Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations Mike Lewis on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Two Aloha 6.4 Stores Infected with Alina POS Malware - Credit Cards Compromised

Status
Not open for further replies.

HackedPOS

IS-IT--Management
Feb 19, 2013
2
US
I created a new account in an attempt to protect my identity. I work technical support for the franchisor, providing technical support for our stores.

On Friday, February 16, 2013 a secret service agent of the FBI called one of our store owners saying at least nine credit cards had been compromised and the bank had traced the common source between the nine cards back to their store. I was made aware of this on Monday, February 18. A google search of the agent's name verified the call was legitimate, the agent's name appeared in a news article about a presidential assassination attempt. A google search of the phone number provided was for the secret service. Upon hearing this information, the first thing I did was log in remotely and run two log-generating programs : OTL and DDS. The antivirus software on the BOH was Microsoft Security Essentials - and it was showing green. This means there were no problems with it. MSE will show red when attention is needed (like if it finds a threat) or yellow if a scan hasn't run in a while or if it hasn't been updated in a while. I opened MSE and checked the history and it showed no problems. I then performed a manual update and when I ran this update, it found and quarantined a password stealer. The definitions for this threat were last updated February 17, 2013.

The OTL log showed the following files/folders created in the last 30 days:

Code:
[color=#E56717]========== Files/Folders - Created Within 30 Days ==========[/color]
 
[2013/02/02 06:40:21 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Local Settings\Application Data\PCHealth
[2013/02/01 13:19:08 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\My Documents\January
[2013/01/30 16:48:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\Ofsici
[2013/01/30 16:48:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\Gyom
[2013/01/30 16:48:26 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\Cuxoqy
[2013/01/30 11:58:48 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Local Settings\Application Data\Identities
[2013/01/30 11:58:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\Ypmim
[2013/01/30 11:58:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\Inid
[2013/01/30 11:58:22 | 000,000,000 | ---D | C] -- C:\Documents and Settings\Owner\Application Data\Besep
[2008/07/15 13:58:52 | 000,308,600 | ---- | C] (Symantec Corporation) -- C:\Documents and Settings\All Users\Application Data\NortonProtectionMemo.exe
[6 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]

In addition, OTL listed the following running process:

Code:
PRC - [2013/02/18 07:29:11 | 000,658,432 | ---- | M] () -- C:\Documents and Settings\Owner\Application Data\desktop.exe

Research of this line revealed the BOH had been infected with Alina malware. Search results were sparse (and new). Most information seems to be coming from a French security researcher who goes by the name Xylitol. Here is a posting from his blog about Alina:


Xylitol also posts some information about Alina in this forum thread that he started:


There is also this bulletin by Symantec:


I believe the malware is using a service similar to rdasrv.exe to scrape the credit card numbers from memory. Sophos explains this here:


When we discovered this happening, we put the terminal into the offline redundancy mode and powered off the BOH. Our plan is to create an Acronis 2011 / 2012 full disk image to send to the secret service / FBI. I then performed a full file backup of the C: drive using RichCopy. Then, I booted from a Windows XP disc, deleted the C: partition and started a fresh install.

Basically, this post isn't so much a question, but more to get some discussion going. Has anybody else seen this yet? It's both new and impressive.
 
Have not seen anything like this. I appreciate the post though, in case I run across anything suspicious on my systems, it's good to know what to look for.

 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top