Underscoring the growing sophistication of Internet crime, researchers have documented one of the first known botnets to target point-of-sale (PoS) terminals used by stores and restaurants to process customers' credit and debit card payments.

The botnet remained active at the time of writing and had compromised more than 20,000 payment cards since August, researchers from IntelCrawler, a Los Angeles-based security intelligence provider, told Ars. The researchers arrived at the findings after infiltrating one of the control servers used to send commands to infected machines and receive pilfered data from them. A recently captured screenshot (above) showed that it was controlling 31 machines that the researchers said belonged to US-based restaurants and retailers. Some of the infected machines are servers, so the number of affected PoS devices could be much higher. The researchers have reported their findings to law enforcement agencies that they declined to identify by name.

PoS-based hacking is nothing new. The best-known incident stole data for more than 146,000 cards after infecting 200 terminals used at Subway Sandwich shops and other small merchants. According to federal prosecutors, the criminals behind that intrusion infected one or more servers with "sniffing" software that logged payment card numbers and sent them to a remote server. Although the now-convicted crooks were able to install a backdoor on the computers they accessed so they could change configuration settings and install new programs, there is no evidence of a botnet that actively controlled the infected machines in lockstep.

The infections observed by IntelCrawler, by contrast, are much more advanced. They allow attackers to corral large numbers of PoS devices into a single botnet. The interface makes it easy to monitor the activities of infected machines in real time and to issue granular commands. In short, they are to PoS terminals what ZeuS, Citadel, and other banking trojans are to online bank accounts. The code helping to streamline the process has been dubbed StarDust. It's a major revision of Dexter, a previously discovered piece of malware targeting PoS devices that has already been fingered in other real-world payment card swindles.

"The unique side of our case is that it is a real botnet with C&C functions, which is active close to half a year and controlled by a group of criminals which has a new type of Dexter," IntelCrawler CEO Andrey Komarov wrote in an e-mail. "The infected PoS merchants are installed in different places and cities... which makes it different as the bad actors infected them separately and then organized a botnet from it."

Not your father's PoS malware

StarDust's developers have intimate knowledge of the inner workings of PoS applications such as Clearview PoS. As a result, the malware can locate where in the computer's memory sensitive data is stored, in some cases in cleartext. StarDust can also sniff network traffic and extract Track1 and Track2 card data. To remain covert, the software transfers card details only when the terminal is inactive and the screensaver is on. It also uses the RC4 cipher to encrypt data before sending it to the control server.
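Because the malware scrapes memory and network traffic for Track1 and Track2 data, a responder examining a suspected PoS host can look for the same artifacts. The scanner below is an added example, not IntelCrawler's analysis code and not anything recovered from StarDust: it searches a byte buffer (a memory dump or a reassembled network payload) for the ISO 7813 Track 1 and Track 2 layouts, applies a Luhn check to cut false positives, and reports only masked PANs so the output itself does not become cardholder data. The regexes, the field-length limits, and the sample buffer with its test card numbers are all constructed assumptions.

```python
import re
from dataclasses import dataclass

# Track 1 (format code B): %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
# Track 2:                 ;<PAN>=<YYMM><service code><discretionary>?
# Field lengths are assumptions chosen to stay within the ISO 7813 maxima.
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([^^?]{2,26})\^(\d{4})(\d{3})[^?]{0,60}\?")
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})[^?]{0,40}\?")


@dataclass
class TrackHit:
    track: int          # 1 or 2
    offset: int         # byte offset of the match in the scanned buffer
    masked_pan: str     # first six and last four digits only
    expiry: str         # YYMM exactly as encoded on the stripe
    service_code: str


def luhn_valid(pan: str) -> bool:
    """Mod-10 check; a random digit run passes only one time in ten."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_for_track_data(buf: bytes) -> list[TrackHit]:
    """Return Luhn-validated track records found in buf, ordered by offset."""
    hits: list[TrackHit] = []
    for track, rx in ((1, TRACK1_RE), (2, TRACK2_RE)):
        for m in rx.finditer(buf):
            pan = m.group(1).decode("ascii")
            if not luhn_valid(pan):
                continue        # looks like a track but the PAN is not a card number
            # Track 1 has the name in group 2, so its date/service groups are shifted by one.
            expiry = m.group(3 if track == 1 else 2).decode("ascii")
            svc = m.group(4 if track == 1 else 3).decode("ascii")
            hits.append(TrackHit(track, m.start(), mask_pan(pan), expiry, svc))
    return sorted(hits, key=lambda h: h.offset)


# Constructed sample "memory dump": two valid records using well-known test PANs,
# plus a decoy in track format whose PAN fails the Luhn check.
SAMPLE_BUFFER = (
    b"\x00\x00PROCESS DATA\x00"
    b"%B5555555555554444^DOE/JANE^25121011234567890?"
    b"\x00\x10\x20"
    b";4111111111111111=2512101123456?"
    b"\x00noise;1234567890123456=2512101999999?\x00"
)

if __name__ == "__main__":
    for hit in scan_for_track_data(SAMPLE_BUFFER):
        print(hit)
```

Run over a real dump, the same function gives a responder a list of offsets to pivot from (which process, which module, which socket buffer) without ever writing a full PAN to disk; the decoy record in the sample shows why the Luhn step matters, since the track regex alone would flag it.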

The discovery comes as researchers from a separate security firm, Arbor Networks, published a blog post on Tuesday reporting an active PoS compromise campaign. The advisory is based on two servers found to be hosting Dexter and other PoS malware. Arbor researchers said the campaign looks to be most active in the Eastern Hemisphere. There was no mention of a botnet or of US restaurants or retailers being infected, so the report may describe a campaign independent of the one found by IntelCrawler.

It remains unclear how the attackers manage to initially infect PoS terminals and servers that make up the botnet. In the past, criminals have targeted known vulnerabilities in applications that many sellers of PoS software use to remotely administer customer systems. Weak administrator passwords, a failure to install security updates in a timely fashion, or unknown vulnerabilities in the PoS applications themselves are also possibilities.

StarDust, which is sometimes referred to as Dexter V2, appeared in underground markets a few months ago. It appears to be based on Dexter source code that was leaked online after its developers had professional differences. As much as 80 percent of the malware targeting PoS systems is developed in Russian-speaking countries, Komarov estimated. The command server and a backup system are located in Moscow and Saint Petersburg in the Russian Federation. He said the people running them are part of the SharkMoney.CC gang and have ties to the Russian Business Network, a provider of "bullet-proof" hosting for criminals.

Dexter was originally reported by Israel-based Seculert. While the capabilities of the malware have been known for 12 months, IntelCrawler's analysis is among the first to document an active botnet that runs on a variant of the malware. It is also one of the first to report its transformation into StarDust and its enhanced ability to extract card data.

Story updated to remove "first" from headline and add last paragraph, add "some cases" to sixth paragraph.

Listing image courtesy of Wikipedia.