Android malware with hidden message for Security Analysts (June 19, 2015)

In today’s internet age, malware has gained immense visibility and there is wide awareness of its dangers. Many companies allocate a budget to safeguard their products and services against such threats. In an effort to thwart a fast-spreading malware, it generally goes through static and dynamic inspection, automated or performed manually by security researchers, to understand it and provide remediation.

Sometimes malware writers hide messages meant for the researchers who dissect such malicious entities, as these messages are only visible to prying eyes. The Dell SonicWALL Threats Research team received reports of such a self-aware Android locker malware that winks at researchers with a message in its code.

Infection Cycle

The Android Package (apk) asks for the following permissions during installation:

  • System Alert Window
  • Receive SMS
  • Send SMS
  • Receive boot completed
  • Internet
  • Access network state

Upon installation, once the app is started we see a lockscreen as below:

This lockscreen hinders the user from doing any activity on the device: the buttons and touch feedback do not perform any action, and the only thing staring back at the user is the lockscreen. This is where malware writers usually demand a ransom, generally money, in exchange for liberating the device from the lockscreen.

In this case, however, we do not see any such demand; the message simply states that the device can be ‘unlocked’ if the right password is entered. As per the message on the lockscreen, the trojan generates a serial number for every infected device (9476849 in our case).

Once the lockscreen sets in, an SMS is sent to 183[removed] in the background to indicate a successful infection on the device. This is where the Send SMS and Receive SMS permissions are used by the app.

Lockscreen malware that displays a ransom message covering the entire screen has been on the rise for both mobile devices and Windows machines; detailed analysis of some of them can be seen on our blogs. But this malware for Android devices has a special message for the security analysts who analyze it:

An Android application is made up of compiled Java code; in order to view the code and perform a static analysis of the application, it has to be decompiled. This is a common practice in Android malware analysis, and the malware writers in this case have added a message for security analysts who try to decompile the application.

There have been trojans in the past that lock the device and encrypt all the files present on it in exchange for money, as highlighted in one of our previous blogs. We did not see any such demands in this case; this trojan is essentially just a locker and does not encrypt the files on the device. It won't be surprising if additional features are added to this trojan in the time to come.

Getting rid of the lockscreen is quite easy in this case if one follows the steps listed below:

  • Unlock Developer mode by going to Settings > About Phone > Build number and tapping it 7 times
  • Enable USB debugging from Settings > Developer Options
  • Connect the device to a machine that has the Android SDK installed; we will be using Android Debug Bridge (ADB), a command line tool that can communicate with the device
  • Double check that the device is connected and adb is able to talk to it by running: adb devices
    • The list of devices attached should include your device serial number
  • Once connected, simply run: adb shell am force-stop qqkj.qqmagic
    • Here we are force-stopping everything associated with the app that has the specified package name
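The adb steps above, wrapped in a small Python helper that is an added example and not part of the original post: it parses `adb devices` output, confirms the package is actually installed (exact match, because `pm list packages` filters by substring) and then force-stops and uninstalls it on every authorized device. The package name is the one from the APK details in this post; the only other assumption is a working `adb` in PATH, and `dry_run=True` only returns the planned commands.

```python
import re
import subprocess
from typing import List

# Package name of the locker, taken from the APK details in the post.
LOCKER_PACKAGE = "qqkj.qqmagic"

# One line of `adb devices` output looks like "<serial>\t<state>".
DEVICE_LINE = re.compile(r"^(\S+)\s+(device|offline|unauthorized|no permissions)\b")


def parse_adb_devices(output: str) -> List[str]:
    """Return the serials of devices that adb reports in the 'device' state.

    'unauthorized' (USB debugging prompt not accepted on the phone) and
    'offline' devices are skipped, since shell commands would fail on them.
    """
    serials = []
    for line in output.splitlines():
        line = line.strip()
        # Skip the banner, blank lines and "* daemon started successfully" notices.
        if not line or line.startswith("List of devices") or line.startswith("*"):
            continue
        match = DEVICE_LINE.match(line)
        if match and match.group(2) == "device":
            serials.append(match.group(1))
    return serials


def package_installed(pm_output: str, package: str = LOCKER_PACKAGE) -> bool:
    """Check `adb shell pm list packages <package>` output for an exact match.

    pm prints one 'package:<name>' line per match and its filter is a substring
    match, so compare the full name to avoid acting on a look-alike package.
    """
    return any(line.strip() == f"package:{package}" for line in pm_output.splitlines())


def remediation_commands(serial: str, package: str = LOCKER_PACKAGE) -> List[List[str]]:
    """The adb command lines that stop the locker and then remove it from one device."""
    adb = ["adb", "-s", serial]
    return [
        adb + ["shell", "am", "force-stop", package],  # kills the lockscreen activity and services
        adb + ["uninstall", package],                   # removes the APK so it cannot restart on boot
    ]


def run(cmd: List[str]) -> str:
    """Run an adb command and return its stdout; raises if adb is missing or the command fails."""
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


def remediate_all(package: str = LOCKER_PACKAGE, dry_run: bool = True) -> List[List[str]]:
    """Plan (and, unless dry_run, execute) the cleanup for every attached, authorized device."""
    planned = []
    for serial in parse_adb_devices(run(["adb", "devices"])):
        pm_out = run(["adb", "-s", serial, "shell", "pm", "list", "packages", package])
        if not package_installed(pm_out, package):
            continue
        for cmd in remediation_commands(serial, package):
            planned.append(cmd)
            if not dry_run:
                run(cmd)
    return planned


if __name__ == "__main__":
    for cmd in remediate_all(dry_run=True):
        print(" ".join(cmd))
```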

Overall, this threat can be easily countered by force-stopping the app via adb and uninstalling it. Additionally, we did not observe any sensitive user information being transmitted back to the attacker, suggesting the low potency of this threat.

Dell SonicWALL provides protection against this threat via the following signatures:

  • GAV: AndroidOS.SLocker.EG (Trojan)
  • GAV: AndroidOS.SLocker.CN (Trojan)

APK Details:

  • Package Name: qqkj.qqmagic
  • MD5: 735b4e78b334f6b9eb19e700a4c30966

Wireless Firewall Solutions for Small Offices and Distributed Enterprises

If you are a small office, I have good news; the new SonicWall TZ Wireless Firewall Series now has integrated wireless. In an earlier life, the startup I was working for had a small compact office; it would be the perfect candidate for the integrated wireless product. For many, where the office is spread out or occupies multiple floors, the ability to use Access Points for an external solution would be the way to go.

Stay ahead of the threats with a product that reduces your threat surface with the security solution used by the big boys. If you are concerned that your security solution is not cutting it, now is the time to consider taking a look at the new TZ Wireless Firewall Series.

Why this is important for business owners

For the business owner, building the business is what commands your attention. Behind this is the absolute desire to avoid negative press associated with a data breach. Looking forward, the question remains “how do I use emerging trends to grow my business?” The new SonicWall TZ series gives you the confidence to grow your business and avoid embarrassing press. Security can help grow your business because a secure perimeter can be seen as a differential advantage, especially when working with enterprise customers.

Business owners are always dealing with tight budgets and look for ways to get the most out of their investment. No need to cut corners here. Both the wireless and wired products are not only affordable but over time deliver an impressively low total cost of ownership. With the TotalSecure bundle, combined with the wide range of product capabilities, the price to buy and the cost to own is something that should warrant investigation.

Over the past several years, SonicWall has invested in security to become the go-to provider of broad security solutions. With the SonicWall TZ products, there is a complete line of wired and wireless network security solutions that fit any type of business small to large. The TZ series enables businesses to achieve the same level of security on the wireless LAN that they have on their wired LAN through integrated wireless or by attaching an 802.11ac SonicWall SonicPoint wireless access point to the firewall. This high-speed “wireless network security” solution protects the WLAN by scanning wireless traffic for threats.

Why this is important for IT managers

For the small business, the IT department may be only one person. The focus is on maintaining a high performance network. The SonicWall TZ series can make the network more efficient by allocating more bandwidth to important applications than to less important and unproductive apps. The moment you add remote or branch offices, the network becomes more complex. By deploying the same firewall across networks, the efficiencies found with one network expand to include all networks. Instead of complexity, you get simplicity.

Highly effective security can also make the life of an IT manager simpler. The security perimeter is much more robust when everyone has the same device and everyone can speak a common language. Our security engine is common to all of our products and has been recognized not only for security effectiveness, but value as well. Compared to Cisco we are more affordable; compared to Fortinet, we perform better; and compared with Palo Alto, we have a wider product offering for small businesses. With the multiple products we offer, there is a solution designed to fit your specific needs and your budget.

Network security is not a one-shot event; it is a long-term race with many twists and turns. If you followed the Tour de France, you can see plenty of similarities. If you are going to wear the yellow jersey you need to be a leader, but you also need a strong support team to help you meet the challenges of the road ahead. In the security race that means you need the latest technology and a strong team supporting you. Let SonicWall’s winning products bring a new level of performance to your security race.


ATMFD.DLL Memory Corruption Vulnerability attacks spotted in the wild (Aug 4, 2015)

CVE-2015-2387 attacks have been spotted in the wild. An elevation of privilege vulnerability exists in the Adobe Type Manager Font Driver (ATMFD) when it fails to properly handle objects in memory. ATMFD.DLL in the Adobe Type Manager Font Driver in Microsoft Windows allows local users to gain privileges via a crafted application, aka “ATMFD.DLL Memory Corruption Vulnerability.” An attacker who successfully exploits this vulnerability can execute arbitrary code and take complete control of an affected system. The attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Following is the analysis of the exploit:

The executable is packed and contains the malicious font and the exploit code. The payload (.exe) prepares the ROP gadgets in user mode before it calls the vulnerable ATMFD.dll in kernel mode.

The sample opens ntkrnlpa.exe and calls the vulnerable ATMFD.dll. The malicious exe starts a cmd process with local user privileges and then exploits the vulnerability to gain admin privileges.

Running the malicious exe under WinDbg shows that it loads the font into memory.

Setting a breakpoint at NamedEscape shows the vulnerable dll being called.

The binary then tries to load the malicious font (the OTTO tag of a CFF-based OpenType font).

When ATMFD.dll tries to process this font, a buffer overflow occurs which allows the attacker to gain admin privileges.
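As an added illustration (not code from the post or from Dell SonicWALL), here is a Python triage helper that parses the sfnt table directory of an OpenType font, recognises the OTTO (CFF) flavour that ATMFD.DLL handles, and flags directory entries that point outside the file or lack the expected ‘CFF ’ table, the kind of inconsistency a mail gateway or sandbox can check before a kernel font driver ever parses the file. The header and record layouts are from the OpenType specification; the sample fonts are constructed inside the block.

```python
import struct
from typing import Dict, List, Optional, Tuple

# sfnt header: sfntVersion(4) numTables(2) searchRange(2) entrySelector(2) rangeShift(2)
SFNT_HEADER = struct.Struct(">4sHHHH")
# table record: tag(4) checksum(4) offset(4) length(4)
TABLE_RECORD = struct.Struct(">4sIII")

OTTO = b"OTTO"              # sfnt version of CFF-flavoured OpenType, the kind ATMFD.DLL parses
TRUETYPE = b"\x00\x01\x00\x00"


def parse_sfnt(data: bytes) -> Tuple[bytes, Dict[bytes, Tuple[int, int]], List[str]]:
    """Parse only the table directory; return (version, {tag: (offset, length)}, findings)."""
    findings: List[str] = []
    if len(data) < SFNT_HEADER.size:
        return b"", {}, ["truncated: shorter than the 12-byte sfnt header"]
    version, num_tables, _sr, _es, _rs = SFNT_HEADER.unpack_from(data, 0)
    tables: Dict[bytes, Tuple[int, int]] = {}
    pos = SFNT_HEADER.size
    for _ in range(num_tables):
        if pos + TABLE_RECORD.size > len(data):
            findings.append(f"truncated: directory claims {num_tables} tables, file ends first")
            break
        tag, _checksum, offset, length = TABLE_RECORD.unpack_from(data, pos)
        pos += TABLE_RECORD.size
        if tag in tables:
            findings.append(f"duplicate table {tag!r}")
        tables[tag] = (offset, length)
    return version, tables, findings


def triage_font(data: bytes) -> List[str]:
    """Sanity-check an sfnt before handing it to a font driver; an empty list means nothing odd."""
    version, tables, findings = parse_sfnt(data)
    if not version:
        return findings
    if version not in (OTTO, TRUETYPE):
        findings.append(f"unknown sfnt version {version!r}")
        return findings
    if version == OTTO and b"CFF " not in tables:
        findings.append("OTTO font without a 'CFF ' table")
    for tag, (offset, length) in tables.items():
        end = offset + length  # Python ints do not wrap, so this cannot overflow like a C uint32
        if offset < SFNT_HEADER.size or end > len(data):
            findings.append(
                f"table {tag!r} (offset={offset}, length={length}) lies outside the {len(data)}-byte file"
            )
        elif offset % 4:
            findings.append(f"table {tag!r} not 4-byte aligned")
    return findings


def build_sfnt(version: bytes, tables: Dict[bytes, bytes],
               fake_length: Optional[Dict[bytes, int]] = None) -> bytes:
    """Assemble an sfnt from {tag: payload}; fake_length overrides a recorded length (for samples)."""
    fake_length = fake_length or {}
    n = len(tables)
    entry_selector = n.bit_length() - 1 if n else 0
    search_range = (1 << entry_selector) * 16 if n else 0
    range_shift = n * 16 - search_range
    offset = SFNT_HEADER.size + n * TABLE_RECORD.size   # tables start right after the directory
    records, blobs = [], []
    for tag, payload in tables.items():
        padded = payload + b"\0" * (-len(payload) % 4)  # keep every table 4-byte aligned
        records.append(TABLE_RECORD.pack(tag, 0, offset, fake_length.get(tag, len(payload))))
        blobs.append(padded)
        offset += len(padded)
    header = SFNT_HEADER.pack(version, n, search_range, entry_selector, range_shift)
    return header + b"".join(records) + b"".join(blobs)


if __name__ == "__main__":
    # Constructed samples: a minimal well-formed OTTO font and one whose CFF entry runs past EOF.
    good = build_sfnt(OTTO, {b"CFF ": b"\x01\x00\x04\x01", b"cmap": b"\0" * 8})
    bad = build_sfnt(OTTO, {b"CFF ": b"\x01\x00\x04\x01"}, fake_length={b"CFF ": 0x7FFFFFFF})
    print("good:", triage_font(good))
    print("bad: ", triage_font(bad))
```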

The Dell SonicWALL Threat Research Team has researched this vulnerability and released the following signatures to protect customers:

  • GAV 20469 : Dropper.A_767
  • GAV 17022 : CVE-2015-2387

A Winning Wireless Combo – New SonicWall TZ Wireless Firewalls and SonicWall SonicPoints 802.11ac

This is a guest post by Timothy Martinez, Founder and President of Western NRG, a premier partner of SonicWall Solutions.

The new SonicWall TZ Wireless line offers comprehensive security and powerful performance for wired and wireless networks, all in one unit. These network security appliances bring huge technical strides in processing and inspection power to the TZ line, along with 802.11ac wireless, which has up to 3x the throughput of previous wireless standards. The new TZ Wireless series is a powerful all-in-one solution that is perfect for small and medium-sized businesses that are looking for top-notch network performance with the latest wireless improvements.

We have had phenomenal results deploying the SonicPoint AC wireless access points since their release earlier this year. Every customer that has implemented the AC SonicPoints has seen significant improvement in the quality and speed of their wireless network. The technical improvements of the 802.11ac wireless standard combined with the high quality of the SonicPoint hardware have made the release the best one yet. The AC SonicPoints make enterprise-class wireless accessible and affordable for anyone with a SonicWall firewall. Organizations that require large areas to have complete wireless coverage love how the SonicPoints integrate with their existing network infrastructure and can be centrally managed from a familiar and intuitive interface. Wireless technology has improved by leaps and bounds over the last five years, and the performance that customers who are using the new SonicPoint AC access points are experiencing is the truest testament to that.

The SonicWall TZ Wireless firewall line is ideal for customers that need a single wireless access point for their location. Customers with networks that are distributed across multiple geographies love how the TZ Wireless solution allows them to implement a single device for network routing, security and wireless access. They also benefit from having a single integrated device because it lowers the cost and complexity of implementation and ongoing support. The new TZ line has the latest security and wireless technologies combined into one simple, desktop form-factor appliance.

One word of caution I would offer about recommending these appliances for certain environments is placement. The location of the firewall will need to be central enough in the customer location to provide adequate wireless coverage. Often, we see that the internet modem, and therefore the firewall, is in a telco closet in the back of the building, which is generally not the ideal location for your wireless broadcast point. This is something you will want to clarify in the pre-sales process in order to guarantee a successful implementation and a happy customer.

The Generation 6 TZ SonicWall and SonicWall SonicPoint AC lines are the most powerful firewall and wireless products that SonicWall has released to date. They bring true enterprise-level firewall and wireless capabilities to the SMB market with outstanding performance and rich feature sets. The SonicWall TZ Wireless line puts these great products into a single package that is ideal for security specialists and customers alike.

OpenSSL Alternative Chains Certificate Forgery (Aug 3, 2015)

A few weeks ago, OpenSSL released patches that fix several vulnerabilities. Among them, the “Alternative Chains Certificate Forgery” can lead to man-in-the-middle (MITM) attacks.

This MITM vulnerability affects OpenSSL versions 1.0.2c, 1.0.2b, 1.0.1n and 1.0.1o. During certificate verification, OpenSSL will attempt to find an alternative certificate chain if the first attempt to build such a chain fails. An error in the implementation of this logic means that an attacker could cause certain checks on untrusted certificates to be bypassed, enabling them to use a valid leaf certificate to act as a CA and “issue” an invalid certificate.

The vulnerability has been assigned CVE-2015-1793.

Dell SonicWALL has released an IPS signature to detect and block exploitation attempts targeting this vulnerability. The signature is listed below:

  • 11041 OpenSSL X509_verify_cert Function Security Bypass

Dell SonicWALL has observed several attack attempts in the past week:

Targeted IPs affected by the vulnerability:

PlugX Trojan was seen making the rounds (July 30, 2015)

The Dell SonicWALL Threat Research team has received reports of a Trojan called PlugX or Korplug which has recently been seen compromising various U.S. Government entities and other industries such as aerospace, media, healthcare and telecommunication networks. This Trojan has been reported to be in existence since 2008, and over the years PlugX has seen continuous development and use in targeted attacks resulting in the theft of sensitive information.

Infection Cycle:

PlugX has previously been seen bundled with online game installations, but more recently it has been delivered via spear-phishing emails. These emails contain a malicious rich text document that exploits vulnerabilities in Microsoft Word which could allow remote code execution. Several variants have leveraged exploits for CVE-2012-0158 and CVE-2014-1761, both of which have been resolved by Microsoft.

Once dropped on the victim machine, the main installer of this Trojan comes as a self-extracting RAR file and may use the following icons:

More recent variants of this Trojan create the following files in these directories:

  • %Userprofile%\SxS\NvSmart.exe – a benign file with a valid digital signature from a well-known vendor (e.g. Symantec, Microsoft, McAfee, Samsung and in this case, Nvidia)
  • %Userprofile%\SxS\NvSmartMax.dll – malicious dll [Detected as GAV: PlugX.DLL (Trojan)]
  • %Userprofile%\SxS\xxx.xxx – a configuration file

NvSmart.exe imports functions from NvSmartMax.dll. In a typical installation it would load the legitimate Nvidia library, but since a malicious DLL with the same name is present in the same directory, that malicious library is loaded instead (DLL side-loading).

Upon execution, this Trojan spawns and injects its code into svchost.exe, possibly to evade detection.

During our analysis, we saw this Trojan take desktop screenshots every 10 seconds and save them in a directory.

It also logged all active windows in a text file.

Apart from what was observed, this Trojan has been reported to have the following capabilities:

  • Communicate to several C&C servers
  • Collect history information of visited URLs from different browsers
  • Remote access/Backdoor functionalities: download, execute, create, delete and enumerate processes; administrative control over a target system
  • Log keystrokes

Dell SonicWALL Gateway AntiVirus provides protection against this threat with the following signatures:

  • GAV: PlugX.BK (Trojan)
  • GAV: PlugX.BK_2 (Trojan)
  • GAV: PlugX.DLL (Trojan)
  • GAV: PlugX.KOR (Trojan)

Stagefright – One of the most threatening Android exploits ever discovered (July 30, 2015)

A new security vulnerability in Android OS, which the security world is collectively dubbing the “worst Android vulnerability” discovered to date, has surfaced, leaving millions of Android devices susceptible. This vulnerability has been named Stagefright by the research team that unearthed it.

The potency of a vulnerability often stems from the ease with which it can break the security of a target system. Stagefright scores highly on this measure, as the attack can be executed remotely without any user intervention.

Most Android devices today have Google Hangouts set as the default messaging application. The vulnerability comes from the way in which Hangouts handles messages. If an MMS message containing a video is received by Hangouts, it starts the initial processing and keeps the video ready in the gallery to be viewed, along with a preview in the message notification; this is done even before the user opens the message. So if an attacker sends an MMS message containing a video with malicious code, Hangouts starts processing the message and inadvertently ends up executing the bundled malicious code.

Complete details about the vulnerability have not been released yet, but based on a number of security forums, certain fields of the video metadata can be used to trigger a buffer overflow, thereby allowing the attacker to execute malicious code on the device. More details about this vulnerability will be made public by the research team, along with proof-of-concept exploit code, at the Black Hat security conference on August 5.

Google has already acknowledged the vulnerability and patched it quickly. Unfortunately only the Nexus line of Google devices receives patches directly from Google; devices from other brands have to rely on manufacturers and carriers for software updates. Until then it is recommended to disable the “Auto retrieve MMS” feature in messaging apps:

  • Hangouts: Select settings and choose SMS, then uncheck “Auto retrieve MMS”
  • Messaging: Select options from upper right corner to go in Settings, there uncheck “MMS auto download”
  • As a precaution it is recommended to disable functionality similar to “Auto Retrieve” in other messaging apps as well, for example WhatsApp:

Dell SonicWall Threats Research team will continue to monitor developments on this vulnerability and update our blogs accordingly.

Combat Cyber Espionage with New SonicWall TZ Wireless Firewalls

How many times have you heard the phrase, “Your data is your most valuable possession?” Pretty often I bet. And it’s true. The information your organization keeps is extremely important not only to you, but to your customers as well.

I was thinking about this the other day while watching a scene from the movie “The Incredibles” where the superhero mom tells her daughter, “Your identity is your most valuable possession. Protect it.” That’s good advice, whether it’s data, records or even the identity of your employees or your customers. Protecting the things that are valuable to your organization from the seemingly relentless onslaught of theft is critical in today’s world.

Every day we are all potential victims of cyber-espionage. It doesn’t matter what size your organization is. Sure, the bigger the victim the larger the headline. To safeguard our customers against attack, today SonicWall has announced the new SonicWall TZ Wireless firewall series which combines enterprise-grade security, deep packet inspection of SSL-encrypted traffic and integrated high-speed 802.11ac wireless for small and medium-sized businesses and distributed enterprises.

Back in April we announced our new lineup of secure, high-performance SonicWall TZ series firewalls that help both small and medium-sized businesses (SMBs) and large distributed enterprises protect their most valuable assets. The TZ series allows SonicWall to offer market-leading security solutions to its customers at a price that fits under even the tightest budgets. With these new firewalls, small organizations can afford the same security effectiveness as large enterprises.

One of our premier partners, Western NRG, has already experienced the incredible benefits of the new TZ wireless firewalls.

“Since I upgraded my remote office from a TZ 105 Wireless to the new TZ500 Wireless I have noticed a substantial increase in my Internet speeds! I am truly taking advantage of the 100Mb download offering from my ISP. In addition, I have also added the new SonicPoint ACi to the network. The boys at NRG configured the TZ500 Wireless and the SonicPoint ACi to use the 5GHz radio and a single SSID which allows me to connect anywhere in the multi-story 3400 square foot facility and have seamless wireless access to networking resources now with amazing speeds!” said Tim Martinez, president of Western NRG, Inc.

The TZ Wireless series takes security and performance another giant step forward with built-in secure WiFi connectivity. And not just any WiFi. With these new firewalls, our customers can have the same level of protection and performance on their wireless networks as they do on their wired networks.

If you’re familiar with the benefits of 802.11ac, good for you. If you’re not, there are plenty of articles you can read on the subject. Even better, check out Scott Grebe’s blog titled “Three Reasons to Make the Jump to 802.11ac.” If you don’t have the time, here is the abbreviated version.

  • 802.11ac is really fast. It’s about 3x faster than its predecessor 802.11n. Faster speed means greater employee productivity and a better user experience.
  • 802.11ac enhances the quality of the wireless signal. Ever have a poor WiFi or cellular connection? How did that make you feel?
  • 802.11ac plays well with earlier wireless standards. In other words, it’s backward compatible with WiFi devices that use the 802.11n, b, g or a standards like your mobile phone, tablet and laptop so you can continue to use them to connect to the wireless network if you want.

The integration of high-speed wireless into our TZ series firewalls is good news for SonicWall customers. It enables us to offer them a complete security solution for wired and wireless networks of all sizes. SMBs love the highly integrated nature of the TZ series along with the simplified setup and management. Configuration of the LAN and wireless LAN and accompanying security is all done through the appliance’s GUI. So is the management. Distributed enterprises also enjoy these same benefits, however many take things a step further by adding our award-winning Global Management System (GMS) to enable centralized management and reporting of multiple TZ series firewalls deployed in different locations.

With the introduction of our new TZ Wireless series we have our strongest lineup ever of wired and wireless firewall solutions for SMBs and distributed enterprises. Whether it’s our customers’ data, their records or even their superhero identities, we’re able to protect it like no one else. If you want to learn more about the TZ series including our new wireless models featuring 802.11ac, check out the TZ series page on our website.

Five Essentials for Best of Breed Next Gen Firewalls

Beyond basic network firewall testing scenarios, the specialized firewall testing tools needed to accurately assess next-generation firewall (NGFW) security effectiveness remain out of reach for all but the largest IT department budgets. Therefore, most organizations look to independent hands-on test results from respected research laboratories such as NSS Labs. NSS Labs uses a very specific testing methodology that is run on each of the NGFWs being tested. Their Next-Generation Firewall Product Analysis Report provides detailed information on how a specific firewall scored when tested in these key essential areas:

  • Security Effectiveness
  • Performance
  • Stability and Reliability
  • Management and Configuration
  • Total Cost of Ownership

Security Effectiveness

Security effectiveness verifies that the firewall being tested is capable of enforcing the security policy effectively. Security effectiveness tests include:

Firewall Policy enforcement

Incremental tests that build the configuration from a simple policy to a complex real-world one consisting of many addresses, policies, applications and inspection engines, plus protection from DoS attacks and IP spoofing.

Application Control

The firewall is tested to see whether it can correctly identify the application regardless of the ports/protocols used and enforce application policy at the appropriate granularity.

User/Group ID aware policies

Correctly determine the user/group through deep packet inspection and enforce policy with user awareness.

Intrusion Prevention

Correctly block malicious traffic “out of the box” using the default policy (no IPS tuning is allowed for this test).

Evasion

Decode and block basic obfuscated exploits and raise an accurate alert based on the actual attack, without being fooled by the evasion technique itself.

How did SonicWall next-generation firewalls do? They passed all criteria. Noteworthy SonicWall results included a 97.9 percent exploit block rate. No NGFW tested achieved a 100 percent exploit block rate, due to the constantly changing NSS Labs test suite. However, over the last three years SonicWall has consistently been rated in the leaders quadrant and has demonstrated a consistently improved block rate year over year.

Performance

Measures how well a given NGFW performs when subjected to various traffic conditions. No two networks will have exactly the same characteristics, but this test does provide metrics to gauge whether a given NGFW is appropriate in a given environment.

  • Raw Packet Processing Performance (UDP packets of various sizes): measures the raw packet processing capability of each of the NGFW’s in-line port pairs; the packet forwarding rate is measured for highest performance/lowest latency.
  • Latency (packet loss/average latency): determines the effect the NGFW has on traffic passing through it under various loads. Traffic passes through all port pairs simultaneously.
  • Maximum Capacity (generates TCP session-based connections and HTTP transactions): stresses the inspection engine with multi-gigabit “real world” traffic to determine expected user response times, maximum connections per second, concurrent open connections and application transactions per second on a backdrop of a heavily utilized network.
  • HTTP Capacity, No Transaction Delay (uses HTTP GET requests): how much HTTP traffic of varying packet sizes can be passed at various connections-per-second loads.
  • Application Average Response Time, HTTP (across all in-line port pairs simultaneously): measures average HTTP latency using various packet sizes at 90 percent of maximum load.
  • HTTP Capacity with Transaction Delay: same as above, except that a 5 second server response delay is introduced, forcing a high number of open connections.
  • Real World Traffic (generates the protocol mix usually seen by industry verticals, i.e. financial, education, data center, mobile carrier, etc.): same as the previous test, except that additional protocols and real content are added.

Stability and Reliability

These tests measure how well a next-generation firewall passes legitimate traffic while under attack. To pass, the NGFW must be able to block and alert on 100 percent of the attacks previously blocked while remaining operational.

  • Blocking under Extended Attack: measures consistency of blocking. Sends continuous policy violations at 100Mbps over 8 hours.
  • Passing Legitimate Traffic Under Extended Attack: same as the previous test, except that legitimate traffic is sent in addition. The NGFW must pass all legitimate traffic.
  • Behavior of State Engine Under Load: can the NGFW preserve state across a large number of connections over an extended time? It must not exhaust the resources allocated to state tables or ‘leak’ connections through after the theoretical maximum of concurrent connections is reached.
  • Protocol Fuzzing and Mutation: sends random, unexpected, or invalid data to the NGFW and verifies that the NGFW remains operational and detects/blocks exploits throughout the test.
  • Power Fail: power is turned off while passing traffic; the NGFW should fail closed after power is cut.
  • Persistence of Data: measures whether the NGFW retains policy, configuration and log data when restored after a power failure.

Total Cost of Ownership and Value

Measures the overall costs of deployment, maintenance and upkeep over the useful life of the product.

  • Product Purchase: cost of acquisition.
  • Product Maintenance: fees paid to the vendor (hardware maintenance, subscription services, etc.).
  • Installation: time required to make the NGFW operational out of the box.
  • Upkeep: time required to apply vendor-supplied firmware, updates and patches.

New GamaPoS malware targets US companies

The Dell SonicWALL Threats Research team observed reports of a new POS malware family, detected as GAV: GamaPOS.ABC. The POS malware contains memory-scraping functions like the popular Point-of-Sale Trojan BlackPOS, but this time the malware is spreading across the United States through malicious emails carrying attachments such as the macro-based Andromeda malware seen in the wild.

The POS malware uses valid certificates to sign its malicious components to avoid detection by AVs.

Infection Cycle:

Md5s:

  • Detected as GAV: GAMAPOS.ABC (Trojan)
    • dc035e61535d5db2ad08d6853c7759a3
    • 6cabaef20e08803e2e9cd380aae00bc6
    • 685f2a756a001598ec697911c2ee11cd
    • 1c7baed4c317e610ea991751e5d9758d
    • 575040751b4755ecf5c9394b76b5c41c
  • Detected as GAV: GAMAPOS.ABD (Trojan)
    • 99fd9f118eaa969976f2defb61e4582e

The malware adds the following files to the system:

  • %Userprofile%\All Users\jane.exe [executable dropper]
  • %Userprofile%\All Users\_temp.dat [keylogger log]

The malware adds the following key to the Windows registry to ensure persistence upon reboot:

The malware uses multiple components to grab information from the infected machine and uses legitimate code-signing certificates to avoid detection by AV vendors.

GamaPOS retrieves a list of running processes and periodically scrapes the memory of those processes on the infected machine for credit card information.

The malware installs a keylogger on the target machine and saves the captured information to the _temp.dat file.

Here is an example:

Command and Control (C&C) Traffic

GamaPOS performs C&C communication over port 1080. The malware sends system information to its own C&C server in the following format; here are some examples:

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: GamaPos.ABC (Trojan)
  • GAV: GamaPos.ABD (Trojan)