• Total Posts: 28035
  • Total Topics: 8051
  • Online Today: 772
  • Online Ever: 51419
  • (01. January 2010., 09:27:49)

Author Topic: VSkimmer Botnet Targets Credit Card Payment Terminals  (Read 1787 times)

0 Members and 1 Guest are viewing this topic.


  • SCF VIP Member
  • *****
  • Posts: 711
  • KARMA: 114
  • Gender: Male
  • Pez
VSkimmer Botnet Targets Credit Card Payment Terminals
« on: 22. March 2013., 07:53:03 »
VSkimmer Botnet Targets Credit Card Payment Terminals

While monitoring a Russian underground forum recently, we came across a discussion about a Trojan for sale that can steal credit card information from machines running Windows for financial transactions and credit card payments. The malware, vSkimmer, can detect the card readers, grab all the information from the Windows machines attached to these readers, and send that data to a control server. The author of the thread also discusses other capabilities of this malware, which appears to be a successor of Dexter, but with additional functions.

"click the images to get them larger !"

We already know about botnets such as Zeus and SpyEye, which perform financial fraud using extremely sophisticated techniques including  intercepting the victims’ banking transactions. VSkimmer  is another example of how financial fraud is actively evolving and how financial Trojans are developed and passed around in the underground community. This botnet is particularly interesting because it directly targets card-payment terminals running Windows.

Our Automated Botnet Replication Framework first saw this Trojan on February 13. We’ve analyzed  samples of this malware and figured out how it steals the credit card information and its additional control functionalities. While performing the API tracing , we found it uses fairly standard antidebugging techniques:

The malware collects the following information from the infected machine and sends it to the control server:

• Machine GUID from the Registry

• Locale info

• Username

• Hostname

• OS version

This malware uses a standard installation mechanism and copies itself as svchost.exe into %APPDATA% , modifies the registry key to add itself under the authorized list of apps, and runs ShellExecute to launch the process. One function of vSkimmer if the Internet is not available is to wait for a USB device with the volume name KARTOXA007  to be connected to the infected machine and to copy all the logs with the file name dumz.log and the card info collected from the victim to the USB drive.

I checked by disconnecting from the Internet: The malware enumerated all the drives and created the file dumz.log in the drive with the preceding name.

Extracting credit card information

VSkimmer maintains the whitelisted process, which it skips while enumerating the running processes on the infected machine.

Once vSkimmer finds any running process not in the whitelist, it runs OpenProcess and ReadProcessMemory to read the memory pages of the process and invokes the pattern-matching algorithm to match the regular expression “?[3-9]{1}[0-9]{12,19}[D=\\u0061][0-9]{10,30}\\??”)” and extract the card info read by the payment devices. This is done recursively for every process running in the infected machine and not on the whitelist.

VSkimmer control

Before communicating with the control server, the malware B64-encodes all the machine information collected and appends it to the URI. The encoded string follow this format:

• machine guid|build_id|bot_version|Windows_version|Host_name|User_Name

Next, vSkimmer creates the HTTP request and connects to the control server:

While this malware ran, we saw the following response. Note that the commands are within the <cmd> </cmd> tag.

Once vSkimmer receives a response from the server, it executes the following routine to parse the command:

Because the response from the server during execution was <cmd>null</cmd>, the malware extracts the 3-byte command and tries to match it with the other commands implemented by vSkimmer. First it checks if the command from the server is “dlx.”

If not, then vSkimmer checks for the “upd” command. These commands implement the HTTP download and execute (“dlx”) and update of the bot (“upd”), respectively.

As we saw earlier in this post, vSkimmer can also grab the Track 2 data stored on the magnetic strip of the credit cards. This track stores all the card information including the card number. (You can read more about the Track 2 data format on Wikipedia. The chief information:

• Primary Account Number: the number printed on the front of the card

• Expiration Date

• Service Code: the three-digit number

VSkimmer bot control panel

Here’s a look at the control panel of the command server:

Orginal article: Thursday, March 21, 2013 at 11:20am by Chintan Shah
Their is two easy way to configure a system!
Every thing open and every thing closed.
Every thing else is more or less complex.

Start Turfing !,8405.msg21475.html#msg21475

Samker's Computer Forum -

VSkimmer Botnet Targets Credit Card Payment Terminals
« on: 22. March 2013., 07:53:03 »


  • SCF Advanced Member
  • ***
  • Posts: 329
  • KARMA: 41
  • Gender: Male
Re: VSkimmer Botnet Targets Credit Card Payment Terminals
« Reply #1 on: 22. March 2013., 19:40:17 »
Wooah :-o What kind of Trojan!
Extremely interesting case! :-\
I'm old man but still alive as well :)


With Quick-Reply you can write a post when viewing a topic without loading a new page. You can still use bulletin board code and smileys as you would in a normal post.

Name: Email:
Type the letters shown in the picture
Listen to the letters / Request another image
Type the letters shown in the picture:
Second Anti-Bot trap, type or simply copy-paste below (only the red letters)

Enter your email address to receive daily email with ' - Samker's Computer Forum' newest content:

Terms of Use | Privacy Policy | Advertising