus, A.K.A. the porn worm,’ which has picked up steam recently and is known to deliver Zeus in some instances.” He also notes that Dexter exhibited some of the same behavioral characteristics as Zeus.

Gilbert wrote that the Verizon team also found a freelancer with the username “hgfrfv” in the Russian Federation, and also found the email address mark.jacobs@live.com as a contact.

Verizon also doesn’t know how the malware is being delivered, “though our experiences suggests that servers aren’t immune from drive-by exploits or phishing emails,” Gilbert wrote.

Raff said Seculert is not persuaded that there is a connection to Zeus. “We looked at their blog and the way they tried to connect it to Zeus,” he said. “We can do the same thing and find similarities to other families of malware. This is not hard evidence in our view.”

So who is to blame? Raff said Seculert does not try to “find the adversary,” but added that several partners are working on it and have come up with names, however, they are different from those posted by the Verizon team.

“We can’t disclose the names,” he said. “But we can say that they are fluent in English.”