# VSkimmer Botnet Targets Credit Card Payment Terminals

**[securingtomorrow.mcafee.com/mcafee-labs/vskimmer-botnet-targets-credit-card-payment-terminals/](https://securingtomorrow.mcafee.com/mcafee-labs/vskimmer-botnet-targets-credit-card-payment-terminals/)**

March 21, 2013

[Chintan Shah](https://www.mcafee.com/blogs/author/chintan-shah/)
Mar 21, 2013

6 MIN READ

**April 2**

**This blog has been updated with McAfee’s NSP detection. See end of blog.**


-----

While monitoring a Russian underground forum recently, we came across a discussion about
a Trojan for sale that can steal credit card information from machines running Windows for
financial transactions and credit card payments. The malware, vSkimmer, can detect the
card readers, grab all the information from the Windows machines attached to these readers,
and send that data to a control server. The author of the thread also discusses other
capabilities of this malware, which appears to be a successor of Dexter, but with additional
functions.

We already know
about botnets such
as Zeus and
SpyEye, which
perform financial
fraud using
extremely
sophisticated
techniques including
intercepting the
victims’ banking

transactions.
VSkimmer is
another
example of how
financial fraud
is actively
evolving and
how financial
Trojans are
developed and
passed around
in the
underground
community.
This botnet is
particularly interesting because it directly targets card-payment terminals running Windows.

Our Automated Botnet Replication Framework first saw this Trojan on January 18. We’ve
analyzed samples of this malware and figured out how it steals the credit card information
and its additional control functionalities. While performing the API tracing, we found it uses
fairly standard antidebugging techniques:

The malware collects the following information from the infected machine and sends it to the
control server:


-----

Machine GUID
from the
Registry
Locale info
Username
Hostname
OS version

This malware
uses a standard
installation
mechanism and

copies
itself as

svchost.exe into %APPDATA%, modifies the registry key to add itself under the authorized
list of apps, and runs ShellExecute to launch the process. One function of vSkimmer if the
Internet is not available is to wait for a USB device with the volume name KARTOXA007 to
be connected to the infected machine and to copy all the logs with the file name dumz.log
and the card info collected from the victim to the USB drive.

I checked by disconnecting from the Internet: The malware enumerated all the drives and
created the file dumz.log in the drive with the preceding name.


-----

## Extracting credit card information

VSkimmer maintains the whitelisted process, which it skips while enumerating the running
processes on the infected machine.

Once vSkimmer finds any running process not in the whitelist, it runs OpenProcess and
ReadProcessMemory to read the memory pages of the process and invokes the patternmatching algorithm to match the regular expression “?[3-9]{1}[0-9]{12,19}[D=\\u0061][0-9]
{10,30}\\??”)” and extract the card info read by the payment devices. This is done recursively
for every process running in the infected machine and not on the whitelist.


-----

## VSkimmer control

Before communicating with the control server, the malware B64-encodes all the machine
information collected and appends it to the URI. The encoded string follow this format:


-----

machine guid|build_id|bot_version|Windows_version|Host_name|User_Name

Next,
vSkimmer
creates the
HTTP
request and
connects to
the control
server:

While this
malware ran,
we saw the
following
response.
Note that the
commands
are within
the <cmd>
</cmd> tag.

Once
vSkimmer
receives a
response
from the server, it executes the following routine to parse the command:

Because the response from the server during execution was <cmd>null</cmd>, the malware
extracts the 3-byte command and tries to match it with the other commands implemented by
vSkimmer. First it checks if the command from the server is “dlx.”

If not, then vSkimmer checks for the “upd” command. These commands implement the
HTTP download and execute (“dlx”) and update of the bot (“upd”), respectively.

As we saw earlier in this post, vSkimmer can also grab the Track 2 data stored on the
magnetic strip of the credit cards. This track stores all the card information including the card
[number. (You can read more about the Track 2 data format on Wikipedia. The chief](http://en.wikipedia.org/wiki/Magnetic_stripe_card)
information:

Primary Account Number: the number printed on the front of the card
Expiration Date
Service Code: the three-digit number


-----

-----

## VSkimmer bot control panel

Here’s a look at the control panel of the command server:

**UPDATE**

McAfee NSP detection:


-----

Attack ID: 0x4880a600

Attack Name: BOT: VSkimmer Traffic Detected

Sigset: Intrushield Network Security Signature Set 7.5.34.10

[Chintan Shah](https://www.mcafee.com/blogs/author/chintan-shah/)
Chintan Shah is currently working as a Security Researcher with McAfee Intrusion
Prevention System team and holds broad experience in the network security industry. He
primarily focuses on Exploit and...

