Alina POS Malware

The dangers of point of sale (POS) malware were recently brought to the public's attention following breaches affecting large retailers such as Target and Neiman Marcus. Although those breaches were not the first of their kind, the widespread impact and timing of those attacks, during the Christmas shopping season, amplified their significance.[1] POS malware, also known as a RAM scraper, infects a system and seeks to harvest payment card data. Although the Payment Card Industry Data Security Standard (PCI DSS) requires payment card information to be encrypted when transmitted over a network or stored, the data may briefly exist unencrypted in a POS system's volatile memory. Sometimes the data persists in RAM even after the transaction has completed. This environment provides criminals with a prime opportunity to harvest data. Payment card data formats are defined in the ISO/IEC 7813 and 7816 standards, which criminals can use as a guidebook for building search algorithms that seek out the relevant information. The POS malware searches the POS system's RAM for payment card data in its unencrypted form and then returns that data to a server.[2] The stolen data is most often sold on the black market, resulting in credit card fraud and other types of identity theft.[3]


Alina is POS malware that is currently used by threat actors. The earliest version of Alina was discovered in October 2012. Alina's installation process is not particularly unusual. In versions 0.1 through 1.0, once present on a POS system, Alina checked for the argument 'ALINA=<executable_path_name>'. If the argument was supplied, Alina deleted the executable named in it and installed nothing. If the argument was not found, Alina initialized installation by copying itself to the following path: %TEMP%\ALINA_<6_random_letters>.exe. To ensure persistence, Alina then modified the registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ALINAhuahs, writing the location of the copied executable to it. Finally, Alina called the new executable with the argument 'ALINA=' pointing at itself, ensuring the original file was deleted.[4]


Versions 2.x – 4.x employed a stealthier installation method. Instead of installing as 'ALINA_<6_random_letters>.exe', the malware copied itself to the %TEMP% directory under one of seven file names, chosen at random:

  • java.exe
  • jusched.exe
  • jucheck.exe
  • desktop.exe
  • adobeflash.exe
  • msupdate.exe
  • windowsfirewall.exe


To ensure persistence, Alina then installed to the registry key corresponding to the chosen file name. The malware then checked for previously installed versions and removed them. Additionally, beginning in version 2.1, Alina was packed with the Ultimate Packer for eXecutables (UPX). UPX allowed the authors to reduce the size of the malware and to hide strings within the executable that anti-virus software might otherwise have detected.[5]


In version 5.0, Alina no longer used a randomly chosen file name. Instead, Alina used the victim's volume serial number to select one of the following eleven file names:


  • defender.exe
  • explorer.exe
  • svchost.exe
  • scvhost.exe
  • ctfmon.exe
  • rundll32.exe
  • cmd.exe
  • csrss.exe
  • dasHost.exe
  • services.exe
  • Taskmgr.exe

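The install paths, Run-key entry and file names described above give a defender concrete artefacts to hunt for: an `ALINA_` executable or a Java-updater look-alike in %TEMP%, or a Windows system binary name (svchost.exe, csrss.exe, the misspelt scvhost.exe) living outside the Windows directory. The following is an added example, not code from this write-up or from HPSR, that scores constructed HKCU Run-key entries against those artefacts; the fixed `C:\Windows` paths and the assumption that each value is a bare path without arguments are simplifications.

```python
import ntpath
import re

# File names the write-up attributes to Alina 2.x-4.x (picked at random) and to
# 5.0 (picked from the volume serial number); the 5.0 set mimics Windows binaries.
ALINA_2X_NAMES = {"java.exe", "jusched.exe", "jucheck.exe", "desktop.exe",
                  "adobeflash.exe", "msupdate.exe", "windowsfirewall.exe"}
ALINA_50_NAMES = {"defender.exe", "explorer.exe", "svchost.exe", "scvhost.exe",
                  "ctfmon.exe", "rundll32.exe", "cmd.exe", "csrss.exe",
                  "dashost.exe", "services.exe", "taskmgr.exe"}
ALINA_1X_FILE = re.compile(r"^alina_[a-z]{6}\.exe$", re.I)
# Assumption: fixed system drive; a real hunt would resolve %SystemRoot% instead.
WINDOWS_DIRS = {"c:\\windows", "c:\\windows\\system32", "c:\\windows\\syswow64"}


def _is_temp_dir(directory: str) -> bool:
    d = directory.lower().rstrip("\\")
    return d == "%temp%" or d.endswith("\\temp")


def assess_run_entry(value_name: str, command: str) -> list:
    """Reasons a HKCU\\...\\CurrentVersion\\Run entry resembles an Alina install."""
    path = command.strip().strip('"')   # assumption: bare path, no arguments
    directory, filename = ntpath.split(path)
    name = filename.lower()
    findings = []
    if value_name == "ALINAhuahs":
        findings.append("value name 'ALINAhuahs' is the Alina 0.1-1.0 persistence entry")
    if ALINA_1X_FILE.match(name) and _is_temp_dir(directory):
        findings.append("ALINA_<6 letters>.exe in %TEMP% matches the 0.1-1.0 install path")
    if name in ALINA_2X_NAMES and _is_temp_dir(directory):
        findings.append(f"{filename} in %TEMP% matches an Alina 2.x-4.x file name")
    if name in ALINA_50_NAMES and directory.lower().rstrip("\\") not in WINDOWS_DIRS:
        findings.append(f"{filename} outside the Windows directory matches the 5.0 pattern")
    return findings


def hunt(entries: list) -> dict:
    """Map each suspicious Run value name to its findings; clean entries are omitted."""
    flagged = {}
    for value_name, command in entries:
        findings = assess_run_entry(value_name, command)
        if findings:
            flagged[value_name] = findings
    return flagged


# Constructed Run-key contents: three Alina-style entries and two legitimate ones.
SAMPLE_RUN_ENTRIES = [
    ("ALINAhuahs", r"C:\Users\pos\AppData\Local\Temp\ALINA_qwzrtk.exe"),
    ("jusched", r"%TEMP%\jusched.exe"),
    ("svchost", r"C:\Users\pos\AppData\Local\Temp\svchost.exe"),
    ("SunJavaUpdateSched", r"C:\Program Files\Java\jre7\bin\jusched.exe"),
    ("Shell", r"C:\Windows\explorer.exe"),
]
```

On a live system the same `hunt()` can be fed the output of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run`, with the %TEMP% location read from the user's environment rather than hard-coded.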

Beginning with version 5.2, Alina included an attempt at counter-forensic measures. It used a crypter written in Visual Basic to obfuscate the binary, making the malware more difficult to reverse engineer. In version 5.5, Alina added UPX Protector, which corrupts the UPX header so that the binary cannot easily be unpacked with the standard UPX tool.[6]


The magnetic stripe on a payment card contains what is known as track data. Track 1 and Track 2 data are commonly used for retail POS transactions. Track 1 and Track 2 data include the card number, card type (debit or credit), cardholder's name, expiration date, service code, and discretionary data. The types of discretionary data written to the track vary per card issuer and sometimes include a card's code or personal identification number (PIN).[7] Pre-5.x versions of Alina used a consistent method for track data aggregation. First, the malware built an array of processes to monitor via calls to CreateToolhelp32Snapshot(), Process32First(), and Process32Next(), ignoring select blacklisted processes. Next, Alina looped through each process, reading pages of memory via calls to VirtualQueryEx() and ReadProcessMemory() and targeting only regions with read/write protection. Alina then used regular expressions to find Track 1 and Track 2 data in that memory. Finally, Alina exfiltrated the relevant data and started the process again. Beginning with version 5.x, Alina used multithreading to reduce the chance of overlooking any track data.[8]


Versions 0.1 through 1.0 of Alina exfiltrated data in cleartext via a POST parameter. Beginning with version 2.0, Alina obfuscated track data by XORing it with a key of 0xAB and then converting it to hex. What makes Alina so interesting is its use of a command and control (C&C) server, which was added in version 2.1. The C&C functions allowed the author to update the malware, including the exfiltration URLs, and to change the time interval between update requests. The C&C function also served as a backdoor, allowing the author to potentially install other malware as well. In version 3.1, Alina began requiring a 666 status code from the remote server. This version also added support for three exfiltration URLs: if one URL responded with the wrong status code or was unavailable, Alina tried the next. Beginning in version 5.2, Alina used a different encryption algorithm to obfuscate exfiltrated data. The first 76 bytes of data were XORed against the key 0xAA, and all remaining data was XORed against a key derived from the decoded data at byte offsets 18 through 35.[9]

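An incident responder who has captured Alina's HTTP POSTs needs to reverse these encodings to see which cards were taken. The following is an added example, not code from HPSR or from the malware, that implements the 2.0 scheme exactly as described and the 5.2 scheme with one labelled assumption: the decoded bytes at offsets 18 through 35 (inclusive, 18 bytes) are used directly as a repeating XOR key, since the write-up only says the key is based on them. The sample record is constructed.

```python
HEADER_LEN = 76              # bytes covered by the fixed 0xAA key in 5.2+
HEADER_KEY = b"\xaa"
KEY_SLICE = slice(18, 36)    # decoded offsets 18..35 inclusive = 18 bytes


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating key (the operation is its own inverse)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encode_v2(track_data: bytes) -> str:
    """Alina 2.0 onwards: XOR with 0xAB, then hex-encode for the POST parameter."""
    return xor_bytes(track_data, b"\xab").hex()


def decode_v2(hex_payload: str) -> bytes:
    """Recover track data from a captured 2.0-style POST parameter."""
    return xor_bytes(bytes.fromhex(hex_payload), b"\xab")


def decode_v52(raw: bytes) -> bytes:
    """Alina 5.2+: the first 76 bytes are XORed with 0xAA; the remainder with a
    key based on the decoded bytes at offsets 18-35. Assumption: those 18 bytes
    are used as-is as a repeating XOR key (the write-up does not say how the key
    is derived from them)."""
    header = xor_bytes(raw[:HEADER_LEN], HEADER_KEY)
    if len(raw) <= HEADER_LEN:
        return header
    return header + xor_bytes(raw[HEADER_LEN:], header[KEY_SLICE])


def encode_v52(plain: bytes) -> bytes:
    """Inverse of decode_v52, used here only to build a test capture: the body key
    is read from the plaintext header, which is what the decoder recovers first."""
    if len(plain) < HEADER_LEN:
        raise ValueError("5.2 records carry at least a 76-byte header")
    return xor_bytes(plain[:HEADER_LEN], HEADER_KEY) + xor_bytes(plain[HEADER_LEN:], plain[KEY_SLICE])


# Constructed 5.2-style record: a 76-byte header with a recognisable key slice at
# offsets 18-35, followed by one Track 2 record as the body.
SAMPLE_PLAINTEXT = (b"constructed-hdr---" + b"KEYBYTES0123456789" + b"x" * 40
                    + b";4111111111111111=25121010000000000?")
SAMPLE_CAPTURE = encode_v52(SAMPLE_PLAINTEXT)
```

Because the body key lives inside the 0xAA-protected header, a decoder only ever needs the fixed key 0xAA to get started, which is why a network-level detection can still recognise the fixed-key header bytes of a 5.2 upload.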

Alina continues to evolve, and Alina's code now serves as the foundation for the JackPOS malware. As of February 2014, over 4500 payment cards belonging to U.S. and Canadian users have been compromised by JackPOS.[10] Alina's persistent nature and the author's ability to alter Alina via the C&C console make combating this malware a difficult task. HP Security Research (HPSR) recommends using intrusion protection system (IPS) filters to detect and block Alina POS malware. In addition to specific POS malware filters, HP has the ability to block communications to the C&C servers using techniques that are not appropriate for general disclosure (for more information, please contact an HP Enterprise Security Products (ESP) System Engineer).


