POS Malware Uses Time-Stamp Check to Evade Detection

Point of sale (POS) attacks appear to have gained in popularity during the past year or so. We have seen major retail chains targeted by different strains of POS malware. Equipped with memory-scraping functionality, POS malware steals credit or debit card information from shoppers who use their cards for payments.

The following illustration shows how closely a recent variant we captured resembles previous samples we have seen. The code has undergone minimal changes since its inception.


Black POS malware is one of the most prevalent POS families in the wild. Recently we noticed new variants of Black POS that exhibit no behavior when executed in a synthetic environment. This inactivity in a sandbox promptly captured our attention. This new variant of Black POS checks the system time on the infected machine against the hardcoded time stamp on the executable. (Malware has long used this technique to be active only during certain periods, while remaining dormant the rest of the time.)

This variant of Black POS was compiled with Borland C++. Next we see one sample’s main function, in which time is checked against a preset value.


Looking at the malware’s time stamp, Wed 14 Jan 2015 18:14:29 GMT, we see the malware is designed to exhibit its behavior for one month from the time it was compiled.
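To reason about the window such a check creates, an analyst can read the compile time stamp from the PE header and model the active period. The following Python is an added example, not McAfee's code or the malware's own: it reads the COFF TimeDateStamp from a constructed minimal PE header stamped with the date above and reports whether a sandbox clock set to a given time falls inside the active window, which is assumed here to be 30 days.

```python
import struct
from datetime import datetime, timedelta, timezone

# Assumption: the post says "one month"; a 30-day window is used here as the model.
ACTIVE_WINDOW = timedelta(days=30)


def pe_compile_time(data: bytes) -> datetime:
    """Read the COFF TimeDateStamp (seconds since the Unix epoch) from a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # COFF header after the signature: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    stamp = struct.unpack_from("<I", data, e_lfanew + 8)[0]
    return datetime.fromtimestamp(stamp, tz=timezone.utc)


def is_active_at(data: bytes, system_time_iso: str, window: timedelta = ACTIVE_WINDOW) -> bool:
    """True if a sample using the described check would run when the clock reads system_time_iso.
    The sample stays dormant before its own compile time and once the window has elapsed."""
    compiled = pe_compile_time(data)
    clock = datetime.fromisoformat(system_time_iso)
    return compiled <= clock < compiled + window


def build_fake_pe(stamp: int) -> bytes:
    """Constructed stand-in for a real sample: just enough header for pe_compile_time()."""
    e_lfanew = 0x40
    header = bytearray(e_lfanew + 4 + 20)  # DOS header + signature + COFF header
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, e_lfanew)
    header[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    # Machine = IMAGE_FILE_MACHINE_I386, 3 sections, TimeDateStamp
    struct.pack_into("<HHI", header, e_lfanew + 4, 0x14C, 3, stamp)
    return bytes(header)


# Constructed sample carrying the time stamp quoted in the post (Wed 14 Jan 2015 18:14:29 GMT).
SAMPLE = build_fake_pe(int(datetime(2015, 1, 14, 18, 14, 29, tzinfo=timezone.utc).timestamp()))

if __name__ == "__main__":
    compiled = pe_compile_time(SAMPLE)
    print("compiled:", compiled.isoformat())
    print("dormant from:", (compiled + ACTIVE_WINDOW).isoformat())
    for when in ("2015-01-20T09:00:00+00:00", "2015-03-24T09:00:00+00:00"):
        print(when, "->", "active" if is_active_at(SAMPLE, when) else "dormant")
```

A sandbox whose clock sits outside the window sees no behavior, which is why setting the analysis clock near the compile time is a useful step when a sample looks inert.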

The key functions of this sample include memory dumping and enumerating modules loaded in process memory.



The sample also scans for credit card information in memory by employing a Perl Compatible Regular Expressions engine, as shown in the following image.


McAfee Advanced Threat Defense detects the samples involved in this attack. The sample is detected by static code analysis in the Family Classification module.



The post POS Malware Uses Time-Stamp Check to Evade Detection appeared first on McAfee.

Malicious user hides trojan links in cloned Steam Greenlight pages

A malicious user exploited the somewhat open submission structure of Steam's Greenlight section over the weekend to briefly hide malware links in cloned versions of legitimate game pages.

Polygon reports that a Steam user going by the handle bluebunny14 posted copies of pages for five games to Steam's Greenlight section over the weekend. The cloned pages copied the text, screenshots, and videos of existing Greenlight games, including Melancholy Republic and The Maze, to look exactly like legitimate titles seeking attention in Steam's fan-voting area. But the cloned pages also included purported "beta version" links for the games that instead led users to what Polygon calls "a known Trojan."

After being posted Sunday, the malicious links were reportedly removed by early Monday, and the cloned game pages themselves reportedly removed by Monday afternoon. "Community members alerted us of the situation over the weekend by flagging the content," said Valve's Doug Lombardi in a statement. "Our Community Moderators responded quickly by removing all malicious links from the fake Greenlight material and then we banned the submissions. We are taking further steps to deal with anyone involved in posting the links. We'd like to thank those who reported the issue in addition to our Community Moderators, and we encourage everyone to report any suspicious activity in the future by using the flag icon located throughout the Steam Community."


Installer Hijacking Vulnerability in Android Devices

Original release date: March 24, 2015

A vulnerability in Google's Android OS has been discovered that could allow an attacker to change or replace a seemingly safe Android application with malware during installation. An attacker exploiting this vulnerability could access and steal user data on compromised devices without user knowledge. Devices running Android version 4.4 or later are not vulnerable.

US-CERT advises users to ensure their devices are running an up-to-date version of Android and to use caution when installing software from third-party app stores.


Twitch resets user passwords following breach

Twitch, the Amazon-owned game video streaming service, has reset passwords for all its users after warning of a security breach that may have allowed hackers to access user names, passwords, and other personal information.

According to a blog post Twitch published Monday evening, current passwords have been expired and users will be required to create a new one the next time they log in. Accounts have also been disconnected from Twitter and YouTube. As is standard practice, anyone who used the same password for multiple services should assume it's compromised and create a new and unique passcode for each property. Credit card data was not affected, the company said.

Monday's advisory provided few details. E-mails sent to users said hackers may have gained unauthorized access to Twitch usernames and associated e-mail addresses, encrypted passwords, the last IP address users logged in from, and—for users who provided such information—first and last names, phone numbers, addresses, and dates of birth. According to a report from Venturebeat, a separate e-mail sent only to select users provided an intriguing additional detail. "While we store passwords in a cryptographically protected form, we believe it's possible that your password could have been captured in clear text by malicious code when you logged into our site on March 3rd," it said.