### More from McAfee Labs

[Crypto Scammers Exploit: Elon Musk Speaks on Cryptocurrency](https://www.mcafee.com/blogs/other-blogs/mcafee-labs/crypto-scammers-exploit-talk-on-cryptocurrency/%20)

By Oliver Devane Update: In the past 24 hours (from time of publication) McAfee has
identified 15...

May 05, 2022 |  4 MIN READ

[Instagram Credentials Stealer: Disguised as Mod App](https://www.mcafee.com/blogs/other-blogs/mcafee-labs/instagram-credentials-stealer-disguised-as-mod-app/%20)

Authored by Dexter Shin McAfee’s Mobile Research Team introduced a new Android
malware targeting Instagram users who...

May 03, 2022 |  4 MIN READ

[Instagram Credentials Stealers: Free Followers or Free Likes](https://www.mcafee.com/blogs/other-blogs/mcafee-labs/instagram-credentials-stealers-free-followers-or-free-likes/%20)

Authored by Dexter Shin Instagram has become a platform with over a billion monthly active
users. Many...

May 03, 2022 |  6 MIN READ


-----

[Scammers are Exploiting Ukraine Donations](https://www.mcafee.com/blogs/other-blogs/mcafee-labs/scammers-are-exploiting-ukraine-donations/%20)

Authored by Vallabh Chole and Oliver Devane Scammers are very quick at reacting to
current events, so...

Apr 01, 2022 |  7 MIN READ

[Imposter Netflix Chrome Extension Dupes 100k Users](https://www.mcafee.com/blogs/other-blogs/mcafee-labs/imposter-netflix-chrome-extension-dupes-100k-users/%20)

Authored by Oliver Devane, Vallabh Chole, and Aayush Tyagi McAfee has recently
observed several malicious Chrome Extensions...

Mar 10, 2022 |  8 MIN READ

[Why Am I Getting All These Notifications on my Phone?](https://www.mcafee.com/blogs/other-blogs/mcafee-labs/why-am-i-getting-all-these-notifications-on-my-phone/%20)

Authored by Oliver Devane and Vallabh Chole  Notifications on Chrome and Edge, both
desktop browsers, are commonplace,...

Feb 25, 2022 |  5 MIN READ


-----

[Emotet’s Uncommon Approach of Masking IP Addresses](https://www.mcafee.com/blogs/other-blogs/mcafee-labs/emotets-uncommon-approach-of-masking-ip-addresses/%20)

In a recent campaign of Emotet, McAfee Researchers observed a change in techniques. The
Emotet maldoc was...

Feb 04, 2022 |  4 MIN READ

[HANCITOR DOC drops via CLIPBOARD](https://www.mcafee.com/blogs/other-blogs/mcafee-labs/hancitor-doc-drops-via-clipboard/%20)

Hancitor, a loader that provides Malware as a Service, has been observed distributing
malware such as FickerStealer,...

Dec 13, 2021 |  6 MIN READ

[‘Tis the Season for Scams](https://www.mcafee.com/blogs/other-blogs/mcafee-labs/tis-the-season-for-scams/%20)

‘Tis the Season for Scams

Nov 29, 2021 |  18 MIN READ


-----

[The Newest Malicious Actor: “Squirrelwaffle” Malicious Doc.](https://www.mcafee.com/blogs/other-blogs/mcafee-labs/the-newest-malicious-actor-squirrelwaffle-malicious-doc/%20)

Authored By Kiran Raj Due to their widespread use, Office Documents are commonly used
by Malicious actors...

Nov 10, 2021 |  4 MIN READ

[Social Network Account Stealers Hidden in Android Gaming Hacking Tool](https://www.mcafee.com/blogs/other-blogs/mcafee-labs/social-networks-account-stealer-hidden-in-android-gaming-hacking-tool/%20)

Authored by: Wenfeng Yu McAfee Mobile Research team recently discovered a new piece of
malware that specifically...

Oct 19, 2021 |  6 MIN READ

[Malicious PowerPoint Documents on the Rise](https://www.mcafee.com/blogs/other-blogs/mcafee-labs/malicious-powerpoint-documents-on-the-rise/%20)

Authored by Anuradha M McAfee Labs have observed a new phishing campaign that utilizes
macro capabilities available...

Sep 21, 2021 |  6 MIN READ


-----

-----