Dexter malware's source still unknown, connection to Zeus disputed

The Dexter malware is not a serial killer, like in the Showtime drama of the same name, but it amounts to a serial cyber Grinch, stealing Christmas from possibly tens of thousands of people through making it possible for criminals to clone their credit cards.

How it attacks, how much damage it has done, where it came from, and whether those behind it are connected to the Zeus malware are still either unknown or matters of debate among analysts.

Seculert, the threat detection firm that discovered and named the custom malware that infects point-of-sale (POS) systems like electronic cash registers, kiosks and automatic teller machines (ATMs) instead of individual end-user devices, has no estimate on how many credit cards have been compromised.

But a blog post on the company's website said Dexter had been in use for the past two to three months and had infected hundreds of POS systems in 40 countries, with 61% of the systems infected in North America and the U.K.

Seculert CTO Aviv Raff said the number of infected systems, belonging to enterprises ranging from major retailers to hotels, restaurants and even private parking providers means that "probably tens of thousands of people" have been victims.

The POS malware is becoming much more popular for online theft for a simple reason: it offers more bucks for the bang. As The Security Ledger put it, "more and more malicious programs are ascribing to the Willie Sutton philosophy of online theft: you infect POS systems because 'that's where the money is,' or -- at least -- the data that you need to get the money."

The Dexter malware is a so-called "memory scraper" that searches for Track 1 and Track 2 data, which includes a cardholder's name, account number, encrypted PIN and other discretionary data -- enough to clone the card and use it to make fraudulent purchases.

Raff said how Dexter gains access to systems is still not known. He said Seculert is "a detection company," and does not do that kind of forensics, although the company partners with others that do.


But he said 30% of the infected systems are servers and "it's unusual for servers to get infected using regular methods, mainly because they aren't being used by people to surf the Web."

"There can be many ways," he said. "It could be by attacking other machines on the same network. Or there might be a remote desktop open, and people can try to log in from there."

Roger Thompson, chief emerging threat researcher at ICSA Labs, said there is no way to tell for sure. "It's the computer equivalent of the needle in the haystack," he said. "Even if you're lucky enough to find the needle, there is simply no record of the path it took to get in."

Raff said some of the compromised companies have been notified, but Seculert would not name them publicly. "This is a privacy issue," he said, adding that if end users are concerned that their card may have been compromised, they should contact the vendor.

He said the best way for vendors to defeat Dexter is to make sure their POS systems are using encryption. "[Dexter] is checking memory, and if the device uses encryption, it would not be able to crack it," he said.
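An added example (not from the article, Seculert or Verizon) of the check a defender would run to verify the advice above: it scans a process memory dump for cleartext ISO 7813 Track 2 records, keeps only Luhn-valid PANs, and masks what it reports. The dump bytes, terminal name and PAN values are constructed for this example; any device that encrypts track data should produce no hits.

```python
import re
from typing import Dict, List

# Constructed sample of what a POS process memory dump might hold: one cleartext
# Track 2 record built from a well-known test PAN, one opaque record from a device
# that encrypts track data, and a Luhn-invalid digit run that only looks like a PAN.
SAMPLE_DUMP = (
    b"\x00\x00terminal=LANE07\x00"
    b";4111111111111111=25121011000012345?"  # cleartext Track 2 (test PAN)
    b"\x00ENC:6f2a9c0b4d1e\x00"                # encrypted/opaque, not scannable
    b";1234567890123456=25121011000012345?"  # fails Luhn, should be ignored
)

# Track 2 layout: ';' PAN '=' YYMM service-code discretionary-data '?'
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})(\d*)\?")


def luhn_ok(pan: str) -> bool:
    """ISO 7812 Luhn check; a real PAN always passes, random digit runs rarely do."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep BIN and last four only, so the audit report itself holds no full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_cleartext_track2(blob: bytes) -> List[Dict[str, str]]:
    """Return masked, Luhn-valid Track 2 records found in a memory dump."""
    hits = []
    for m in TRACK2_RE.finditer(blob):
        pan = m.group(1).decode("ascii")
        if not luhn_ok(pan):
            continue
        hits.append({
            "pan": mask_pan(pan),
            "expiry_yymm": m.group(2).decode("ascii"),
            "service_code": m.group(3).decode("ascii"),
            "offset": str(m.start()),
        })
    return hits


if __name__ == "__main__":
    for hit in find_cleartext_track2(SAMPLE_DUMP):
        print("cleartext track data at offset", hit["offset"], hit)
```

A dump from an encrypting terminal should yield an empty list; one hit is enough to show that Dexter-style memory scraping would succeed against that system.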

Thompson said all credit card users should monitor their bank accounts and credit cards accounts daily.

There is some debate over where Dexter is coming from and what individuals or groups might be behind it. Keith Gilbert reports at the Verizon Security Blog that an analysis showed that the IP address hosting the Dexter domains "also happens to host some Zeus related domains and several domains for Vobfus, A.K.A. 'the porn worm,' which has picked up steam recently and is known to deliver Zeus in some instances." He also notes that Dexter exhibited some of the same behavioral characteristics as Zeus.

Gilbert wrote that the Verizon team also found a freelancer with the username "hgfrfv" in the Russian Federation, and also found the email address as a contact.

Verizon also doesn't know how the malware is being delivered, "though our experience suggests that servers aren't immune from drive-by exploits or phishing emails," Gilbert wrote.

Raff said Seculert is not persuaded that there is a connection to Zeus. "We looked at their blog and the way they tried to connect it to Zeus," he said. "We can do the same thing and find similarities to other families of malware. This is not hard evidence in our view."

So who is to blame? Raff said Seculert does not try to "find the adversary," but added that several partners are working on it and have come up with names; however, they are different from those posted by the Verizon team.

"We can't disclose the names," he said. "But we can say that they are fluent in English."


Stories by Taylor Armerding